# Access logs for Amazon VPC Lattice
Access logs capture detailed information about your VPC Lattice services and resource configurations. You can use these access logs to analyze traffic patterns and audit all of the services in the network. For VPC Lattice services, we publish `VpcLatticeAccessLogs` and for resource configurations, we publish `VpcLatticeResourceAccessLogs` which needs to be configured separately.
Access logs are optional and are disabled by default. After you enable access logs, you can disable them at any time.
**Pricing**
Charges apply when access logs are published. Logs that AWS natively publishes on your behalf are called *vended logs*. For more information about pricing for vended logs, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/), choose **Logs**, and view the pricing under **Vended Logs**.
**Topics**
+ [IAM permissions required to enable access logs](#monitoring-access-logs-IAM)
+ [Access log destinations](#monitoring-access-logs-destinations)
+ [Enable access logs](#monitoring-access-logs-enable)
+ [Request tracking](#x-amzn-RequestId-enable)
+ [Access log contents](#monitoring-access-logs-contents)
+ [Resource access log contents](#monitoring-resource-access-logs-contents)
+ [Troubleshoot access logs](#monitoring-access-logs-troubleshoot)
## IAM permissions required to enable access logs
To enable access logs and send the logs to their destinations, you must have the following actions in the policy attached to the IAM user, group, or role that you are using.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Sid": "ManageVPCLatticeAccessLogSetup",
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"vpc-lattice:CreateAccessLogSubscription",
"vpc-lattice:GetAccessLogSubscription",
"vpc-lattice:UpdateAccessLogSubscription",
"vpc-lattice:DeleteAccessLogSubscription",
"vpc-lattice:ListAccessLogSubscriptions"
],
"Resource": [
"*"
]
}
]
}
```
------
For more information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *AWS Identity and Access Management User Guide*.
After you’ve updated the policy attached to the IAM user, group, or role that you are using, go to [Enable access logs](#monitoring-access-logs-enable).
## Access log destinations
You can send access logs to the following destinations.
**Amazon CloudWatch Logs**
+ VPC Lattice typically delivers logs to CloudWatch Logs within 2 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
+ A resource policy is created automatically and added to the CloudWatch log group if the log group does not have certain permissions. For more information, see [Logs sent to CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL) in the *Amazon CloudWatch User Guide*.
+ You can find access logs that are sent to CloudWatch under Log Groups in the CloudWatch console. For more information, see [View log data sent to CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#ViewingLogData) in the *Amazon CloudWatch User Guide*.
**Amazon S3**
+ VPC Lattice typically delivers logs to Amazon S3 within 6 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
+ A bucket policy will be created automatically and added to your Amazon S3 bucket if the bucket does not have certain permissions. For more information, see [Logs sent to Amazon S3 ](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3) in the *Amazon CloudWatch User Guide*.
+ Access logs that are sent to Amazon S3 use the following naming convention:
```
[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/AccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz
```
+ VpcLatticeResourceAccessLogs that are sent to Amazon S3 use the following naming convention:
```
[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/ResourceAccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeResourceAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz
```
**Amazon Data Firehose**
+ VPC Lattice typically delivers logs to Firehose within 2 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
+ A service-linked role is automatically created that grants VPC Lattice permission to send access logs to Amazon Data Firehose. For automatic role creation to succeed, users must have permission for the `iam:CreateServiceLinkedRole` action. For more information, see [Logs sent to Amazon Data Firehose](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-Firehose) in the *Amazon CloudWatch User Guide*.
+ For more information about viewing the logs sent to Amazon Data Firehose, see [Monitoring Amazon Kinesis Data Streams](https://docs.aws.amazon.com//streams/latest/dev/monitoring.html) in the *Amazon Data Firehose Developer Guide*.
## Enable access logs
Complete the following procedure to configure access logs to capture and deliver access logs to the destination that you choose.
**Topics**
+ [Enable access logs using the console](#monitoring-access-logs-console)
+ [Enable access logs using the AWS CLI](#monitoring-access-logs-cli)
### Enable access logs using the console
You can enable access logs for a service network, a service, or a resource configuration during creation. You can also enable access logs after you create a service network, service, or resource configuration as described in the following procedure.
**To create a basic service using the console**
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. Select the service network, service, or resource configuration.
1. Choose **Actions**, **Edit log settings**.
1. Turn on the **Access logs** toggle switch.
1. Add a delivery destination for your access logs as follows:
+ Select **CloudWatch Log group** and choose a log group. To create a log group, choose **Create a log group in CloudWatch**.
