Enable logging from AWS services
While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.
Even when you publish logs directly to Amazon S3 or Firehose, CloudWatch delivery charges apply. If you send logs to Amazon S3, then AWS_REGION-S3-Egress-Bytes charges appear in Cost Explorer or on your bill. If you send logs to Firehose, then AWS_REGION-FH-Egress-Bytes charges appear. For more information about vended logs pricing, see the Logs tab at Amazon CloudWatch Pricing.
Some AWS services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to AWS to enable the logs to be sent.
For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as Supported [V1 Permissions] and Supported [V2 Permissions] in the table. For information about these required permissions, see the sections after the table.
Amazon API Gateway
AWS AppSync
Amazon Aurora MySQL
Amazon Bedrock Knowledge Bases
Amazon Bedrock Agents
Amazon Bedrock AgentCore Runtime
Amazon Bedrock AgentCore Gateway
Amazon Bedrock AgentCore Identity
Amazon Bedrock AgentCore Memory
Amazon Bedrock AgentCore Tools
Amazon Chime
Amazon CloudFront
AWS CloudHSM
CloudWatch Evidently
CloudWatch Internet Monitor
AWS CloudTrail
AWS CodeBuild
Amazon CodeWhisperer
Amazon Cognito
Amazon Connect
AWS DataSync
AWS DevOps Agent
Amazon ElastiCache (Redis OSS)
AWS Elastic Beanstalk
Amazon ECS
Amazon EKS Auto Mode
Amazon EKS Control Plane
AWS Elemental MediaPackage
AWS Elemental MediaTailor
AWS Entity Resolution
Amazon EventBridge Pipes
Amazon EventBridge Event Buses
AWS Fargate
AWS Fault Injection Service
Amazon FinSpace
AWS Global Accelerator
AWS Glue
IAM Identity Center
Amazon IVS Chat
AWS IoT
AWS IoT FleetWise
AWS Lambda
Amazon Macie
Amazon SES
AWS Mainframe Modernization
Amazon Managed Service for Prometheus
Amazon MSK
Amazon MSK Connect
Amazon MQ
AWS Network Firewall
AWS Network Firewall Proxy
Network Load Balancer
Amazon OpenSearch Service
Amazon OpenSearch Ingestion
AWS PCS
Amazon Q Business Connectors
Amazon Q Business Conversations
Amazon Quick Chat and Feedback
Amazon RDS PostgreSQL
AWS RTB Fabric
AWS Security Hub CSPM
AWS Security Hub
Amazon Route 53 Public DNS
Amazon Route 53 Resolver
Amazon SageMaker AI Events
Amazon SageMaker AI Worker Events
AWS Site-to-Site VPN
Amazon SES
Amazon SNS
Amazon SNS Data Protection
EC2 Spot Instance
AWS Step Functions
AWS Storage Gateway
AWS Transfer Family
AWS Verified Access
Amazon VPC Flow Logs
Amazon VPC Lattice
Amazon VPC Route Server
AWS WAF
Amazon WorkMail