# Permissions for monitoring Amazon Q Business with Amazon CloudWatch Logs
<a name="cw-logs-permissions"></a>

To set up Amazon CloudWatch Logs for Amazon Q Business, use the following IAM policy to grant the necessary permissions.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "CloudWatchLogsDeliveryPermissions",
            "Effect": "Allow",
            "Action": "logs:CreateDelivery",
            "Resource": [
                "arn:aws:logs:us-east-1:111122223333:delivery-source:*",
                "arn:aws:logs:us-east-1:111122223333:delivery:*",
                "arn:aws:logs:us-east-1:111122223333:delivery-destination:*"
            ]
        },
        {
            "Sid": "QBusinessLogDeliveryPermissions",
            "Effect": "Allow",
            "Action": "qbusiness:AllowVendedLogDeliveryForResource",
            "Resource": [
                "arn:aws:qbusiness:us-east-1:111122223333:application/application-id"
            ]
        }
    ]
}
```

------

For example IAM policies with all the required permissions for your specific logging destination, see [Enable logging from AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html) in the *Amazon CloudWatch Logs User Guide*.