Access logs for Amazon VPC Lattice

Access logs capture detailed information about your VPC Lattice services. You can use these access logs to analyze traffic patterns and audit all of the services in the network.

Access logs are optional and are disabled by default. After you enable access logs, you can disable them at any time.

Pricing

Charges apply when access logs are published. Logs that AWS natively publishes on your behalf are called vended logs. For more information about pricing for vended logs, see Amazon CloudWatch Pricing, choose Logs, and view the pricing under Vended Logs.

IAM permissions required to enable access logs

To enable access logs and send the logs to their destinations, you must have the following actions in the policy attached to the IAM user, group, or role that you are using.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Sid": "ManageVPCLatticeAccessLogSetup",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries",
                "vpc-lattice:CreateAccessLogSubscription",
                "vpc-lattice:GetAccessLogSubscription",
                "vpc-lattice:UpdateAccessLogSubscription",
                "vpc-lattice:DeleteAccessLogSubscription",
                "vpc-lattice:ListAccessLogSubscriptions"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

For more information, see Adding and removing IAM identity permissions in the AWS Identity and Access Management User Guide.

After you’ve updated the policy attached to the IAM user, group, or role that you are using, go to Enable access logs.

Access log destinations

You can send access logs to the following destinations.

Amazon CloudWatch Logs
  • VPC Lattice typically delivers logs to CloudWatch Logs within 2 minutes. However, delivery time is best effort, so additional latency is possible.

  • A resource policy is created automatically and added to the CloudWatch log group if the log group does not have certain permissions. For more information, see Logs sent to CloudWatch Logs in the Amazon CloudWatch User Guide.

  • You can find access logs that are sent to CloudWatch under Log Groups in the CloudWatch console. For more information, see View log data sent to CloudWatch Logs in the Amazon CloudWatch User Guide.

Amazon S3
  • VPC Lattice typically delivers logs to Amazon S3 within 6 minutes. However, delivery time is best effort, so additional latency is possible.

  • A bucket policy is created automatically and added to your Amazon S3 bucket if the bucket does not have certain permissions. For more information, see Logs sent to Amazon S3 in the Amazon CloudWatch User Guide.

  • Access logs that are sent to Amazon S3 use the following naming convention:

    [bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/AccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz
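As an added example (not part of the AWS documentation), the following Python parses an S3 object key that follows the naming convention above (the part after the bucket name) and rejects keys whose directory path and file name disagree on account, region or resource ID, which is a useful sanity check in a consumer that is triggered by S3 events. The keys are constructed for illustration; the character set of the trailing hash is assumed to be alphanumeric.

```python
import re
from datetime import datetime, timezone

# Object-key form of the documented convention: [prefix]/AWSLogs/[accountId]/VpcLattice/AccessLogs/
# [region]/YYYY/MM/DD/[resource-id]/[accountId]_VpcLatticeAccessLogs_[region]_[resource-id]_[stamp]_[hash].json.gz
_KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12})/VpcLattice/AccessLogs/"
    r"(?P<region>[a-z0-9-]+)/(?P<date>\d{4}/\d{2}/\d{2})/(?P<resource>[^/]+)/(?P<file>[^/]+)$")
_FILE_RE = re.compile(
    r"^(?P<account>\d{12})_VpcLatticeAccessLogs_(?P<region>[^_]+)_(?P<resource>[^_]+)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_(?P<hash>[A-Za-z0-9]+)\.json\.gz$")  # hash charset is an assumption


def parse_access_log_key(key):
    """Split an access log object key into its parts.

    Returns None when the key does not follow the convention, or when the directory
    path and the file name disagree on account, region or resource ID."""
    m = _KEY_RE.match(key)
    if not m:
        return None
    f = _FILE_RE.match(m.group("file"))
    if not f:
        return None
    for part in ("account", "region", "resource"):
        if m.group(part) != f.group(part):
            return None
    # The file-name stamp is YYYYMMDDTHHmmZ, i.e. UTC with minute resolution
    stamp = datetime.strptime(f.group("stamp"), "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    return {"prefix": m.group("prefix") or "", "account": m.group("account"),
            "region": m.group("region"), "date": m.group("date"),
            "resource": m.group("resource"), "delivered_at": stamp, "hash": f.group("hash")}


# Constructed keys (not real objects): one valid, one whose file name claims another account
GOOD_KEY = ("lattice/AWSLogs/123456789012/VpcLattice/AccessLogs/us-west-2/2023/07/28/svc-1a2b3c4d/"
            "123456789012_VpcLatticeAccessLogs_us-west-2_svc-1a2b3c4d_20230728T2050Z_0a1b2c3d.json.gz")
BAD_KEY = GOOD_KEY.replace("/123456789012_", "/999999999999_")
```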

Amazon Data Firehose
  • VPC Lattice typically delivers logs to Firehose within 2 minutes. However, delivery time is best effort, so additional latency is possible.

  • A service-linked role is automatically created that grants VPC Lattice permission to send access logs to Amazon Data Firehose. For automatic role creation to succeed, users must have permission for the iam:CreateServiceLinkedRole action. For more information, see Logs sent to Amazon Data Firehose in the Amazon CloudWatch User Guide.

  • For more information about viewing the logs sent to Amazon Data Firehose, see Monitoring Amazon Kinesis Data Streams in the Amazon Data Firehose Developer Guide.

Enable access logs

Complete the following procedure to enable access logs and deliver them to the destination that you choose.

Enable access logs using the console

You can enable access logs for a service network or for a service during creation. You can also enable access logs after you create a service network or service, as described in the following procedure.

To enable access logs using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Select the service network or service.

  3. Choose Actions, Edit log settings.

  4. Turn on the Access logs toggle switch.

  5. Add a delivery destination for your access logs as follows:

    • Select CloudWatch Log group and choose a log group. To create a log group, choose Create a log group in CloudWatch.

    • Select S3 bucket and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose Browse S3.

    • Select Kinesis Data Firehose delivery stream and choose a delivery stream. To create a delivery stream, choose Create a delivery stream in Kinesis.

  6. Choose Save changes.

Enable access logs using the AWS CLI

Use the CLI command create-access-log-subscription to enable access logs for service networks or services.

Access log contents

The following list describes each field of an access log entry, with the field's format in parentheses.

  • hostHeader (string): The authority header of the request.

  • sslCipher (string): The OpenSSL name of the cipher suite used to establish the client TLS connection.

  • serviceNetworkArn (arn:aws:vpc-lattice:region:account:servicenetwork/id): The service network ARN.

  • resolvedUser (null | ARN | "Anonymous" | "Unknown"): The ARN of the user when authentication is enabled and has completed.

  • authDeniedReason (null | "Service" | "Network" | "Identity"): The reason that access was denied when authentication is enabled.

  • requestMethod (string): The method header of the request.

  • targetGroupArn (string): The target group to which the target host belongs.

  • tlsVersion (TLSvx): The TLS version.

  • userAgent (string): The user-agent header.

  • ServerNameIndication (string): [HTTPS only] The value set on the SSL connection socket for Server Name Indication (SNI).

  • destinationVpcId (vpc-xxxxxxxx): The destination VPC ID.

  • sourceIpPort (ip:port): The IP address and port of the source.

  • targetIpPort (ip:port): The IP address and port of the target.

  • serviceArn (arn:aws:vpc-lattice:region:account:service/id): The service ARN.

  • sourceVpcId (vpc-xxxxxxxx): The source VPC ID.

  • requestPath (LatticePath?:path): The path of the request.

  • startTime (YYYY-MM-DDTHH:MM:SSZ): The request start time.

  • protocol (string): The protocol. Currently either HTTP/1.1 or HTTP/2.

  • responseCode (integer): The HTTP response code. Only the response code of the final headers is logged. For more information, see Troubleshoot access logs.

  • bytesReceived (integer): The body and header bytes received.

  • bytesSent (integer): The body and header bytes sent.

  • duration (integer): Total duration in milliseconds of the request, from the start time to the last byte out.

  • requestToTargetDuration (integer): Total duration in milliseconds from the start time to the last byte sent to the target.

  • responseFromTargetDuration (integer): Total duration in milliseconds from the first byte read from the target host to the last byte sent to the client.

  • grpcResponseCode (integer): The gRPC response code. For more information, see Status codes and their use in gRPC. This field is logged only if the service supports gRPC.

  • callerPrincipal (string): The authenticated principal.

  • callerX509SubjectCN (string): The subject name (CN).

  • callerX509IssuerOU (string): The issuer (OU).

  • callerX509SANNameCN (string): The issuer alternative (Name/CN).

  • callerX509SANDNS (string): The subject alternative name (DNS).

  • callerX509SANURI (string): The subject alternative name (URI).

  • sourceVpcArn (arn:aws:ec2:region:account:vpc/id): The ARN of the VPC where the request originated.

Example

The following is an example log entry.

{
    "hostHeader": "example.com",
    "sslCipher": "-",
    "serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:123456789012:servicenetwork/svn-1a2b3c4d",
    "resolvedUser": "Unknown",
    "authDeniedReason": "null",
    "requestMethod": "GET",
    "targetGroupArn": "arn:aws:vpc-lattice:us-west-2:123456789012:targetgroup/tg-1a2b3c4d",
    "tlsVersion": "-",
    "userAgent": "-",
    "serverNameIndication": "-",
    "destinationVpcId": "vpc-0abcdef1234567890",
    "sourceIpPort": "178.0.181.150:80",
    "targetIpPort": "131.31.44.176:80",
    "serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
    "sourceVpcId": "vpc-0abcdef1234567890",
    "requestPath": "/billing",
    "startTime": "2023-07-28T20:48:45Z",
    "protocol": "HTTP/1.1",
    "responseCode": 200,
    "bytesReceived": 42,
    "bytesSent": 42,
    "duration": 375,
    "requestToTargetDuration": 1,
    "responseFromTargetDuration": 1,
    "grpcResponseCode": 1
}
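As an added example (not from the AWS documentation), the following Python consumes records shaped like the entry above, lists every request that the auth policy denied together with its authDeniedReason, resolvedUser and source IP, and counts denials and 5xx responses per service. It assumes one JSON object per line; the records are constructed for illustration and are not real traffic.

```python
import json
from collections import defaultdict

# Constructed NDJSON records shaped like the example entry above (not real traffic)
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
     "resolvedUser": "arn:aws:iam::123456789012:role/billing-client", "authDeniedReason": "null",
     "requestMethod": "GET", "requestPath": "/billing", "responseCode": 200, "duration": 375,
     "sourceIpPort": "10.0.1.10:52314", "startTime": "2023-07-28T20:48:45Z"},
    {"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
     "resolvedUser": "Anonymous", "authDeniedReason": "Service",
     "requestMethod": "GET", "requestPath": "/billing/admin", "responseCode": 403, "duration": 2,
     "sourceIpPort": "10.0.2.77:41000", "startTime": "2023-07-28T20:48:46Z"},
    {"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
     "resolvedUser": "arn:aws:iam::123456789012:role/billing-client", "authDeniedReason": "Identity",
     "requestMethod": "POST", "requestPath": "/billing/refund", "responseCode": 403, "duration": 3,
     "sourceIpPort": "10.0.1.10:52315", "startTime": "2023-07-28T20:48:47Z"},
    {"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-9z8y7x6w",
     "resolvedUser": "Unknown", "authDeniedReason": None,
     "requestMethod": "GET", "requestPath": "/health", "responseCode": 502, "duration": 1200,
     "sourceIpPort": "10.0.3.5:60001", "startTime": "2023-07-28T20:48:48Z"},
])

# Denial reasons from the field table; the string "null" (as in the example) or JSON null means not denied
DENIED_REASONS = {"Service", "Network", "Identity"}

def parse_records(ndjson):
    """Parse newline-delimited JSON access log records, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def auth_denials(records):
    """List (reason, resolvedUser, source IP, path) for every request the auth policy denied."""
    out = []
    for r in records:
        if r.get("authDeniedReason") in DENIED_REASONS:
            ip = r.get("sourceIpPort", "").rsplit(":", 1)[0]  # "ip:port"; rsplit keeps IPv6 intact
            out.append((r["authDeniedReason"], r.get("resolvedUser"), ip, r.get("requestPath")))
    return out

def summarize(records):
    """Per-service counters: total requests, auth denials, 5xx responses, and max duration in ms."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "5xx": 0, "max_duration_ms": 0})
    for r in records:
        s = stats[r["serviceArn"]]
        s["total"] += 1
        s["denied"] += r.get("authDeniedReason") in DENIED_REASONS
        s["5xx"] += 500 <= int(r.get("responseCode", 0)) < 600  # errors raised by VPC Lattice itself
        s["max_duration_ms"] = max(s["max_duration_ms"], int(r.get("duration", 0)))
    return dict(stats)
```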

Troubleshoot access logs

This section explains the HTTP error codes that you may see in access logs and their possible causes.

HTTP 400: Bad Request

  • The client sent a malformed request that doesn't meet the HTTP specification.

  • The request headers exceeded 60K in total, or the request contained more than 100 headers.

  • The client closed the connection before sending the full request body.

HTTP 403: Forbidden

Authentication has been configured for the service, but the incoming request is not authenticated or authorized.

HTTP 404: Non Existent Service

You're trying to connect to a service that does not exist or is not registered to the right service network.

HTTP 500: Internal Server Error

VPC Lattice has encountered an error, such as failure to connect to targets.

HTTP 502: Bad Gateway

VPC Lattice has encountered an error.