# Additional permissions for log delivery
If you configure log delivery on the Replicator, append the appropriate statements below to the base policy. You only need the snippets for the destinations you enable.
**Amazon CloudWatch Logs destination**
Append the following statement when `cloudWatchLogs.enabled` is `true` in the `logDelivery` configuration.
```
{
"Sid": "CloudWatchLogsLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups",
"logs:ListLogDeliveries"
],
"Resource": [
"*"
]
}
```
**Amazon S3 destination**
Append the following statements when `s3.enabled` is `true`. Replace `` with your destination bucket name.
```
[
{
"Sid": "S3LogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:ListLogDeliveries"
],
"Resource": [
"*"
]
},
{
"Sid": "S3BucketLogDeliveryActions",
"Effect": "Allow",
"Action": [
"s3:GetBucketPolicy",
"s3:PutBucketPolicy"
],
"Resource": "arn:aws:s3:::"
}
]
```
**Firehose destination**
Append the following statements when `firehose.enabled` is `true`. Replace `` with your AWS account ID.
```
[
{
"Sid": "FirehoseLogDeliveryActions",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:ListLogDeliveries",
"firehose:TagDeliveryStream"
],
"Resource": [
"*"
]
},
{
"Sid": "FirehoseLogDeliveryServiceLinkedRole",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam:::role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
}
]
```
For more information about vended-logs permissions, see [Enabling logging from AWS services](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-vended-logs-permissions.html).