+ Select **S3 bucket** and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose **Browse S3**.
+ Select **Kinesis Data Firehose delivery stream** and choose a delivery stream. To create a delivery stream, choose **Create a delivery stream in Kinesis**.
1. Choose **Save changes**.
### Enable access logs using the AWS CLI
Use the CLI command [create-access-log-subscription](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-access-log-subscription.html) to enable access logs for service networks or services.
## Request tracking
VPC Lattice supports request tracking and correlation across clients, targets, and logs for observability and debugging with the x-amzn-requestid header. This header can be set and sent by the client or generated by VPC Lattice and is sent to targets and also available in access logs.
**Default behavior**
+ VPC Lattice automatically generates this header for every request.
+ The value is a randomly generated identifier (UUID-style by default).
+ The generated identifier is:
+ Propagated to downstream targets.
+ Returned in response headers to clients.
+ Logged in access logs
**Example (default response)**
The following is an example of a response sent to client with the default behavior of VPC Lattice generating a random value for the valu eof x-amzn-requestid header.
```
{
"HTTP/1.1 200 OK
x-amzn-requestid: a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"
}
```
**Client setting the value**
+ Clients can optionally set this header on incoming requests to override the automatically generated value.
+ Considerations
+ The header value does not need to follow a UUID format.
+ If the header value exceeds 512 bytes, VPC Lattice will truncate it to 512.
+ When overridden successfully, the provided header value will:
+ Appear in response headers
+ Be propagated to targets
+ Appear in access logs and metrics
**Example (override client reqeust)**
The following is an example of a reqeust sent by the client with a header value.
```
{
"GET /my-service/endpoint HTTP/1.1
Host: my-api.example.com
x-amzn-requestid: trace-request-foobar"
}
```
**Example (default override response)**
The following is an example of a response sent to client with the overridden value.
```
{
"HTTP/1.1 200 OK
x-amzn-requestid: trace-request-foobar"
}
```
## Access log contents
The following table describes the fields of an access log entry.
| Field | Description | Format |
| --- | --- | --- |
| callerPrincipalTags | The PrincipalTags in the request. | JSON |
| hostHeader | The authority header of the request. | string |
| sslCipher | The OpenSSL name for the set of ciphers used to establish the client TLS connection. | string |
| serviceNetworkArn | The service network ARN. | arn:aws:vpc-lattice:*region*:*account*:servicenetwork/*id* |
| resolvedUser | The ARN of the user when authentication is enabled and authentication is done. | null \$1 ARN \$1 "Anonymous" \$1 "Unknown" |
| authDeniedReason | The reason that access is denied when authentication is enabled. | null \$1 "Service" \$1 "Network" \$1 "Identity" |
| requestMethod | The method header of the request. | string |
| targetGroupArn | The target host group to which the target host belongs. | string |
| tlsVersion | The TLS version. | TLSv*x* |
| userAgent | The user-agent header. | string |
| serverNameIndication | [HTTPS only] The value set on ssl connection socket for Server Name Indication (SNI). | string |
| destinationVpcId | The destination VPC ID. | vpc-*xxxxxxxx* |
| sourceIpPort | The IP address and :port of the source. | *ip*:*port* |
| targetIpPort | The IP address and port of the target. | *ip*:*port* |
| serviceArn | The service ARN. | arn:aws:vpc-lattice:*region*:*account*:service/*id* |
| sourceVpcId | The source VPC ID. | vpc-*xxxxxxxx* |
| requestPath | The path of the request. | LatticePath?:*path* |
| startTime | The request start time. | *YYYY*-*MM*-*DD*T*HH*:*MM*:*SS*Z |
| protocol | The protocol. Currently either HTTP/1.1 or HTTP/2. | string |
| responseCode | The HTTP response code. Only the response code for the final headers are logged. For more information, see [Troubleshoot access logs](#monitoring-access-logs-troubleshoot). | integer |
| bytesReceived | The body and header bytes received. | integer |
| bytesSent | The body and header bytes sent. | integer |
| duration | Total duration in milliseconds of the request from the start time to the last byte out. | integer |
| requestToTargetDuration | Total duration in milliseconds of the request from the start time to the last byte sent to the target. | integer |
| responseFromTargetDuration | Total duration in milliseconds of the request from the first byte read from the target host to the last byte sent to the client. | integer |
| grpcResponseCode | The gRPC response code. For more information, see [Status codes and their use in gRPC](https://grpc.github.io/grpc/core/md_doc_statuscodes.html). This field is logged only if the service supports gRPC. | integer |
| requestId | This a unique identifier automatically included in responses as the value of the x-amzn-requestid header. It enables request correlation across clients, targets, and logs for observability and debugging. | string |
| callerPrincipal | The authenticated principal. | string |
| callerX509SubjectCN | The subject name (CN). | string |
| callerX509IssuerOU | The issuer (OU). | string |
| callerX509SANNameCN | The issuer alternative (Name/CN). | string |
| callerX509SANDNS | The subject alternative name (DNS). | string |
| callerX509SANURI | The subject alternative name (URI). | string |
| sourceVpcArn | The ARN of the VPC where the request originated. | arn:aws:ec2:*region*:*account*:vpc/*id* |
| failureReason | Indicates the reason a request failed. The possible values are the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html) | string |
**Example**
The following is an example log entry.
