Logging permissions

The IAM principal being used to configure the logging destination will need to have certain permissions for logging to work properly. Below you can see the permissions required for each logging destination.

For delivery to CloudWatch Logs:

ec2:ModifyVerifiedAccessInstanceLoggingConfiguration on the Verified Access instance
logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, and logs:UpdateLogDelivery on all resources
logs:DescribeLogGroups, logs:DescribeResourcePolicies, and logs:PutResourcePolicy on the destination log group

For delivery to Amazon S3:

ec2:ModifyVerifiedAccessInstanceLoggingConfiguration on the Verified Access instance
logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, and logs:UpdateLogDelivery on all resources
s3:GetBucketPolicy and s3:PutBucketPolicy on the destination bucket

For delivery to Firehose:

ec2:ModifyVerifiedAccessInstanceLoggingConfiguration on the Verified Access instance
firehose:TagDeliveryStream on all resources
iam:CreateServiceLinkedRole on all resources
logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, and logs:UpdateLogDelivery on all resources

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Logging versions

Enable or disable logs