Enable logging from Amazon services

While many services publish logs only to CloudWatch Logs, some Amazon services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.

Even when you publish logs directly to Amazon S3 or Firehose, CloudWatch delivery charges apply. If you send logs to Amazon S3, then AWS_REGION-S3-Egress-Bytes charges appear in Cost Explorer or on your bill. If you send logs to Firehose, then AWS_REGION-FH-Egress-Bytes charges appear. For more information about vended logs pricing, see the Logs tab at Amazon CloudWatch Pricing.

Some Amazon services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to Amazon to enable the logs to be sent.

For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as Supported [V1 Permissions] and Supported [V2 Permissions] in the table. For information about these required permissions, see the sections after the table.

Log source	Log type	Logs sent to CloudWatch Logs	Logs sent to Amazon S3	Logs sent to Firehose	Traces sent to X-Ray
Amazon API Gateway access logs	Vended logs	Supported [V1 Permissions]
Amazon AppSync logs	Custom logs	Supported
Amazon Aurora MySQL logs	Custom logs	Supported
Amazon Bedrock Knowledge bases logging	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock Agent logging	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock AgentCore Runtime	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock AgentCore Gateway	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock AgentCore Identity	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock AgentCore Memory	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Bedrock AgentCore Tools	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Chime media quality metric logs and SIP message logs	Vended logs	Supported [V1 Permissions]
CloudFront: access logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon CloudHSM audit logs	Custom logs	Supported
CloudWatch Evidently evaluation event logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]
CloudWatch Internet Monitor logs	Vended logs		Supported [V1 Permissions]
CloudTrail logs	Custom logs	Supported
Amazon CodeBuild logs	Custom logs	Supported
Amazon CodeWhisperer event logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Cognito logs	Vended logs	Supported [V1 Permissions]
Amazon Connect logs	Custom logs	Supported
Amazon DataSync logs	Custom logs	Supported
Amazon DevOps Agent logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon ElastiCache (Redis OSS) logs	Vended logs	Supported [V1 Permissions]		Supported [V1 Permissions]
Amazon Elastic Beanstalk logs	Custom logs	Supported
Amazon Elastic Container Service logs	Custom logs	Supported
Amazon Elastic Kubernetes Service Auto Mode logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Elastic Kubernetes Service control plane logs	Vended logs	Supported
AWS Elemental MediaPackage access logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
AWS Elemental MediaTailor logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Entity Resolution logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon EventBridge Pipes logging	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon EventBridge event buses	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Fargate logs	Custom logs	Supported
Amazon Fault Injection Service experiment logs	Vended logs		Supported [V1 Permissions]
Amazon FinSpace	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Global Accelerator flow logs	Vended logs		Supported [V1 Permissions]
Amazon Glue job logs	Custom logs	Supported
IAM Identity Center error logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Interactive Video Service chat logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon IoT logs	Custom logs	Supported
Amazon IoT FleetWise logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Lambda logs	Vended logs	Supported	Supported	Supported
Amazon Macie logs	Custom logs	Supported
Amazon SES logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Mainframe Modernization	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Managed Service for Prometheus logs	Vended logs	Supported [V1 Permissions]
Amazon MSK broker logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon MSK Connect logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon MQ logs	Custom logs	Supported
Amazon Network Firewall logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Network Firewall Proxy logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Network Load Balancer access logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
OpenSearch logs	Custom logs	Supported
Amazon OpenSearch Service ingestion logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon PCS logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Q Business connector logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Q Business conversation logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Quick chat and feedback logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Relational Database ServicePostgreSQL logs	Custom logs	Supported
Amazon RTB Fabric logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Security Hub CSPM	Vended logs	Supported [V2 Permissions]
Amazon Route 53 public DNS query logs	Vended logs	Supported
Amazon Route 53 resolver query logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon SageMaker AI events	Vended logs	Supported [V1 Permissions]
Amazon SageMaker AI worker events	Vended logs	Supported [V1 Permissions]
Amazon Site-to_Site VPN logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Simple Email Service logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon Simple Notification Service logs	Custom logs	Supported
Amazon Simple Notification Service data protection policy logs	Custom logs	Supported
EC2 Spot Instance data feed files	Vended logs		Supported [V1 Permissions]
Amazon Step Functions Express Workflow and Standard Workflow logs	Vended logs	Supported [V1 Permissions]
Storage Gateway audit logs and health logs	Vended logs	Supported [V1 Permissions]
Amazon Transfer Family logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Verified Access logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon Virtual Private Cloud flow logs	Vended logs	Supported	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon VPC Lattice access logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported [V1 Permissions]
Amazon VPC Route Server	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]
Amazon WAF logs	Vended logs	Supported [V1 Permissions]	Supported [V1 Permissions]	Supported
Amazon WorkMail audit logs	Vended logs	Supported [V2 Permissions]	Supported [V2 Permissions]	Supported [V2 Permissions]

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Filter pattern syntax

Logging that requires additional permissions [V1]