Enable logging from Amazon services - Amazon CloudWatch Logs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Enable logging from Amazon services

While many services publish logs only to CloudWatch Logs, some Amazon services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.

Even when logs are published directly to Amazon S3 or Firehose, charges apply. For more information, see Vended Logs on the Logs tab at Amazon CloudWatch Pricing.

Some Amazon services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to Amazon to enable the logs to be sent.

For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as Supported [V1 Permissions] and Supported [V2 Permissions] in the table. For information about these required permissions, see the sections after the table.

Log source Log type Logs sent to CloudWatch Logs Logs sent to Amazon S3 Logs sent to Firehose

Amazon API Gateway access logs

Vended logs

Supported [V1 Permissions]

Amazon AppSync logs

Custom logs

Supported

Amazon Aurora MySQL logs

Custom logs

Supported

Amazon Bedrock Knowledge bases logging

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Bedrock AgentCore

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Chime media quality metric logs and SIP message logs

Vended logs

Supported [V1 Permissions]

CloudFront: access logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon CloudHSM audit logs

Custom logs

Supported

CloudWatch Evidently evaluation event logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

CloudWatch Internet Monitor logs

Vended logs Supported [V1 Permissions]

CloudTrail logs

Custom logs

Supported

Amazon CodeBuild logs

Custom logs

Supported

Amazon CodeWhisperer event logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Cognito logs

Vended logs Supported [V1 Permissions]

Amazon Connect logs

Custom logs

Supported

Amazon DataSync logs

Custom logs

Supported

Amazon ElastiCache (Redis OSS) logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Elastic Beanstalk logs

Custom logs

Supported

Amazon Elastic Container Service logs

Custom logs

Supported

Amazon Elastic Kubernetes Service control plane logs

Vended logs

Supported

AWS Elemental MediaPackage access logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

AWS Elemental MediaTailor logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]
Amazon Entity Resolution logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon EventBridge Pipes logging

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon EventBridge event buses

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Fargate logs

Custom logs

Supported

Amazon Fault Injection Service experiment logs

Vended logs Supported [V1 Permissions]

Amazon FinSpace

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Global Accelerator flow logs

Vended logs Supported [V1 Permissions]

Amazon Glue job logs

Custom logs

Supported

IAM Identity Center error logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Interactive Video Service chat logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon IoT logs

Custom logs

Supported

Amazon IoT FleetWise logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Lambda logs

Vended logs

Supported

Supported

Supported

Amazon Macie logs

Custom logs

Supported

Amazon SES logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Mainframe Modernization

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon Managed Service for Prometheus logs

Vended logs

Supported [V1 Permissions]

Amazon MSK broker logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions] Supported [V1 Permissions]

Amazon MSK Connect logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions] Supported [V1 Permissions]

Amazon MQ logs

Custom logs

Supported

Amazon Network Firewall logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions] Supported [V1 Permissions]

Network Load Balancer access logs

Vended logs Supported [V1 Permissions]

OpenSearch logs

Custom logs

Supported

Amazon OpenSearch Service ingestion logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]

Amazon OpsWorks logs

Custom logs

Supported

Amazon PCS logs Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Relational Database ServicePostgreSQL logs

Custom logs

Supported

Amazon Q Business conversation logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon RoboMaker logs

Custom logs

Supported

Amazon Route 53 public DNS query logs

Vended logs

Supported

Amazon Route 53 resolver query logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon SageMaker AI events

Vended logs

Supported [V1 Permissions]

Amazon SageMaker AI worker events

Vended logs

Supported [V1 Permissions]

Amazon Site-to_Site VPN logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Simple Email Service logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon Simple Notification Service logs

Custom logs

Supported

Amazon Simple Notification Service data protection policy logs

Custom logs

Supported

EC2 Spot Instance data feed files

Vended logs

Supported [V1 Permissions]

Amazon Step Functions Express Workflow and Standard Workflow logs

Vended logs

Supported [V1 Permissions]

Storage Gateway audit logs and health logs

Vended logs

Supported [V1 Permissions]

Amazon Transfer Family logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Verified Access logs

Vended logs

Supported [V1 Permissions]

Supported [V1 Permissions]

Supported [V1 Permissions]

Amazon Virtual Private Cloud flow logs

Vended logs

Supported

Supported [V1 Permissions] Supported [V1 Permissions]

Amazon VPC Lattice access logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions] Supported [V1 Permissions]
Amazon VPC Route Server Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]

Amazon WAF logs

Vended logs Supported [V1 Permissions] Supported [V1 Permissions]

Supported

Amazon WorkMail audit logs

Vended logs Supported [V2 Permissions] Supported [V2 Permissions] Supported [V2 Permissions]