Enable logging from AWS services

While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.

Even when logs are published directly to Amazon S3 or Firehose, charges apply. For more information, see Vended Logs on the Logs tab at Amazon CloudWatch Pricing.

Some AWS services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to AWS to enable the logs to be sent.

For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as Supported [V1 Permissions] and Supported [V2 Permissions] in the table. For information about these required permissions, see the sections after the table.

Log source	Log type	Logs sent to CloudWatch Logs	Logs sent to Amazon S3	Logs sent to Firehose
Amazon API Gateway access logs	Vended logs	Supported [V1 Permissions]
AWS AppSync logs	Custom logs	Supported
Amazon Aurora MySQL logs	Custom logs	Supported
Amazon Bedrock Knowledge bases logging	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock AgentCore	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Chime media quality metric logs and SIP message logs	Vended logs	Supported [V1 Permissions]
CloudFront: access logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS CloudHSM audit logs	Custom logs	Supported
CloudWatch Evidently evaluation event logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]
CloudWatch Internet Monitor logs	Vended logs		Supported [V1 Permissions]
CloudTrail logs	Custom logs	Supported
AWS CodeBuild logs	Custom logs	Supported
Amazon CodeWhisperer event logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Cognito logs	Vended logs	Supported [V1 Permissions]
Amazon Connect logs	Custom logs	Supported
AWS DataSync logs	Custom logs	Supported
Amazon ElastiCache (Redis OSS) logs	Vended logs	Supported [V1 Permissions]		Supported [V1 Permissions]
AWS Elastic Beanstalk logs	Custom logs	Supported
Amazon Elastic Container Service logs	Custom logs	Supported
Amazon Elastic Kubernetes Service control plane logs	Vended logs	Supported
AWS Elemental MediaPackage access logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS Elemental MediaTailor logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS Entity Resolution logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon EventBridge Pipes logging	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon EventBridge event buses	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS Fargate logs	Custom logs	Supported
AWS Fault Injection Service experiment logs	Vended logs		Supported [V1 Permissions]
Amazon FinSpace	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
AWS Global Accelerator flow logs	Vended logs		Supported [V1 Permissions]
AWS Glue job logs	Custom logs	Supported
IAM Identity Center error logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Interactive Video Service chat logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
AWS IoT logs	Custom logs	Supported
AWS IoT FleetWise logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
AWS Lambda logs	Vended logs	Supported	Supported	Supported
Amazon Macie logs	Custom logs	Supported
Amazon SES logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS Mainframe Modernization	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Managed Service for Prometheus logs	Vended logs	Supported [V1 Permissions]
Amazon MSK broker logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon MSK Connect logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon MQ logs	Custom logs	Supported
AWS Network Firewall logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Network Load Balancer access logs	Vended logs		Supported [V1 Permissions]
OpenSearch logs	Custom logs	Supported
Amazon OpenSearch Service ingestion logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
AWS OpsWorks logs	Custom logs	Supported
AWS PCS logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Relational Database ServicePostgreSQL logs	Custom logs	Supported
Amazon Q Business conversation logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS RoboMaker logs	Custom logs	Supported
Amazon Route 53 public DNS query logs	Vended logs	Supported
Amazon Route 53 resolver query logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon SageMaker AI events	Vended logs	Supported [V1 Permissions]
Amazon SageMaker AI worker events	Vended logs	Supported [V1 Permissions]
AWS Site-to_Site VPN logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Simple Email Service logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Simple Notification Service logs	Custom logs	Supported
Amazon Simple Notification Service data protection policy logs	Custom logs	Supported
EC2 Spot Instance data feed files	Vended logs		Supported [V1 Permissions]
AWS Step Functions Express Workflow and Standard Workflow logs	Vended logs	Supported [V1 Permissions]
Storage Gateway audit logs and health logs	Vended logs	Supported [V1 Permissions]
AWS Transfer Family logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
AWS Verified Access logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Virtual Private Cloud flow logs	Vended logs	Supported	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon VPC Lattice access logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon VPC Route Server	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS WAF logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported
Amazon WorkMail audit logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Filter pattern syntax

Logging that requires additional permissions [V1]