Enable logging from Amazon services - Amazon CloudWatch Logs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable logging from Amazon services

While many services publish logs only to CloudWatch Logs, some Amazon services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.

Even when logs are published directly to Amazon S3 or Firehose, charges apply. For more information, see Vended Logs on the Logs tab at Amazon CloudWatch Pricing.

Some Amazon services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to Amazon to enable the logs to be sent.

For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as Supported [V1 Permissions] and Supported [V2 Permissions] in the table. For information about these required permissions, see the sections after the table.

Log source Log type Logs sent to CloudWatch Logs Logs sent to Amazon S3 Logs sent to Firehose

Amazon API Gateway access logs

 Vended logs

Supported [V1 Permissions]

Amazon AppSync logs

 Custom logs

Supported

Amazon Aurora MySQL logs

 Custom logs

Supported

Amazon Bedrock Knowledge bases logging

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Bedrock AgentCore

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Chime media quality metric logs and SIP message logs

Vended logs

Supported [V1 Permissions]

CloudFront: access logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon CloudHSM audit logs

 Custom logs

Supported

CloudWatch Evidently evaluation event logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

CloudWatch Internet Monitor logs

 Vended logs Supported [V1 Permissions]

CloudTrail logs

 Custom logs

Supported

Amazon CodeBuild logs

 Custom logs

Supported

Amazon CodeWhisperer event logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Cognito logs

 Vended logs Supported [V1 Permissions]

Amazon Connect logs

Custom logs

Supported

Amazon DataSync logs

 Custom logs

Supported

Amazon ElastiCache (Redis OSS) logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Elastic Beanstalk logs

 Custom logs

Supported

Amazon Elastic Container Service logs

 Custom logs

Supported

Amazon Elastic Kubernetes Service control plane logs

 Vended logs

Supported

AWS Elemental MediaPackage access logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS Elemental MediaTailor logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]
Amazon Entity Resolution logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon EventBridge Pipes logging

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon EventBridge event buses

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Fargate logs

 Custom logs

Supported

Amazon Fault Injection Service experiment logs

 Vended logs Supported [V1 Permissions]

Amazon FinSpace

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Global Accelerator flow logs

 Vended logs Supported [V1 Permissions]

Amazon Glue job logs

 Custom logs

Supported

IAM Identity Center error logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Interactive Video Service chat logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon IoT logs

 Custom logs

Supported

Amazon IoT FleetWise logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Lambda logs

 Vended logs

Supported

Supported

Supported

Amazon Macie logs

 Custom logs

Supported
Amazon SES logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Mainframe Modernization

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Managed Service for Prometheus logs

 Vended logs

Supported [V1 Permissions]

Amazon MSK broker logs

 Vended logs

Supported [V1 Permissions]

 Supported [V1 Permissions] Supported [V1 Permissions]

Amazon MSK Connect logs

 Vended logs

Supported [V1 Permissions]

 Supported [V1 Permissions] Supported [V1 Permissions]

Amazon MQ logs

 Custom logs

Supported

Amazon Network Firewall logs

 Vended logs

Supported [V1 Permissions]

 Supported [V1 Permissions] Supported [V1 Permissions]

Network Load Balancer access logs

 Vended logs Supported [V1 Permissions]

OpenSearch logs

 Custom logs

Supported

Amazon OpenSearch Service ingestion logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon OpsWorks logs

 Custom logs

Supported
Amazon PCS logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Relational Database ServicePostgreSQL logs

 Custom logs

Supported

Amazon Q Business conversation logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon RoboMaker logs

 Custom logs

Supported

Amazon Route 53 public DNS query logs

 Vended logs

Supported

Amazon Route 53 resolver query logs

 Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon SageMaker AI events

Vended logs

Supported [V1 Permissions]

Amazon SageMaker AI worker events

Vended logs

Supported [V1 Permissions]

Amazon Site-to_Site VPN logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Simple Email Service logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Simple Notification Service logs

 Custom logs

Supported

Amazon Simple Notification Service data protection policy logs

 Custom logs

Supported

EC2 Spot Instance data feed files

Vended logs

Supported [V1 Permissions]

Amazon Step Functions Express Workflow and Standard Workflow logs

Vended logs

Supported [V1 Permissions]

Storage Gateway audit logs and health logs

 Vended logs

Supported [V1 Permissions]

Amazon Transfer Family logs

 Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Verified Access logs

 Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Virtual Private Cloud flow logs

 Vended logs

Supported

 Supported [V1 Permissions] Supported [V1 Permissions]

Amazon VPC Lattice access logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]
Amazon VPC Route Server Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon WAF logs

 Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

Supported

Amazon WorkMail audit logs

 Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]