Permissions to enable logging Creating a log group Enabling logging for a stage

Configuring logging for an HTTP API

You can enable logging to write logs to CloudWatch Logs. You can use logging variables to customize the content of your logs.

To enable logging for an HTTP API, you must do the following.

Ensure that your IAM user has the required permissions to enable logging.
Create a CloudWatch Logs log group.
Provide the ARN of the CloudWatch Logs log group for a stage of your API.

Permissions to enable logging

To enable logging for an API, your IAM user must have the following permissions.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:us-east-2:123456789012:log-group:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:PutResourcePolicy",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:CreateLogGroup",
                "logs:DescribeResourcePolicies",
                "logs:GetLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": "*"
        }
    ]
}

Creating a log group

To create a log group by using the AWS Management Console

Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
Choose Log groups.
Choose Create log group.
Enter a log group name, and then choose Create.
Note the Amazon Resource Name (ARN) for your log group. The ARN format is arn:aws:logs:region: account-id:log-group:log-group-name. You need the log group ARN to enable access logging for your HTTP API.

Enabling logging for a stage

To enable logging by using the AWS Management Console

Open the API Gateway console.
Choose an API.
Under Monitor, choose Logging.
Choose the stage for which you want to enable logging.
Choose Edit.
Use the Access logging toggle to enable access logging.
For Log destination, enter the ARN of a CloudWatch Logs log group. The ARN format is arn:aws:logs:region:account-id:log-group:log-group-name.
Enter a log format in Log format. You can choose CLF, JSON, XML, or CSV to use one of the provided examples as a guide.
Choose Save.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Metrics

Logging variables