

# Enable logging from AWS services
<a name="AWS-logs-and-resource-policy"></a>

While many services publish logs only to CloudWatch Logs, some AWS services can publish logs directly to Amazon Simple Storage Service or Amazon Data Firehose. If your main requirement for logs is storage or processing in one of these services, you can easily have the service that produces the logs send them directly to Amazon S3 or Firehose without additional setup.

Even when you publish logs directly to Amazon S3 or Firehose, CloudWatch delivery charges apply. If you send logs to Amazon S3, then `AWS_REGION-S3-Egress-Bytes` charges appear in Cost Explorer or on your bill. If you send logs to Firehose, then `AWS_REGION-FH-Egress-Bytes` charges appear. For more information about vended logs pricing, see the **Logs** tab at [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/).

Some AWS services use a common infrastructure to send their logs. To enable logging from these services, you must be logged in as a user that has certain permissions. Additionally, you must grant permissions to AWS to enable the logs to be sent.

For services that require these permissions, there are two versions of the permissions needed. The services that require these extra permissions are noted as **Supported [V1 Permissions]** and **Supported [V2 Permissions]** in the table. For information about these required permissions, see the sections after the table.


| Log source | Log type | [Logs sent to CloudWatch Logs](AWS-logs-infrastructure-CWL.md) | [Logs sent to Amazon S3](AWS-logs-infrastructure-S3.md) | [Logs sent to Firehose](AWS-logs-infrastructure-Firehose.md) | [Traces sent to X-Ray](AWS-logs-infrastructure-V2-XRayTraces.md) | 
| --- | --- | --- | --- | --- | --- | 
|  [ Amazon API Gateway access logs](https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |   |   |  | 
|  [AWS AppSync logs](https://docs.aws.amazon.com/appsync/latest/devguide/monitoring.html)  | Custom logs |  Supported  |  |  |   | 
|  [ Amazon Aurora MySQL logs](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.CloudWatch.html)  | Custom logs |  Supported  |  |  |   | 
|  [Amazon Bedrock Knowledge bases logging](https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-bases-logging.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [Amazon Bedrock Agent logging](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [Amazon Bedrock AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agents-tools-runtime.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | 
|  [Amazon Bedrock AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | 
|  [Amazon Bedrock AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | 
|  [Amazon Bedrock AgentCore Memory](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/memory.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | 
|  [Amazon Bedrock AgentCore Tools](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/built-in-tools.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | 
|  [ Amazon Chime media quality metric logs and SIP message logs](https://docs.aws.amazon.com/chime/latest/ag/monitoring-cloudwatch.html#cw-logs)   | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |   |   |   | 
|  [ CloudFront: access logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [AWS CloudHSM audit logs](https://docs.aws.amazon.com/cloudhsm/latest/userguide/get-hsm-audit-logs-using-cloudwatch.html)  | Custom logs |  Supported  |  |  |  | 
|  [ CloudWatch Evidently evaluation event logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Evidently-datastorage.html#CloudWatch-Evidently-datastorage-logformat)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  |  | 
|  [ CloudWatch Internet Monitor logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-IM-view-cw-tools.S3_athena.html)  | Vended logs |   | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  |  | 
|  [ CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/monitor-cloudtrail-log-files-with-cloudwatch-logs.html)  | Custom logs |  Supported  |  |  |  | 
|  [AWS CodeBuild logs](https://docs.aws.amazon.com/codebuild/latest/userguide/getting-started-build-log-console.html)  | Custom logs |  Supported  |  |  |  | 
|  [Amazon CodeWhisperer event logs](https://docs.aws.amazon.com/eventbridge/latest/ref/events-ref-codewhisperer.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [Amazon Cognito logs](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  |  |  | 
|  [Amazon Connect logs](https://docs.aws.amazon.com/connect/latest/adminguide/logging-and-monitoring.html)   | Custom logs |  Supported  |  |  |  | 
|  [AWS DataSync logs](https://docs.aws.amazon.com/datasync/latest/userguide/monitor-datasync.html#cloudwatchlogs)  | Custom logs |  Supported  |  |  |  | 
|  [AWS DevOps Agent logs](https://docs.aws.amazon.com/devopsagent/latest/userguide/configuring-capabilities-for-aws-devops-agent-vended-logs-and-metrics.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon ElastiCache (Redis OSS) logs](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Log_Delivery.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [AWS Elastic Beanstalk logs](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.cloudwatchlogs.html)  | Custom logs |  Supported  |  |  |  | 
|  [ Amazon Elastic Container Service logs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_cloudwatch_logs.html)  | Custom logs |  Supported  |  |  |  | 
|  [ Amazon Elastic Kubernetes Service Auto Mode logs](https://docs.aws.amazon.com/eks/latest/userguide/auto-managed-component-logs.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon Elastic Kubernetes Service control plane logs](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)  | Vended logs |  Supported  |  |  |  | 
|  [AWS Elemental MediaPackage access logs](https://docs.aws.amazon.com/mediapackage/latest/ug/access-logging.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [AWS Elemental MediaTailor logs](https://docs.aws.amazon.com/mediatailor/latest/ug/monitoring-cw-logs.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
| [AWS Entity Resolution logs](https://docs.aws.amazon.com/entityresolution/latest/userguide/what-is-service.html) | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [Amazon EventBridge Pipes logging](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-logs.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [Amazon EventBridge event buses](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes-logs.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [AWS Fargate logs](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_awslogs.html)  | Custom logs |  Supported  |  |  |  | 
|  [AWS Fault Injection Service experiment logs](https://docs.aws.amazon.com/fis/latest/userguide/monitoring-logging.html)  | Vended logs |   | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  |  | 
|  [Amazon FinSpace](https://docs.aws.amazon.com/finspace/latest/userguide/finspace-what-is.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [AWS Global Accelerator flow logs](https://docs.aws.amazon.com/global-accelerator/latest/dg/monitoring-global-accelerator.flow-logs.html)  | Vended logs |   | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  |  | 
|  [AWS Glue job logs](https://docs.aws.amazon.com/glue/latest/dg/monitor-continuous-logging.html)  | Custom logs |  Supported  |  |  |  | 
|  [ IAM Identity Center error logs](https://docs.aws.amazon.com/singlesignon/latest/userguide/logging-ad-sync-errors.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon Interactive Video Service chat logs](https://docs.aws.amazon.com/ivs/latest/LowLatencyUserGuide/chat-logging.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [AWS IoT logs](https://docs.aws.amazon.com/iot/latest/developerguide/cloud-watch-logs.html)  | Custom logs |  Supported  |  |  |  | 
|  [AWS IoT FleetWise logs](https://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/logging-cw.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [AWS Lambda logs](https://docs.aws.amazon.com/lambda/latest/dg/monitoring-cloudwatchlogs.html)  | Vended logs |  Supported  |  Supported  |  Supported  |  | 
|  [ Amazon Macie logs](https://docs.aws.amazon.com/macie/latest/user/discovery-jobs-monitor-cw-logs.html)  | Custom logs |  Supported  |  |  |  | 
| [ Amazon SES logs](https://docs.aws.amazon.com/ses/latest/dg/eb-logging.html) | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [AWS Mainframe Modernization](https://docs.aws.amazon.com/m2/latest/userguide/what-is-m2.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [ Amazon Managed Service for Prometheus logs](https://docs.aws.amazon.com/prometheus/latest/userguide/CW-logs.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  |  |  | 
|  [ Amazon MSK broker logs](https://docs.aws.amazon.com/msk/latest/developerguide/msk-logging.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [ Amazon MSK Connect logs](https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-logging.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [ Amazon MQ logs](https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html)  | Custom logs |  Supported  |  |  |  | 
|  [AWS Network Firewall logs](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [AWS Network Firewall Proxy logs](https://docs.aws.amazon.com/network-firewall/latest/developerguide/proxy-logging-and-monitoring.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Network Load Balancer access logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ OpenSearch logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/createdomain-configure-slow-logs.html)  | Custom logs |  Supported  |  |  |  | 
|  [ Amazon OpenSearch Service ingestion logs](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/monitoring-pipeline-logs.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
| [AWS PCS](https://docs.aws.amazon.com/pcs/latest/userguide/monitoring-overview.html) logs | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon Q Business connector logs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/connectors-list.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon Q Business conversation logs](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/cw-logs-enable-logging.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon Quick chat and feedback logs](https://docs.aws.amazon.com/quicksuite/latest/userguide/monitoring-quicksuite-chat-feedback-cloudwatch.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [Amazon Relational Database Service PostgreSQL logs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.PostgreSQL.html#USER_LogAccess.PostgreSQL.PublishtoCloudWatchLogs)  | Custom logs |  Supported  |  |  |  | 
| [AWS RTB Fabric](https://docs.aws.amazon.com/rtb-fabric/latest/userguide/what-is-rtb-fabric.html) logs | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  |  |  | 
|  [ Amazon Route 53 public DNS query logs](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-monitoring.html)  | Vended logs |  Supported  |  |  |  | 
|  [ Amazon Route 53 resolver query logs](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs-choosing-target-resource.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  |  | 
|  [ Amazon SageMaker AI events](https://docs.aws.amazon.com/sagemaker/latest/dg/logging-cloudwatch.html)   | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |   |   |  | 
|  [ Amazon SageMaker AI worker events](https://docs.aws.amazon.com/sagemaker/latest/dg/workteam-private-tracking.html)   | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |   |   |  | 
|  [AWS Site-to-Site VPN logs](https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html)   | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  | 
|  [Amazon Simple Email Service logs](https://docs.aws.amazon.com/ses/latest/dg/eb-logging.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [ Amazon Simple Notification Service logs](https://docs.aws.amazon.com/sns/latest/dg/sms_stats_cloudwatch.html#sns-viewing-cloudwatch-logs)  | Custom logs |  Supported  |  |  |  | 
|  [ Amazon Simple Notification Service data protection policy logs](https://docs.aws.amazon.com/sns/latest/dg/sns-message-data-protection-operations.html)  | Custom logs |  Supported  |  |  |  | 
|  [ EC2 Spot Instance data feed files](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-data-feeds.html)   | Vended logs |    | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |   |  | 
|  [AWS Step Functions Express Workflow and Standard Workflow logs](https://docs.aws.amazon.com/step-functions/latest/dg/cw-logs.html)   | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |   |   |  | 
|  [ Storage Gateway audit logs and health logs](https://docs.aws.amazon.com/storagegateway/latest/userguide/monitoring-file-gateway.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |   |   |  | 
|  [AWS Transfer Family logs](https://docs.aws.amazon.com/transfer/latest/userguide/structured-logging.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  | 
|  [AWS Verified Access logs](https://docs.aws.amazon.com/verified-access/latest/ug/access-logs.html)  | Vended logs |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  [Supported [V1 Permissions]](AWS-vended-logs-permissions.md)  |  | 
|  [ Amazon Virtual Private Cloud flow logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html)  | Vended logs |  Supported  | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
|  [Amazon VPC Lattice access logs](https://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  | 
| [Amazon VPC Route Server](https://docs.aws.amazon.com/vpc/latest/userguide/dynamic-routing-route-server.html) | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 
|  [AWS WAF logs](https://docs.aws.amazon.com/waf/latest/developerguide/logging-destinations.html)  | Vended logs | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) | [Supported [V1 Permissions]](AWS-vended-logs-permissions.md) |  Supported  |  | 
|  [Amazon WorkMail audit logs](https://docs.aws.amazon.com/workmail/latest/adminguide/monitoring-audit-logging.html)  | Vended logs | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) | [Supported [V2 Permissions]](AWS-vended-logs-permissions-V2.md) |  | 

# Logging that requires additional permissions [V1]
<a name="AWS-vended-logs-permissions"></a>

Some AWS services use a common infrastructure to send their logs to CloudWatch Logs, Amazon S3, or Firehose. To enable the AWS services listed in the preceding table to send their logs to these destinations, you must be logged in as a user that has certain permissions.

Additionally, permissions must be granted to AWS to enable the logs to be sent. AWS can automatically create those permissions when the logs are set up, or you can create them yourself first before you set up the logging. For cross-account delivery, you must manually create the permission policies yourself.

If you choose to have AWS automatically set up the necessary permissions and resource policies when you or someone in your organization first sets up the sending of logs, then the user who is setting up the sending of logs must have certain permissions, as explained later in this section. Alternatively, you can create the resource policies yourself, and then the users who set up the sending of logs do not need as many permissions.

The following topics provide more details for each of these destinations.

**Topics**
+ [Logs sent to CloudWatch Logs](AWS-logs-infrastructure-CWL.md)
+ [Logs sent to Amazon S3](AWS-logs-infrastructure-S3.md)
+ [Logs sent to Firehose](AWS-logs-infrastructure-Firehose.md)

# Logs sent to CloudWatch Logs
<a name="AWS-logs-infrastructure-CWL"></a>

**Important**  
When you set up the log types in the following list to be sent to CloudWatch Logs, AWS creates or changes the resource policies associated with the log group receiving the logs, if needed. Continue reading this section to see the details.

This section applies when the types of logs listed in the table in the preceding section are sent to CloudWatch Logs:

**User permissions**

To be able to set up sending any of these types of logs to CloudWatch Logs for the first time, you must be logged into an account with the following permissions.
+ `logs:CreateLogDelivery`
+ `logs:PutResourcePolicy`
+ `logs:DescribeResourcePolicies`
+ `logs:DescribeLogGroups`

**Note**  
When you specify the `logs:DescribeLogGroups`, `logs:DescribeResourcePolicies`, or `logs:PutResourcePolicy` permission, be sure to set the ARN of its `Resource` line to use a `*` wildcard, instead of specifying only a single log group name. For example, `"Resource": "arn:aws:logs:us-east-1:111122223333:log-group:*"`

If any of these types of logs is already being sent to a log group in CloudWatch Logs, then to set up the sending of another one of these types of logs to that same log group, you only need the `logs:CreateLogDelivery` permission.

**Log group resource policy**

The log group where the logs are being sent must have a resource policy that includes certain permissions. If the log group currently does not have a resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy for it when you begin sending the logs to CloudWatch Logs. For newly created subscriptions, resource policies are configured at the log group level and have a maximum size of 51,200 bytes. If an existing account-level resource policy already grants the permissions through wildcards, a separate log-group-level policy is not created. To check the log-group-level resource policy for a specific log group, use the `describe-resource-policies` command with the `--resource-arn` parameter set to the log group ARN and the `--policy-scope` parameter set to `RESOURCE`.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```

------

The log group's resource policy limit is 51,200 bytes. Once this limit is reached, AWS cannot add new permissions, and you must modify the policy manually to grant the `delivery.logs.amazonaws.com` service principal the `logs:CreateLogStream` and `logs:PutLogEvents` actions. To avoid hitting the limit, use a log group name prefix with a wildcard, such as `/aws/vendedlogs/*`, in the policy, and use that prefix for the log groups of future deliveries, as in the following example.

------
#### [ JSON ]

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```

------
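As an added example (not code from the CloudWatch Logs documentation), the following Python script performs the checks described in this section offline against a policy document: it confirms that a statement grants `delivery.logs.amazonaws.com` both `logs:CreateLogStream` and `logs:PutLogEvents`, flags any such grant that lacks the `aws:SourceAccount` and `aws:SourceArn` conditions, reports whether the resource uses a log-group-name prefix wildcard, and shows how much of the 51,200-byte limit remains. The two embedded policy documents are constructed in the shape of the samples above; in practice you would feed it the document returned by `aws logs describe-resource-policies` as described earlier.

```python
"""Offline checks for a CloudWatch Logs log-group resource policy that must
admit vended-log delivery from delivery.logs.amazonaws.com."""
import json

DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
MAX_POLICY_BYTES = 51_200  # log-group resource policy size limit


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals named by a statement ("*" and AWS principals ignored)."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return set(_as_list(principal.get("Service")))
    return set()


def _log_group_name(resource_arn):
    """Log-group name part of a logs ARN, without any :log-stream: suffix."""
    marker = ":log-group:"
    if marker not in resource_arn:
        return None
    return resource_arn.split(marker, 1)[1].split(":log-stream:", 1)[0]


def check_log_group_delivery_policy(policy_document):
    """Inspect a policy document (JSON text) and return a findings dict."""
    policy = json.loads(policy_document)
    size = len(policy_document.encode("utf-8"))
    report = {
        "size_bytes": size,
        "bytes_remaining": MAX_POLICY_BYTES - size,
        "grants_delivery": False,
        # Delivery grants that lack the SourceAccount/SourceArn guards, which are
        # what stops another account's deliveries from writing into this group.
        "unconditioned_delivery_sids": [],
        "uses_log_group_prefix_wildcard": False,
    }
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if DELIVERY_PRINCIPAL not in _service_principals(stmt):
            continue
        if not REQUIRED_ACTIONS <= set(_as_list(stmt.get("Action"))):
            continue
        report["grants_delivery"] = True
        cond = stmt.get("Condition", {})
        guarded = ("aws:SourceAccount" in cond.get("StringEquals", {})
                   and "aws:SourceArn" in cond.get("ArnLike", {}))
        if not guarded:
            report["unconditioned_delivery_sids"].append(stmt.get("Sid", "<no Sid>"))
        for arn in _as_list(stmt.get("Resource")):
            name = _log_group_name(arn)
            if name and "*" in name:
                report["uses_log_group_prefix_wildcard"] = True
    return report


def _delivery_policy(resource_arn, conditions=True):
    """Build a constructed sample policy in the shape shown on this page."""
    statement = {
        "Sid": "AWSLogDeliveryWrite20150319",
        "Effect": "Allow",
        "Principal": {"Service": [DELIVERY_PRINCIPAL]},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": [resource_arn],
    }
    if conditions:
        statement["Condition"] = {
            "StringEquals": {"aws:SourceAccount": ["111122223333"]},
            "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-east-1:111122223333:*"]},
        }
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]}, indent=4)


# Constructed samples: a guarded grant on a log-group-name prefix, and a grant on a
# single log group that lacks the SourceAccount/SourceArn conditions.
PREFIX_WILDCARD_POLICY = _delivery_policy(
    "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/*")
UNGUARDED_POLICY = _delivery_policy(
    "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*",
    conditions=False)

if __name__ == "__main__":
    for label, doc in (("prefix", PREFIX_WILDCARD_POLICY), ("unguarded", UNGUARDED_POLICY)):
        print(label, json.dumps(check_log_group_delivery_policy(doc)))
```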

# Logs sent to Amazon S3
<a name="AWS-logs-infrastructure-S3"></a>

When you set logs to be sent to Amazon S3, AWS creates or changes the resource policies associated with the S3 bucket that is receiving the logs, if needed.

Logs published directly to Amazon S3 are published to an existing bucket that you specify. One or more log files are created every five minutes in the specified bucket.

When you deliver logs for the first time to an Amazon S3 bucket, the service that delivers logs records the owner of the bucket to ensure that the logs are delivered only to a bucket belonging to this account. As a result, to change the Amazon S3 bucket owner, you must re-create or update the log subscription in the originating service.

**Note**  
CloudFront uses a different permissions model than the other services that send vended logs to S3. For more information, see [ Permissions required to configure standard logging and to access your log files](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership).  
Additionally, if you use the same S3 bucket for CloudFront access logs and another log source, enabling ACL on the bucket for CloudFront also grants permission to all other log sources that use this bucket.

**Important**  
If you're sending logs to an Amazon S3 bucket and the bucket policy contains a `NotAction` or `NotPrincipal` element, AWS cannot automatically add the log delivery permissions to the bucket, and creating the log subscription fails. To create the log subscription successfully, first add the log delivery permissions to the bucket policy manually, then create the log subscription. For more information, see the instructions in this section.  
If the bucket has server-side encryption using a customer managed AWS KMS key, you must also add the key policy for your customer managed key. For more information, see [Amazon S3 bucket server-side encryption](#AWS-logs-SSE-KMS-S3).  
If the destination bucket has SSE-KMS and a Bucket Key enabled, the attached customer managed KMS key policy no longer works as expected for all requests. For more information, see [ Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html).  
If you're using vended logs and S3 encryption with a customer managed AWS KMS key, you must use a fully qualified AWS KMS key ARN instead of a key ID when you configure the bucket. For more information, see [ put-bucket-encryption](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-encryption.html).
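As an added example (not code from the documentation), the following Python preflight evaluates a destination bucket against the conditions in the note above before a delivery is created: whether the bucket policy contains `NotAction` or `NotPrincipal` (so the delivery permissions must be added by hand), whether an SSE-KMS default encryption rule names a bare key ID rather than a full key ARN, and whether a Bucket Key is enabled. The encryption configuration is assumed to be in the shape returned by `aws s3api get-bucket-encryption`; the bucket policy and key values are constructed.

```python
"""Offline preflight for an S3 bucket that is about to receive vended logs,
covering the failure modes called out in the note above."""
import json
import re

# A fully qualified KMS key ARN, as opposed to a bare key ID.
KMS_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-fA-F-]{36}$")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements_blocking_auto_setup(bucket_policy_document):
    """Sids of statements that use NotAction or NotPrincipal.

    With either element present, AWS does not add the delivery permissions
    automatically and subscription creation fails, so the policy must be
    edited by hand before the delivery is created.
    """
    policy = json.loads(bucket_policy_document)
    blocking = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if "NotAction" in stmt or "NotPrincipal" in stmt:
            blocking.append(stmt.get("Sid", f"<statement {index}>"))
    return blocking


def check_sse_kms_config(encryption_config):
    """Inspect a get-bucket-encryption style configuration dict."""
    findings = {"sse_kms": False, "kms_key_is_arn": None, "bucket_key_enabled": False}
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            continue  # SSE-S3 rules need no key policy work
        findings["sse_kms"] = True
        findings["kms_key_is_arn"] = bool(KMS_KEY_ARN.match(default.get("KMSMasterKeyID", "")))
        findings["bucket_key_enabled"] = bool(rule.get("BucketKeyEnabled", False))
    return findings


def preflight_s3_log_destination(bucket_policy_document, encryption_config):
    """Combine both checks into the actions an operator must take first."""
    blocking = statements_blocking_auto_setup(bucket_policy_document)
    kms = check_sse_kms_config(encryption_config)
    return {
        "manual_bucket_policy_required": bool(blocking),
        "blocking_statements": blocking,
        # A key ID will not work; the bucket must reference the full key ARN.
        "kms_key_must_be_arn": kms["sse_kms"] and not kms["kms_key_is_arn"],
        # With a Bucket Key enabled the key policy no longer applies as expected.
        "bucket_key_caveat": kms["sse_kms"] and kms["bucket_key_enabled"],
    }


# Constructed sample inputs (not taken from the documentation).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllButLogAdmin",
        "Effect": "Deny",
        "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/log-admin"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
    }],
})
SAMPLE_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab",  # bare key ID
        },
        "BucketKeyEnabled": True,
    }]},
}

if __name__ == "__main__":
    print(json.dumps(preflight_s3_log_destination(SAMPLE_BUCKET_POLICY, SAMPLE_ENCRYPTION)))
```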

**User permissions**

To be able to set up sending any of these types of logs to Amazon S3 for the first time, you must be logged into an account with the following permissions.
+ `logs:CreateLogDelivery`
+ `S3:GetBucketPolicy`
+ `S3:PutBucketPolicy`

If any of these types of logs is already being sent to an Amazon S3 bucket, then to set up the sending of another one of these types of logs to the same bucket you only need to have the `logs:CreateLogDelivery` permission.

**S3 bucket resource policy**

The S3 bucket where the logs are being sent must have a resource policy that includes certain permissions. If the bucket currently does not have a resource policy and the user setting up the logging has the `S3:GetBucketPolicy` and `S3:PutBucketPolicy` permissions for the bucket, then AWS automatically creates the following policy for it when you begin sending the logs to Amazon S3.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite20150319",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/account-ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```

------

In the previous policy, for `aws:SourceAccount`, specify the list of account IDs whose logs are being delivered to this bucket. For `aws:SourceArn`, specify the list of ARNs of the resources that generate the logs, in the form `arn:aws:logs:source-region:source-account-id:*`.

If the bucket has a resource policy but that policy doesn't contain the statement shown in the previous policy, and the user setting up the logging has the `S3:GetBucketPolicy` and `S3:PutBucketPolicy` permissions for the bucket, that statement is appended to the bucket's resource policy.

**Note**  
In some cases, you may see `AccessDenied` errors in AWS CloudTrail if the `s3:ListBucket` permission has not been granted to `delivery.logs.amazonaws.com`. To avoid these errors in your CloudTrail logs, you must grant the `s3:ListBucket` permission to `delivery.logs.amazonaws.com` and you must include the `Condition` parameters shown with the `s3:GetBucketAcl` permission set in the preceding bucket policy. To make this simpler, instead of creating a new `Statement`, you can directly update the `AWSLogDeliveryAclCheck` statement to use `"Action": ["s3:GetBucketAcl", "s3:ListBucket"]`.

## Amazon S3 bucket server-side encryption
<a name="AWS-logs-SSE-KMS-S3"></a>

You can protect the data in your Amazon S3 bucket by enabling either server-side encryption with Amazon S3-managed keys (SSE-S3) or server-side encryption with an AWS KMS key stored in AWS Key Management Service (SSE-KMS). For more information, see [ Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).

If you choose SSE-S3, no additional configuration is required. Amazon S3 handles the encryption key.

**Warning**  
If you choose SSE-KMS, you must use a customer managed key, because using an AWS managed key is not supported for this scenario. If you set up encryption using an AWS managed key, the logs will be delivered in an unreadable format.

When you use a customer managed AWS KMS key, you can specify the Amazon Resource Name (ARN) of the customer managed key when you enable bucket encryption. You must add the following to the key policy for your customer managed key (not to the bucket policy for your S3 bucket), so that the log delivery account can write to your S3 bucket.

```
{
    "Sid": "Allow Logs Delivery to use the key", 
    "Effect": "Allow", 
    "Principal": {
        "Service": [ "delivery.logs.amazonaws.com" ] 
    }, 
    "Action": [ 
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
            "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:*"]
        }
    }
}
```

For `aws:SourceAccount`, specify the list of account IDs whose logs are being delivered to this bucket. For `aws:SourceArn`, specify the list of ARNs of the resources that generate the logs, in the form `arn:aws:logs:source-region:source-account-id:*`.
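The bucket policy, encryption and key policy requirements above lend themselves to a pre-flight check before you create a delivery. The following Python is an added example, not AWS code: it inspects a bucket policy document (as returned by `get-bucket-policy`), one encryption rule (as returned by `get-bucket-encryption`) and a KMS key policy, and reports the conditions this section calls out: `NotAction`/`NotPrincipal` elements that block automatic setup, missing `aws:SourceAccount`/`aws:SourceArn` conditions, a missing `s3:ListBucket` grant, an AWS managed key or a bare key ID instead of a fully qualified key ARN, and an enabled Bucket Key. The sample policies are constructed from the examples on this page; the account IDs and bucket names are the page's placeholders.

```python
import re

LOG_DELIVERY = "delivery.logs.amazonaws.com"
BUCKET_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject"}
KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"}
# Bucket encryption must name a fully qualified key ARN, not a bare key ID or an alias.
KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def delivery_statements(policy):
    """Allow statements whose Service principal is the log delivery principal."""
    found = []
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and LOG_DELIVERY in services:
            found.append(stmt)
    return found

def conditions_missing(stmt):
    """Both confused-deputy conditions shown on this page must be present."""
    cond = stmt.get("Condition", {})
    return ("aws:SourceAccount" not in cond.get("StringEquals", {})
            or "aws:SourceArn" not in cond.get("ArnLike", {}))

def check_bucket_policy(policy):
    """Findings for a bucket policy that is meant to receive vended logs."""
    findings = []
    if any("NotAction" in s or "NotPrincipal" in s for s in as_list(policy.get("Statement"))):
        findings.append("NotAction/NotPrincipal present: automatic setup fails, add the delivery statements by hand")
    granted = set()
    for stmt in delivery_statements(policy):
        if conditions_missing(stmt):
            findings.append(f"{stmt.get('Sid')}: aws:SourceAccount or aws:SourceArn condition missing")
        granted |= set(as_list(stmt.get("Action")))
    if BUCKET_ACTIONS - granted:
        findings.append("delivery principal lacks " + ", ".join(sorted(BUCKET_ACTIONS - granted)))
    if "s3:ListBucket" not in granted:
        findings.append("s3:ListBucket not granted: expect AccessDenied entries in CloudTrail")
    return findings

def check_encryption(rule):
    """Findings for one rule from get-bucket-encryption (ServerSideEncryptionConfiguration.Rules[])."""
    default = rule.get("ApplyServerSideEncryptionByDefault", {})
    if default.get("SSEAlgorithm") != "aws:kms":
        return []  # SSE-S3 (AES256) needs no extra configuration
    findings = []
    key = default.get("KMSMasterKeyID", "")
    if "alias/aws/" in key:
        findings.append("AWS managed key in use: unsupported, delivered logs will be unreadable")
    elif not KEY_ARN.match(key):
        findings.append("KMSMasterKeyID must be a fully qualified customer managed key ARN")
    if rule.get("BucketKeyEnabled"):
        findings.append("S3 Bucket Key enabled: the key policy grant does not apply to every request")
    return findings

def check_key_policy(policy):
    """Findings for the customer managed key policy behind SSE-KMS."""
    findings, granted = [], set()
    for stmt in delivery_statements(policy):
        if conditions_missing(stmt):
            findings.append(f"{stmt.get('Sid')}: aws:SourceAccount or aws:SourceArn condition missing")
        granted |= set(as_list(stmt.get("Action")))
    if KMS_ACTIONS - granted:
        findings.append("delivery principal lacks " + ", ".join(sorted(KMS_ACTIONS - granted)))
    return findings

# Constructed samples: the bucket policy from this page with s3:ListBucket folded into the ACL check.
COND = {"StringEquals": {"aws:SourceAccount": ["0123456789"]},
        "ArnLike": {"aws:SourceArn": ["arn:aws:logs:us-east-1:111122223333:*"]}}
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow", "Principal": {"Service": LOG_DELIVERY},
     "Action": ["s3:GetBucketAcl", "s3:ListBucket"], "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
     "Condition": COND},
    {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": {"Service": LOG_DELIVERY},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/account-ID/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control", **COND["StringEquals"]},
                   "ArnLike": COND["ArnLike"]}}]}
# Constructed: a policy using NotPrincipal, which AWS cannot extend automatically.
NOT_PRINCIPAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllButAdmin", "Effect": "Deny", "NotPrincipal": {"AWS": "arn:aws:iam::0123456789:role/Admin"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}]}
SAMPLE_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow Logs Delivery to use the key", "Effect": "Allow", "Principal": {"Service": [LOG_DELIVERY]},
     "Action": sorted(KMS_ACTIONS), "Resource": "*", "Condition": COND}]}
# Constructed: SSE-KMS configured with a bare key ID and a Bucket Key, both flagged by the check.
SAMPLE_ENCRYPTION_RULE = {"ApplyServerSideEncryptionByDefault": {
    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    "BucketKeyEnabled": True}

if __name__ == "__main__":
    for name, result in [("bucket policy", check_bucket_policy(SAMPLE_BUCKET_POLICY)),
                         ("NotPrincipal policy", check_bucket_policy(NOT_PRINCIPAL_POLICY)),
                         ("encryption rule", check_encryption(SAMPLE_ENCRYPTION_RULE)),
                         ("key policy", check_key_policy(SAMPLE_KEY_POLICY))]:
        print(name, "->", result or "ok")
```

Run it against the real documents by loading the JSON returned by `aws s3api get-bucket-policy`, `aws s3api get-bucket-encryption` and `aws kms get-key-policy`; an empty findings list for all three means the automatic setup described above can proceed, and each finding names the sentence in this section that explains the fix.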

# Logs sent to Firehose
<a name="AWS-logs-infrastructure-Firehose"></a>

This section applies when the types of logs listed in the table in the preceding section are sent to Firehose.

**User permissions**

To be able to set up sending any of these types of logs to Firehose for the first time, you must be logged into an account with the following permissions.
+ `logs:CreateLogDelivery`
+ `firehose:TagDeliveryStream`
+ `iam:CreateServiceLinkedRole`

If any of these types of logs is already being sent to Firehose, then to set up the sending of another one of these types of logs to Firehose you need to have only the `logs:CreateLogDelivery` and `firehose:TagDeliveryStream` permissions.

**IAM roles used for permissions**

Because Firehose does not use resource policies, AWS uses IAM roles when setting up these logs to be sent to Firehose. AWS creates a service-linked role named **AWSServiceRoleForLogDelivery**. This service-linked role includes the following permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch",
                "firehose:ListTagsForDeliveryStream"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/LogDeliveryEnabled": "true"
                }
            },
            "Effect": "Allow"
        }
    ]
}
```

------

This service-linked role grants permission for all Firehose delivery streams that have the `LogDeliveryEnabled` tag set to `true`. AWS gives this tag to the destination delivery stream when you set up the logging. 

This service-linked role also has a trust policy that allows the `delivery.logs.amazonaws.com` service principal to assume the needed service-linked role. That trust policy is as follows:

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

# Logging that requires additional permissions [V2]
<a name="AWS-vended-logs-permissions-V2"></a>

Some AWS services use a new method to send their logs. This is a flexible method that enables you to set up log delivery from these services to one or more of the following destinations: CloudWatch Logs, Amazon S3, or Firehose. The same method delivers traces to X-Ray.

A working log delivery consists of three elements:
+ A `DeliverySource`, which is a logical object that represents the resource(s) that actually send the logs.
+ A `DeliveryDestination`, which is a logical object that represents the actual delivery destination.
+ A `Delivery`, which connects a delivery source to a delivery destination.

To configure logs delivery between a supported AWS service and a destination, you must do the following:
+ Create a delivery source with [PutDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliverySource.html).
+ Create a delivery destination with [PutDeliveryDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestination.html).
+ If you are delivering logs cross-account, you must use [ PutDeliveryDestinationPolicy](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_PutDeliveryDestinationPolicy.html) in the destination account to assign an IAM policy to the destination. This policy authorizes creating a delivery from the delivery source in account A to the delivery destination in account B. For cross-account delivery, you must manually create the permission policies yourself. 
+ Create a delivery by pairing exactly one delivery source and one delivery destination, by using [ CreateDelivery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_CreateDelivery.html).

The following sections provide the details of the permissions you need to have when you are signed in to set up log delivery to each type of destination, using the V2 process. These permissions can be granted to an IAM role that you are signed in with.

**Important**  
It is your responsibility to remove log delivery resources after deleting the log-generating resource. To do so, follow these steps.  
Delete the `Delivery` by using the [DeleteDelivery](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDelivery.html) operation.
Delete the `DeliverySource` by using the [DeleteDeliverySource](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDeliverySource.html) operation.
If the `DeliveryDestination` associated with the `DeliverySource` that you just deleted is used only for this specific `DeliverySource`, then you can remove it by using the [DeleteDeliveryDestination](https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteDeliveryDestination.html) operation.
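The setup and teardown sequence above, as an added example in Python (not code from AWS). It uses the boto3 `logs` client method names for `PutDeliverySource`, `PutDeliveryDestination`, `PutDeliveryDestinationPolicy`, `CreateDelivery` and the three delete operations; `RecordingClient` is a constructed offline stand-in that returns the same response shapes, so the example runs without AWS access and can be swapped for `boto3.client("logs")` per account. The cross-account destination policy shape, the `ACCESS_LOGS` log type and all names and ARNs are assumptions for illustration; the page itself does not print the destination policy.

```python
import json


class RecordingClient:
    """Offline stand-in for boto3.client("logs"): records every call and returns the
    response shapes of the real API (constructed; no AWS call is made)."""

    def __init__(self, account_id, region="us-east-1"):
        self.account_id, self.region, self.calls = account_id, region, []

    def _arn(self, kind, name):
        return f"arn:aws:logs:{self.region}:{self.account_id}:{kind}:{name}"

    def _record(self, op, kwargs, response):
        self.calls.append((op, kwargs))
        return response

    def put_delivery_source(self, **kw):
        return self._record("PutDeliverySource", kw, {"deliverySource": {
            "name": kw["name"], "arn": self._arn("delivery-source", kw["name"])}})

    def put_delivery_destination(self, **kw):
        return self._record("PutDeliveryDestination", kw, {"deliveryDestination": {
            "name": kw["name"], "arn": self._arn("delivery-destination", kw["name"])}})

    def put_delivery_destination_policy(self, **kw):
        return self._record("PutDeliveryDestinationPolicy", kw, {})

    def create_delivery(self, **kw):
        return self._record("CreateDelivery", kw, {"delivery": {
            "id": "d-0001", "arn": self._arn("delivery", "d-0001")}})

    def delete_delivery(self, **kw):
        return self._record("DeleteDelivery", kw, {})

    def delete_delivery_source(self, **kw):
        return self._record("DeleteDeliverySource", kw, {})

    def delete_delivery_destination(self, **kw):
        return self._record("DeleteDeliveryDestination", kw, {})


def destination_policy(destination_arn, source_account_id):
    """Policy for PutDeliveryDestinationPolicy in the destination account (assumed shape):
    it lets the source account create deliveries that target this destination only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCreateDeliveryFromSourceAccount",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{source_account_id}:root"},
        "Action": ["logs:CreateDelivery"],
        "Resource": [destination_arn]}]}


def set_up_delivery(source_client, dest_client, *, source_name, resource_arn, log_type,
                    destination_name, destination_resource_arn, source_account_id=None):
    """The steps in the order the page lists them. source_client acts in the account that owns
    the log-generating resource, dest_client in the account that owns the destination; pass
    the same client twice for a single-account delivery (no destination policy is needed then)."""
    source_client.put_delivery_source(name=source_name, resourceArn=resource_arn, logType=log_type)
    dest = dest_client.put_delivery_destination(
        name=destination_name, outputFormat="json",
        deliveryDestinationConfiguration={"destinationResourceArn": destination_resource_arn},
    )["deliveryDestination"]
    if source_account_id is not None:  # cross-account: destination account authorizes the source account
        dest_client.put_delivery_destination_policy(
            deliveryDestinationName=destination_name,
            deliveryDestinationPolicy=json.dumps(destination_policy(dest["arn"], source_account_id)))
    return source_client.create_delivery(
        deliverySourceName=source_name, deliveryDestinationArn=dest["arn"])["delivery"]


def tear_down_delivery(source_client, dest_client, *, delivery_id, source_name,
                       destination_name, destination_still_shared=False):
    """Reverse order from the Important note: delivery, then source, then the destination,
    unless other delivery sources still use that destination."""
    source_client.delete_delivery(id=delivery_id)
    source_client.delete_delivery_source(name=source_name)
    if not destination_still_shared:
        dest_client.delete_delivery_destination(name=destination_name)


if __name__ == "__main__":
    # Hypothetical names and ARNs; swap RecordingClient for boto3.client("logs") per account to run for real.
    source, dest = RecordingClient("123456789012"), RecordingClient("111122223333")
    delivery = set_up_delivery(source, dest, source_name="apigw-prod-access",
                               resource_arn="arn:aws:apigateway:us-east-1::/apis/a1b2c3/stages/prod",
                               log_type="ACCESS_LOGS", destination_name="central-s3",
                               destination_resource_arn="arn:aws:s3:::amzn-s3-demo-bucket",
                               source_account_id="123456789012")
    print("created", delivery["arn"])
    tear_down_delivery(source, dest, delivery_id=delivery["id"], source_name="apigw-prod-access",
                       destination_name="central-s3")
    print([op for op, _ in source.calls], [op for op, _ in dest.calls])
```

Keep two clients in the cross-account case because the destination policy must be written by the destination account while the delivery is created by the source account; the `destination_still_shared` flag encodes the Important note's condition for deleting the destination.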

**Contents**
+ [Logs sent to CloudWatch Logs](AWS-logs-infrastructure-V2-CloudWatchLogs.md)
+ [Logs sent to Amazon S3](AWS-logs-infrastructure-V2-S3.md)
  + [Amazon S3 bucket server-side encryption](AWS-logs-infrastructure-V2-S3.md#AWS-logs-SSE-KMS-S3-V2)
+ [Logs sent to Firehose](AWS-logs-infrastructure-V2-Firehose.md)
+ [Traces sent to X-Ray](AWS-logs-infrastructure-V2-XRayTraces.md)

# Logs sent to CloudWatch Logs
<a name="AWS-logs-infrastructure-V2-CloudWatchLogs"></a>

**User permissions**

To enable sending logs to CloudWatch Logs, you must be signed in with the following permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:delivery:*",
                "arn:aws:logs:us-east-1:444455556666:delivery-source:*",
                "arn:aws:logs:us-east-1:777788889999:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyCWL",
            "Effect": "Allow",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
            "arn:aws:logs:us-east-1:123456789012:*"
            ]
        }
    ]
}
```

------

**Log group resource policy**

The log group where the logs are being sent must have a resource policy that includes certain permissions. If the log group currently does not have a resource policy, and the user setting up the logging has the `logs:PutResourcePolicy`, `logs:DescribeResourcePolicies`, and `logs:DescribeLogGroups` permissions for the log group, then AWS automatically creates the following policy for it when you begin sending the logs to CloudWatch Logs. For newly created subscriptions, resource policies are configured at the log group level and have a maximum size of 51,200 bytes. If an existing account-level resource policy already grants the permissions through wildcards, no separate log group-level policy is created. To check the log group-level resource policy for a specific log group, use the `describe-resource-policies` command with the `--resource-arn` parameter set to the log group ARN and the `--policy-scope` parameter set to `RESOURCE`.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group:log-stream:*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```

------

The log group's resource policy limit is 51,200 bytes. Once this limit is reached, AWS cannot add new permissions, and you must manually modify the policy to grant the `delivery.logs.amazonaws.com` service principal permissions on the `logs:CreateLogStream` and `logs:PutLogEvents` actions. To avoid reaching the limit again, use a log group name prefix with wildcards, such as `/aws/vendedlogs/*`, in the policy, and name the log groups for future `Delivery` creation under that prefix.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite20150319",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "delivery.logs.amazonaws.com"
                ]
            },
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:my-log-group/aws/vendedlogs/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:*"
                    ]
                }
            }
        }
    ]
}
```

------
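To tell in advance whether a delivery into a given log group will be covered by an existing wildcard policy, auto-created, or blocked by the 51,200-byte limit, here is an added Python example (not AWS code). It reimplements the `ArnLike` wildcard match that IAM applies to `Resource` patterns, builds the statement shape shown above, and measures policy size on the compact JSON form. The account-level and log group-level policies it evaluates are constructed inputs; in practice you would feed it the documents returned by `describe-resource-policies` for the appropriate `--policy-scope`. Account IDs, regions and log group names are the page's placeholders or constructed.

```python
import json
import re

LOG_DELIVERY = "delivery.logs.amazonaws.com"
REQUIRED_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
POLICY_LIMIT_BYTES = 51_200  # log group resource policy limit stated on this page


def as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]


def arn_like(pattern, arn):
    """IAM ArnLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, arn) is not None


def covers_log_group(policy, log_group_arn):
    """True if an Allow statement for the delivery principal grants both required
    actions on a resource pattern that matches streams of this log group."""
    stream_arn = f"{log_group_arn}:log-stream:example"
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or LOG_DELIVERY not in services:
            continue
        if not REQUIRED_ACTIONS <= set(as_list(stmt.get("Action"))):
            continue
        if any(arn_like(p, stream_arn) for p in as_list(stmt.get("Resource"))):
            return True
    return False


def delivery_statement(resource_pattern, source_account, source_arn_pattern):
    """The statement shape this page shows AWS creating for the delivery principal."""
    return {"Sid": "AWSLogDeliveryWrite20150319", "Effect": "Allow",
            "Principal": {"Service": [LOG_DELIVERY]},
            "Action": sorted(REQUIRED_ACTIONS), "Resource": [resource_pattern],
            "Condition": {"StringEquals": {"aws:SourceAccount": [source_account]},
                          "ArnLike": {"aws:SourceArn": [source_arn_pattern]}}}


def policy_bytes(policy):
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def plan_delivery(account_policy, group_policy, log_group_arn, source_account, source_arn_pattern):
    """Return (status, statement_to_add_or_None) for a new delivery into log_group_arn."""
    if covers_log_group(account_policy, log_group_arn):
        return "covered-by-account-policy", None  # no log group level policy will be created
    if covers_log_group(group_policy, log_group_arn):
        return "covered-by-log-group-policy", None
    stmt = delivery_statement(f"{log_group_arn}:log-stream:*", source_account, source_arn_pattern)
    if policy_bytes(group_policy) + policy_bytes(stmt) > POLICY_LIMIT_BYTES:
        # AWS cannot append once the limit is hit; the page's remedy is one wildcard
        # statement over a /aws/vendedlogs/* prefix that future deliveries reuse.
        prefix = log_group_arn.rsplit(":log-group:", 1)[0] + ":log-group:/aws/vendedlogs/*"
        return "manual-policy-required", delivery_statement(prefix, source_account, source_arn_pattern)
    return "auto-create-log-group-policy", stmt


def filler_policy(count):
    """Constructed: a log group policy bloated with `count` unrelated per-group delivery statements."""
    return {"Version": "2012-10-17", "Statement": [
        delivery_statement(f"arn:aws:logs:us-east-1:111122223333:log-group:app-{i}:log-stream:*",
                           "0123456789", "arn:aws:logs:us-east-1:111122223333:*") for i in range(count)]}


if __name__ == "__main__":
    src = "arn:aws:logs:us-east-1:111122223333:*"
    empty = {"Version": "2012-10-17", "Statement": []}
    account_wide = {"Version": "2012-10-17", "Statement": [delivery_statement(
        "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/*", "0123456789", src)]}
    group = "arn:aws:logs:us-east-1:111122223333:log-group:/aws/vendedlogs/apigw-prod"
    print(plan_delivery(account_wide, empty, group, "0123456789", src)[0])
    other = "arn:aws:logs:us-east-1:111122223333:log-group:other-app"
    print(plan_delivery(empty, filler_policy(300), other, "0123456789", src)[0])
```

The `manual-policy-required` branch returns the wildcard statement to paste into the policy by hand, which is the remediation the paragraph above describes; the size check counts the compact JSON form, so a pretty-printed policy on disk will be larger than what is measured here.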

# Logs sent to Amazon S3
<a name="AWS-logs-infrastructure-V2-S3"></a>

**User permissions**

To enable sending logs to Amazon S3, you must be signed in with the following permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:delivery:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-source:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}
```

------

The S3 bucket where the logs are being sent must have a resource policy that includes certain permissions. If the bucket currently does not have a resource policy and the user setting up the logging has the `S3:GetBucketPolicy` and `S3:PutBucketPolicy` permissions for the bucket, then AWS automatically creates the following policy for it when you begin sending the logs to Amazon S3.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite20150319",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/account-ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": [
                        "0123456789"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:111122223333:delivery-source:*"
                    ]
                }
            }
        }
    ]
}
```

------

In the previous policy, for `aws:SourceAccount`, specify the list of account IDs whose logs are being delivered to this bucket. For `aws:SourceArn`, specify the list of ARNs of the resources that generate the logs, in the form `arn:aws:logs:source-region:source-account-id:*`.

If the bucket has a resource policy but that policy doesn't contain the statement shown in the previous policy, and the user setting up the logging has the `S3:GetBucketPolicy` and `S3:PutBucketPolicy` permissions for the bucket, that statement is appended to the bucket's resource policy.

**Note**  
In some cases, you may see `AccessDenied` errors in AWS CloudTrail if the `s3:ListBucket` permission has not been granted to `delivery.logs.amazonaws.com`. To avoid these errors in your CloudTrail logs, you must grant the `s3:ListBucket` permission to `delivery.logs.amazonaws.com` and you must include the `Condition` parameters shown with the `s3:GetBucketAcl` permission set in the preceding bucket policy. To make this simpler, instead of creating a new `Statement`, you can directly update the `AWSLogDeliveryAclCheck` statement to use `"Action": ["s3:GetBucketAcl", "s3:ListBucket"]`.

## Amazon S3 bucket server-side encryption
<a name="AWS-logs-SSE-KMS-S3-V2"></a>

You can protect the data in your Amazon S3 bucket by enabling either server-side encryption with Amazon S3-managed keys (SSE-S3) or server-side encryption with an AWS KMS key stored in AWS Key Management Service (SSE-KMS). For more information, see [ Protecting data using server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).

If you choose SSE-S3, no additional configuration is required. Amazon S3 handles the encryption key.

**Warning**  
If you choose SSE-KMS, you must use a customer managed key, because using an AWS managed key is not supported for this scenario. If you set up encryption using an AWS managed key, the logs will be delivered in an unreadable format.

When you use a customer managed AWS KMS key, you can specify the Amazon Resource Name (ARN) of the customer managed key when you enable bucket encryption. You must add the following to the key policy for your customer managed key (not to the bucket policy for your S3 bucket), so that the log delivery account can write to your S3 bucket.

```
{
    "Sid": "Allow Logs Delivery to use the key", 
    "Effect": "Allow", 
    "Principal": {
        "Service": [ "delivery.logs.amazonaws.com" ] 
    }, 
    "Action": [ 
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": ["0123456789"]
        },
        "ArnLike": {
            "aws:SourceArn": ["arn:aws:logs:us-east-1:0123456789:delivery-source:*"]
        }
    }
}
```

For `aws:SourceAccount`, specify the list of account IDs whose logs are being delivered to this bucket. For `aws:SourceArn`, specify the list of ARNs of the resources that generate the logs, in the form `arn:aws:logs:source-region:source-account-id:*`.

# Logs sent to Firehose
<a name="AWS-logs-infrastructure-V2-Firehose"></a>

**User permissions**

To enable sending logs to Firehose, you must be signed in with the following permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:delivery:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-source:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyFH",
            "Effect": "Allow",
            "Action": [
                "firehose:TagDeliveryStream"
            ],
            "Resource": [
            "arn:aws:firehose:us-east-1:111122223333:deliverystream/*"
            ]
        },
        {
            "Sid": "CreateServiceLinkedRole",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
        }
    ]
}
```

------

**IAM roles used for resource permissions**

Because Firehose does not use resource policies, AWS uses IAM roles when setting up these logs to be sent to Firehose. AWS creates a service-linked role named **AWSServiceRoleForLogDelivery**. This service-linked role includes the following permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "firehose:PutRecord",
                "firehose:PutRecordBatch",
                "firehose:ListTagsForDeliveryStream"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/LogDeliveryEnabled": "true"
                }
            },
            "Effect": "Allow"
        }
    ]
}
```

------

This service-linked role grants permission for all Firehose delivery streams that have the `LogDeliveryEnabled` tag set to `true`. AWS gives this tag to the destination delivery stream when you set up the logging. 

This service-linked role also has a trust policy that allows the `delivery.logs.amazonaws.com` service principal to assume the needed service-linked role. That trust policy is as follows:

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

# Traces sent to X-Ray
<a name="AWS-logs-infrastructure-V2-XRayTraces"></a>

**User permissions**

To enable sending traces to AWS X-Ray, you must be signed in with the following permissions.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadWriteAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:GetDelivery",
                "logs:GetDeliverySource",
                "logs:PutDeliveryDestination",
                "logs:GetDeliveryDestinationPolicy",
                "logs:DeleteDeliverySource",
                "logs:PutDeliveryDestinationPolicy",
                "logs:CreateDelivery",
                "logs:GetDeliveryDestination",
                "logs:PutDeliverySource",
                "logs:DeleteDeliveryDestination",
                "logs:DeleteDeliveryDestinationPolicy",
                "logs:DeleteDelivery",
                "logs:UpdateDeliveryConfiguration"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:delivery:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-source:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
            ]
        },
        {
            "Sid": "ListAccessForLogDeliveryActions",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeDeliveryDestinations",
                "logs:DescribeDeliverySources",
                "logs:DescribeDeliveries",
                "logs:DescribeConfigurationTemplates"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowUpdatesToResourcePolicyXRay",
            "Effect": "Allow",
            "Action": [
                "xray:PutResourcePolicy",
                "xray:ListResourcePolicies",
                "xray:GetTraceSegmentDestination"
            ],
            "Resource": "*"
        }
    ]
}
```

------

**X-Ray resource policy**

The destination account where the traces are being sent must have a resource policy that includes certain permissions. When the user setting up the tracing has `xray:PutResourcePolicy` and `xray:ListResourcePolicies` permissions in the account, AWS automatically creates the resource policy when you begin sending traces to X-Ray. The policy that is created depends on the source service:

**Amazon Bedrock AgentCore resources**  
AWS creates one resource policy per resource type. The policy uses wildcard patterns scoped to the account boundary, covering all resources of the same Amazon Bedrock AgentCore resource type in the account. For example, if an *Amazon Bedrock AgentCore Memory* resource is enabled for trace delivery, the policy covers all memory resources in that account, including any memory resources created in the future.  

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "xray:PutTraceSegments",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ForAllValues:ArnLike": {
          "logs:LogGeneratingResourceArns": "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/*"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:*"
        }
      }
    }
  ]
}
```

**Other AWS services**  
For other services that support trace delivery, AWS creates a resource policy scoped to the specific source resource.    
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AWSLogDeliveryWrite",
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "xray:PutTraceSegments",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ForAllValues:ArnLike": {
          "logs:LogGeneratingResourceArns": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/KnowledgeBaseId"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:xray-test"
        }
      }
    }
  ]
}
```

**Enable transaction search**

To enable sending traces to X-Ray, you must enable [transaction search](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Enable-Lambda-TransactionSearch.html).

# Service-specific permissions
<a name="AWS-logs-infrastructure-V2-service-specific"></a>

In addition to the destination-specific permissions listed in the previous sections, some services require, as an additional layer of security, explicit authorization that you are allowed to send logs from their resources. This is granted through the `AllowVendedLogDeliveryForResource` action for resources that vend logs within that service. For these services, use the following policy and replace *service* and *resource-type* with the appropriate values. For the service-specific values for these fields, see those services' documentation page for vended logs. In the following example, the policy has been updated to enable vended logs from Amazon SES.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ServiceLevelAccessForLogDelivery",
            "Effect": "Allow",
            "Action": [
                "ses:AllowVendedLogDeliveryForResource"
            ],
            "Resource": "arn:aws:ses:us-east-1:123456789012:resource-type/*"
        }
    ]
}
```

------

# Console-specific permissions
<a name="AWS-logs-infrastructure-V2-console"></a>

In addition to the permissions listed in the previous sections, if you set up log delivery using the console instead of the APIs, you also need the following permissions:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLogDeliveryActionsConsoleCWL",
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:log-group:*"
            ]
        },
        {
            "Sid": "AllowLogDeliveryActionsConsoleS3",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowLogDeliveryActionsConsoleFH",
            "Effect": "Allow",
            "Action": [
                "firehose:ListDeliveryStreams",
                "firehose:DescribeDeliveryStream"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------

# Cross-account delivery example
<a name="vended-logs-crossaccount-example"></a>

In this example, two accounts are involved. The account with the log-generating resource is Account A, ID: *123456789012*, and the account with the log-consuming resource is Account B, ID: *111122223333*.

Account A wants to deliver logs from the Amazon Bedrock knowledge base in their account with the ARN arn:aws:bedrock:*us-east-1*:*123456789012*:knowledge-base/*kb-12345678*.

For this example, account A needs the following permissions:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowVendedLogDeliveryForKnowledgeBase",
            "Effect": "Allow",
            "Action": [
                "bedrock:AllowVendedLogDeliveryForResource"
            ],
            "Resource": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/XXXXXXXXXX"
        },
        {
            "Sid": "CreateLogDeliveryPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:PutDeliverySource",
                "logs:CreateDelivery"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:delivery-source:*",
                "arn:aws:logs:us-east-1:123456789012:delivery:*",
                "arn:aws:logs:us-east-1:444455556666:delivery-destination:*"
            ]
        }
    ]
}
```

------

## Create delivery source
<a name="crossaccount-example-create-source"></a>

To begin, Account A creates a delivery source for their Bedrock knowledge base:

```
aws logs put-delivery-source --name my-delivery-source --log-type APPLICATION_LOGS --resource-arn arn:aws:bedrock:region:AAAAAAAAAAAA:knowledge-base/XXXXXXXXXX
```

Next, Account B must create the delivery destination using one of the following flows:
+ [Configure delivery to an Amazon S3 bucket](#crossaccount-example-delivery-S3)
+ [Configure delivery to a Firehose stream](#crossaccount-example-delivery-Firehose)

## Configure delivery to an Amazon S3 bucket
<a name="crossaccount-example-delivery-S3"></a>

Account B wants to receive the logs into their S3 bucket with the ARN `arn:aws:s3:::amzn-s3-demo-bucket`. For this example, Account B needs the following permissions:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PutLogDestinationPermissions",
            "Effect": "Allow",
            "Action": [
                "logs:PutDeliveryDestination",
                "logs:PutDeliveryDestinationPolicy"
            ],
            "Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
        }
    ]
}
```

------

The bucket will need the following permissions in its bucket policy:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogsDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": [
                    "123456789012"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                    "arn:aws:logs:us-east-1:123456789012:delivery-source:my-delivery-source"
                    ]
                }
            }
        }
    ]
}
```

------

If the bucket is encrypted with SSE-KMS, ensure the AWS KMS key policy has the appropriate permissions. For example, if the KMS key is `arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`, use the following:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowLogsGenerateDataKey",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                    "123456789012"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                    "arn:aws:logs:us-east-1:123456789012:delivery-source:my-delivery-source"
                    ]
                }
            }
        }
    ]
}
```

------

Account B can then create a delivery destination with the S3 bucket as the destination resource:

```
aws logs put-delivery-destination --name my-s3-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket"
```

Next, Account B creates a delivery destination policy on the newly created delivery destination, which grants Account A permission to create a log delivery. The policy added to the newly created delivery destination is the following:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": [
                "logs:CreateDelivery"
            ],
            "Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:my-s3-delivery-destination"
        }
    ]
}
```

------

This policy is saved on Account B's computer as `destination-policy-s3.json`. To attach it to the delivery destination, Account B runs the following command:

```
aws logs put-delivery-destination-policy --delivery-destination-name my-s3-delivery-destination --delivery-destination-policy file://destination-policy-s3.json
```

Lastly, Account A creates the delivery, which links the delivery source in Account A to the delivery destination in Account B.

```
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:region:BBBBBBBBBBBB:delivery-destination:my-s3-delivery-destination
```
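The S3 flow above spreads one set of names (Account A's delivery source, Account B's delivery destination, the bucket, the KMS key) across three separate resource policies, and a mismatch between them, such as a delivery destination policy whose `Resource` names a different destination than the one `create-delivery` references, fails only at the last step. The following Python script is an added example, not AWS code or part of this guide: it derives all three policies from one parameter set so they cannot drift, and lints a hand-written delivery destination policy against the destination ARN Account A will pass to `create-delivery`. The function names and the account and resource names it is called with are assumptions taken from the example above.

```python
# Added example (not AWS code): build Account B's resource policies for the
# cross-account S3 flow from one parameter set, then lint a hand-written
# delivery destination policy against the ARN Account A will reference.
SERVICE_PRINCIPAL = "delivery.logs.amazonaws.com"


def delivery_source_arn(region, account, name):
    return f"arn:aws:logs:{region}:{account}:delivery-source:{name}"


def delivery_destination_arn(region, account, name):
    return f"arn:aws:logs:{region}:{account}:delivery-destination:{name}"


def source_scoped_condition(region, account_a, source_name, extra=None):
    """aws:SourceAccount + aws:SourceArn pin a grant to the service principal
    to exactly one delivery source in Account A (confused-deputy protection)."""
    return {
        "StringEquals": {"aws:SourceAccount": [account_a], **(extra or {})},
        "ArnLike": {"aws:SourceArn": [delivery_source_arn(region, account_a, source_name)]},
    }


def build_s3_flow_policies(region, account_a, account_b, source_name,
                           destination_name, bucket, kms_key_arn=None):
    """Return the bucket policy, the optional KMS key policy and the delivery
    destination policy, all derived from the same names."""
    dest_arn = delivery_destination_arn(region, account_b, destination_name)
    bucket_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSLogsDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": ["s3:PutObject"],
            # Objects land under AWSLogs/<log-generating account>/, so the
            # resource prefix carries Account A's ID even though B owns the bucket.
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_a}/*",
            "Condition": source_scoped_condition(
                region, account_a, source_name,
                extra={"s3:x-amz-acl": "bucket-owner-full-control"}),
        }],
    }
    kms_policy = None
    if kms_key_arn:  # only needed when the bucket uses SSE-KMS
        kms_policy = {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AllowLogsGenerateDataKey",
                "Effect": "Allow",
                "Principal": {"Service": SERVICE_PRINCIPAL},
                "Action": ["kms:GenerateDataKey"],
                "Resource": kms_key_arn,
                "Condition": source_scoped_condition(region, account_a, source_name),
            }],
        }
    destination_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCreateDelivery",
            "Effect": "Allow",
            "Principal": {"AWS": account_a},
            "Action": ["logs:CreateDelivery"],
            "Resource": dest_arn,
        }],
    }
    return {"bucket": bucket_policy, "kms": kms_policy,
            "destination": destination_policy, "destination_arn": dest_arn}


def lint_destination_policy(policy, account_a, expected_destination_arn):
    """Findings for a delivery destination policy drafted by hand: the grant
    must name Account A and the exact destination ARN A will use."""
    findings = []
    accepted_principals = {account_a, f"arn:aws:iam::{account_a}:root"}
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {}).get("AWS")
        if principal not in accepted_principals:
            findings.append(f"{sid}: Principal {principal!r} is not Account A ({account_a})")
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "logs:CreateDelivery" not in actions:
            findings.append(f"{sid}: logs:CreateDelivery is not granted")
        if st.get("Resource") != expected_destination_arn:
            findings.append(f"{sid}: Resource {st.get('Resource')!r} is not the destination "
                            f"ARN Account A passes to create-delivery ({expected_destination_arn})")
    return findings
```

Write each generated policy to a file with `json.dump` and pass it as the `file://` argument to `put-delivery-destination-policy` (or to the bucket and KMS key policy commands); `destination_arn` is the value Account A supplies to `aws logs create-delivery --delivery-destination-arn`.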

## Configure delivery to a Firehose stream
<a name="crossaccount-example-delivery-Firehose"></a>

In this example, Account B wants to receive logs into their Firehose stream. The Firehose stream has the following ARN and is configured to use the DirectPut delivery stream type:

`arn:aws:firehose:us-east-1:111122223333:deliverystream/log-delivery-stream`

For this example, Account B needs the following permissions:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFirehoseCreateSLR",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "arn:aws:iam::111122223333:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
        },
        {
            "Sid": "AllowFirehoseTagging",
            "Effect": "Allow",
            "Action": [
                "firehose:TagDeliveryStream"
            ],
            "Resource": "arn:aws:firehose:us-east-1:111122223333:deliverystream/X"
        },
        {
            "Sid": "AllowFirehoseDeliveryDestination",
            "Effect": "Allow",
            "Action": [
                "logs:PutDeliveryDestination",
                "logs:PutDeliveryDestinationPolicy"
            ],
            "Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
        }
    ]
}
```

------

The Firehose stream must have the tag `LogDeliveryEnabled` set to `true`.

Account B will then create a delivery destination with the Firehose stream as the destination resource:

```
aws logs put-delivery-destination --name my-fh-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:firehose:region:BBBBBBBBBBBB:deliverystream/X"
```

Next, Account B creates a delivery destination policy on the newly created delivery destination, which grants Account A permission to create a log delivery. The policy added to the newly created delivery destination is the following:

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateDelivery",
            "Effect": "Allow",
            "Principal": {
                "AWS": "123456789012"
            },
            "Action": [
                "logs:CreateDelivery"
            ],
            "Resource": "arn:aws:logs:us-east-1:111122223333:delivery-destination:my-fh-delivery-destination"
        }
    ]
}
```

------

This policy is saved on Account B's computer as `destination-policy-fh.json`. To attach it to the delivery destination, Account B runs the following command:

```
aws logs put-delivery-destination-policy --delivery-destination-name my-fh-delivery-destination --delivery-destination-policy file://destination-policy-fh.json
```

Lastly, Account A creates the delivery, which links the delivery source in Account A to the delivery destination in Account B.

```
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:region:BBBBBBBBBBBB:delivery-destination:my-fh-delivery-destination
```

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. 

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn), [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount), [`aws:SourceOrgID`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceorgid), and [`aws:SourceOrgPaths`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceorgpaths) global condition context keys in resource policies to limit the permissions that CloudWatch Logs gives another service to the resource. Use `aws:SourceArn` to associate only one resource with cross-service access. Use `aws:SourceAccount` to let any resource in that account be associated with the cross-service use. Use `aws:SourceOrgID` to allow any resource from any account within an organization to be associated with the cross-service use. Use `aws:SourceOrgPaths` to associate any resource from accounts within an AWS Organizations path with the cross-service use. For more information about using and understanding paths, see [Understand the AWS Organizations entity path](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed-view-data-orgs.html#access_policies_last-accessed-viewing-orgs-entity-path).

The most effective way to protect against the confused deputy problem is to use the `aws:SourceArn` global condition context key with the full ARN of the resource. If you don't know the full ARN of the resource, or if you are specifying multiple resources, use the `aws:SourceArn` global condition context key with wildcard characters (`*`) for the unknown portions of the ARN, for example `arn:aws:servicename:*:123456789012:*`.

If the `aws:SourceArn` value does not contain the account ID, such as an Amazon S3 bucket ARN, you must use both `aws:SourceAccount` and `aws:SourceArn` to limit permissions.

To protect against the confused deputy problem at scale, use the `aws:SourceOrgID` or `aws:SourceOrgPaths` global condition context key with the organization ID or organization path of the resource in your resource-based policies. Policies that include the `aws:SourceOrgID` or `aws:SourceOrgPaths` key will automatically include the correct accounts and you don't have to manually update the policies when you add, remove, or move accounts in your organization.

The policies documented for granting access to CloudWatch Logs to write data to Kinesis Data Streams and Firehose in [Step 1: Create a destination](CreateDestination.md) and [Step 2: Create a destination](CreateFirehoseStreamDestination.md) show how you can use the `aws:SourceArn` global condition context key to help prevent the confused deputy problem. 
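To make the confused-deputy reasoning concrete for the policies in this guide, the following Python script is an added example (not AWS code or part of this guide). It reimplements just enough IAM condition evaluation (`StringEquals`, `ArnLike` with per-component wildcards, and the `ForAllValues` set operator used by the X-Ray trace policies) to evaluate the bucket policy from the S3 cross-account example against two constructed requests: the legitimate write from Account A's delivery source, and a request from the same `delivery.logs.amazonaws.com` service principal that originates from a third account's same-named delivery source. The third-party account ID, the object key and the request contexts are constructed values; the evaluator handles only the operators that appear on this page and omits explicit `Deny` handling.

```python
import fnmatch

# Bucket policy from the S3 cross-account example above (Account B's bucket,
# written to by Account A's delivery source), embedded for an offline check.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSLogsDeliveryWrite",
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/*",
        "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": ["123456789012"],
            },
            "ArnLike": {
                "aws:SourceArn": ["arn:aws:logs:us-east-1:123456789012:delivery-source:my-delivery-source"],
            },
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_like(pattern, arn):
    """IAM ArnLike: the six colon-delimited ARN components are compared one by
    one, case-sensitively, with * and ? wildcards allowed inside each component."""
    pat, val = pattern.split(":", 5), arn.split(":", 5)
    return len(pat) == 6 and len(val) == 6 and all(
        fnmatch.fnmatchcase(v, p) for p, v in zip(pat, val))


MATCHERS = {"StringEquals": lambda p, v: p == v, "ArnLike": arn_like}


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context (key -> str or
    list of str). Every operator/key pair must hold for the block to match."""
    for operator, keys in condition.items():
        set_op, _, base = operator.rpartition(":")
        match = MATCHERS[base]
        for key, policy_values in keys.items():
            policy_values = _as_list(policy_values)
            ctx_values = _as_list(context.get(key, []))
            if set_op == "ForAllValues":
                # Set operator: every request value must match some policy value.
                # Caveat: an absent key is an empty set and all() of it is True,
                # so ForAllValues on its own never denies a request that omits
                # the key; the trace policies pair it with aws:SourceAccount.
                ok = all(any(match(p, v) for p in policy_values) for v in ctx_values)
            else:
                # Single-valued operator: the key must be present, with exactly
                # one value that matches one of the policy values.
                ok = len(ctx_values) == 1 and any(match(p, ctx_values[0]) for p in policy_values)
            if not ok:
                return False
    return True


def is_allowed(policy, service_principal, action, resource, context):
    """True if any Allow statement grants the request. Explicit Deny handling is
    left out because the policies in this guide contain none."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if service_principal not in _as_list(st["Principal"].get("Service", [])):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(arn_like(r, resource) for r in _as_list(st["Resource"])):
            continue
        if condition_matches(st.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts: what delivery.logs.amazonaws.com presents when
# it writes an object on behalf of a delivery source.
OBJECT_ARN = "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/123456789012/2025/01/01/log.gz"
LEGIT_REQUEST = {
    "aws:SourceAccount": "123456789012",
    "aws:SourceArn": "arn:aws:logs:us-east-1:123456789012:delivery-source:my-delivery-source",
    "s3:x-amz-acl": "bucket-owner-full-control",
}
# Confused deputy: a third account (constructed ID) creates a same-named
# delivery source aimed at Account B's bucket. The service principal is the
# same, so only the aws:Source* conditions tell the two requests apart.
DEPUTY_REQUEST = dict(LEGIT_REQUEST, **{
    "aws:SourceAccount": "999999999999",
    "aws:SourceArn": "arn:aws:logs:us-east-1:999999999999:delivery-source:my-delivery-source",
})


def delivery_allowed(context, resource=OBJECT_ARN):
    return is_allowed(BUCKET_POLICY, "delivery.logs.amazonaws.com",
                      "s3:PutObject", resource, context)
```

`delivery_allowed(LEGIT_REQUEST)` is `True` and `delivery_allowed(DEPUTY_REQUEST)` is `False`; dropping the `aws:SourceAccount` condition and widening `aws:SourceArn` to `arn:aws:logs:*:*:delivery-source:*` would make the second request pass, which is the gap `aws:SourceAccount` closes whenever the source ARN is not pinned to a full account-qualified value. The `ForAllValues` branch also shows why the trace policies earlier on this page do not rely on `logs:LogGeneratingResourceArns` alone: with that key absent, the set operator evaluates to true.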