```
{
"callerPrincipalTags" : "{ "TagA": "ValA", "TagB": "ValB", ... }",
"hostHeader": "example.com",
"sslCipher": "-",
"serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:123456789012:servicenetwork/svn-1a2b3c4d",
"resolvedUser": "Unknown",
"authDeniedReason": "null",
"requestMethod": "GET",
"targetGroupArn": "arn:aws:vpc-lattice:us-west-2:123456789012:targetgroup/tg-1a2b3c4d",
"tlsVersion": "-",
"userAgent": "-",
"serverNameIndication": "-",
"destinationVpcId": "vpc-0abcdef1234567890",
"sourceIpPort": "178.0.181.150:80",
"targetIpPort": "131.31.44.176:80",
"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
"sourceVpcId": "vpc-0abcdef1234567890",
"requestPath": "/billing",
"startTime": "2023-07-28T20:48:45Z",
"protocol": "HTTP/1.1",
"responseCode": 200,
"bytesReceived": 42,
"bytesSent": 42,
"duration": 375,
"requestToTargetDuration": 1,
"responseFromTargetDuration": 1,
"grpcResponseCode": 1,
"requestId": "a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"
}
```
## Resource access log contents
The following table describes the fields of a resource access log entry.
| Field | Description | Format |
| --- | --- | --- |
| serviceNetworkArn | The service network ARN. | arn:*partition*vpc-lattice:*region*:*account*:servicenetwork/*id* |
| serviceNetworkResourceAssociationId | The service network resource ID. | *snra*-*xxx* |
| vpcEndpointId | The endpoint ID that was used to access the resource. | string |
| sourceVpcArn | The source VPC ARN or the VPC from where connection was initiated. | string |
| resourceConfigurationArn | The ARN of the resource configuration that was accessed. | string |
| protocol | The protocol used to communicate to the resource configuration. Currently only tcp is supported. | string |
| sourceIpPort | The IP address and port of the source which initiated the connection. | *ip*:*port* |
| destinationIpPort | The IP address and port against which the connection was initiated. This will be the IP of SN-E/SN-A. | *ip*:*port* |
| gatewayIpPort | The IP address and port used by the resource gateway to access the resource. | *ip*:*port* |
| resourceIpPort | The IP address and port of the resource. | *ip*:*port* |
**Example**
The following is an example log entry.
```
{
"eventTimestamp": "2024-12-02T10:10:10.123Z",
"serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:1234567890:servicenetwork/sn-1a2b3c4d",
"serviceNetworkResourceAssociationId": "snra-1a2b3c4d",
"vpcEndpointId": "vpce-01a2b3c4d",
"sourceVpcArn": "arn:aws:ec2:us-west-2:1234567890:vpc/vpc-01a2b3c4d",
"resourceConfigurationArn": "arn:aws:vpc-lattice:us-west-2:0987654321:resourceconfiguration/rcfg-01a2b3c4d",
"protocol": "tcp",
"sourceIpPort": "172.31.23.56:44076",
"destinationIpPort": "172.31.31.226:80",
"gatewayIpPort": "10.0.28.57:49288",
"resourceIpPort": "10.0.18.190:80"
}
```
## Troubleshoot access logs
This section contains an explanation of the HTTP error codes that you may see in access logs.
| Error code | Possible causes |
| --- | --- |
| HTTP 400: Bad Request | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html) |
| HTTP 403: Forbidden | Authentication has been configured for the service, but the incoming request is not authenticated or authorized. |
| HTTP 404: Non Existent Service | You're trying to connect to a service that does not exist or is not registered to the right service network. |
| HTTP 500: Internal Server Error | VPC Lattice has encountered an error, such as failure to connect to targets. |
| HTTP 502: Bad Gateway | VPC Lattice has encountered an error. |