Logs sent to Firehose

This section applies when the types of logs listed in the table in the preceding section are sent to Firehose:

User permissions

To be able to set up sending any of these types of logs to Firehose for the first time, you must be logged into an account with the following permissions.

logs:CreateLogDelivery
firehose:TagDeliveryStream
iam:CreateServiceLinkedRole

If any of these types of logs is already being sent to Firehose, then to set up the sending of another one of these types of logs to Firehose you need to have only the logs:CreateLogDelivery and firehose:TagDeliveryStream permissions.

IAM roles used for permissions

Because Firehose does not use resource policies, Amazon uses IAM roles when setting up these logs to be sent to Firehose. Amazon creates a service-linked role named AWSServiceRoleForLogDelivery. This service-linked role includes the following permissions.

This service-linked role grants permission for all Firehose delivery streams that have the LogDeliveryEnabled tag set to true. Amazon gives this tag to the destination delivery stream when you set up the logging.

This service-linked role also has a trust policy that allows the delivery.logs.amazonaws.com service principal to assume the needed service-linked role. That trust policy is as follows:

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Logs sent to Amazon S3

Logging that requires additional permissions [V2]