Enable logging from AWS services - Amazon CloudWatch Logs

While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.

Even when logs are published directly to Amazon S3 or Firehose, charges apply. For more information, see Vended Logs on the Logs tab at Amazon CloudWatch Pricing.

Some AWS services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to AWS to enable the logs to be sent.

For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as Supported [V1 Permissions] and Supported [V2 Permissions] in the table. For information about these required permissions, see the sections after the table.

Log source Log type Logs sent to CloudWatch Logs Logs sent to Amazon S3 Logs sent to Firehose

Amazon API Gateway access logs

Vended logs

Supported [V1 Permissions]

AWS AppSync logs

Custom logs

Supported

Amazon Aurora MySQL logs

Custom logs

Supported

Amazon Bedrock Knowledge bases logging

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Bedrock AgentCore

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Chime media quality metric logs and SIP message logs

Vended logs

Supported [V1 Permissions]

CloudFront: access logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS CloudHSM audit logs

Custom logs

Supported

CloudWatch Evidently evaluation event logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

CloudWatch Internet Monitor logs

Vended logs Supported [V1 Permissions]

CloudTrail logs

Custom logs

Supported

AWS CodeBuild logs

Custom logs

Supported

Amazon CodeWhisperer event logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Cognito logs

Vended logs Supported [V1 Permissions]

Amazon Connect logs

Custom logs

Supported

AWS DataSync logs

Custom logs

Supported

Amazon ElastiCache (Redis OSS) logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

AWS Elastic Beanstalk logs

Custom logs

Supported

Amazon Elastic Container Service logs

Custom logs

Supported

Amazon Elastic Kubernetes Service control plane logs

Vended logs

Supported

AWS Elemental MediaPackage access logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS Elemental MediaTailor logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]
AWS Entity Resolution logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon EventBridge Pipes logging

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon EventBridge event buses

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS Fargate logs

Custom logs

Supported

AWS Fault Injection Service experiment logs

Vended logs Supported [V1 Permissions]

Amazon FinSpace

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

AWS Global Accelerator flow logs

Vended logs Supported [V1 Permissions]

AWS Glue job logs

Custom logs

Supported

IAM Identity Center error logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Interactive Video Service chat logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

AWS IoT logs

Custom logs

Supported

AWS IoT FleetWise logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

AWS Lambda logs

Vended logs

Supported

Supported

Supported

Amazon Macie logs

Custom logs

Supported

Amazon SES logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS Mainframe Modernization

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Managed Service for Prometheus logs

Vended logs

Supported [V1 Permissions]

Amazon MSK broker logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions] Supported [V1 Permissions]

Amazon MSK Connect logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions] Supported [V1 Permissions]

Amazon MQ logs

Custom logs

Supported

AWS Network Firewall logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions] Supported [V1 Permissions]

Network Load Balancer access logs

Vended logs Supported [V1 Permissions]

OpenSearch logs

Custom logs

Supported

Amazon OpenSearch Service ingestion logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

AWS OpsWorks logs

Custom logs

Supported

AWS PCS logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Relational Database Service PostgreSQL logs

Custom logs

Supported

Amazon Q Business conversation logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS RoboMaker logs

Custom logs

Supported

Amazon Route 53 public DNS query logs

Vended logs

Supported

Amazon Route 53 resolver query logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon SageMaker AI events

Vended logs

Supported [V1 Permissions]

Amazon SageMaker AI worker events

Vended logs

Supported [V1 Permissions]

AWS Site-to-Site VPN logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Simple Email Service logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Simple Notification Service logs

Custom logs

Supported

Amazon Simple Notification Service data protection policy logs

Custom logs

Supported

EC2 Spot Instance data feed files

Vended logs

Supported [V1 Permissions]

AWS Step Functions Express Workflow and Standard Workflow logs

Vended logs

Supported [V1 Permissions]

Storage Gateway audit logs and health logs

Vended logs

Supported [V1 Permissions]

AWS Transfer Family logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

AWS Verified Access logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Virtual Private Cloud flow logs

Vended logs

Supported

Supported [V1 Permissions] Supported [V1 Permissions]

Amazon VPC Lattice access logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]
Amazon VPC Route Server Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS WAF logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

Supported

Amazon WorkMail audit logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]