# Monitoring Amazon VPC Lattice
Use the features in this section to monitor your Amazon VPC Lattice service networks, services, target groups, and VPC connections.
**Topics**
+ [CloudWatch metrics for Amazon VPC Lattice](monitoring-cloudwatch.md)
+ [Access logs for Amazon VPC Lattice](monitoring-access-logs.md)
+ [CloudTrail logs for Amazon VPC Lattice](monitoring-cloudtrail.md)
# CloudWatch metrics for Amazon VPC Lattice
Amazon VPC Lattice sends data related to your target groups and services to Amazon CloudWatch, and processes it into readable, near real-time metrics. These metrics are kept for 15 months, so that you can access historical information and gain a better perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html).
Amazon VPC Lattice uses a service-linked role in your AWS account to send metrics to Amazon CloudWatch. For more information, see [Using service-linked roles for Amazon VPC Lattice](using-service-linked-roles.md).
**Topics**
+ [View Amazon CloudWatch metrics](#monitoring-cloudwatch-view)
+ [Target group metrics](#monitoring-cloudwatch-tg)
+ [Service metrics](#monitoring-cloudwatch-service)
## View Amazon CloudWatch metrics
You can view the Amazon CloudWatch metrics for your target groups and services using the CloudWatch console or AWS CLI.
**To view metrics using the CloudWatch console**
1. Open the Amazon CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).
1. In the navigation pane, choose **Metrics**.
1. Select the `AWS/VpcLattice` namespace.
1. (Optional) To view a metric across all dimensions, enter its name in the search field.
1. (Optional) To filter by dimension, select one of the following:
+ To display only the metrics reported for your target groups, choose **Target groups**. To view the metrics for a single target group, enter its name in the search field.
+ To display only the metrics reported for your services, choose **Services**. To view the metrics for a single service, enter its name in the search field.
**To view metrics using the AWS CLI**
Use the following [CloudWatch list-metrics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/list-metrics.html) AWS CLI command to list the available metrics:
`aws cloudwatch list-metrics --namespace AWS/VpcLattice`
For information about each of the metrics and their dimensions, see [Target group metrics](#monitoring-cloudwatch-tg) and [Service metrics](#monitoring-cloudwatch-service).
## Target group metrics
VPC Lattice automatically stores metrics related to target groups in the `AWS/VpcLattice` [Amazon CloudWatch namespace](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace). For more information about target groups, see [Target groups in VPC Lattice](target-groups.md).
**Dimensions**
To filter the metrics for target groups, use the following dimensions:
+ `AvailabilityZone`
+ `TargetGroup`
| Metric | Description | TargetGroup Protocol |
| --- | --- | --- |
| TotalConnectionCount | Total connections. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| ActiveConnectionCount | Active connections. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| ConnectionErrorCount | Total connection failures. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| HTTP1\$1ConnectionCount | Total HTTP/1.1 connections. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS |
| HTTP2\$1ConnectionCount | Total HTTP/2 connections. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS |
| ConnectionTimeoutCount | Total connection connect timeouts. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| TotalReceivedConnectionBytes | Total received connection bytes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| TotalSentConnectionBytes | Total sent connection bytes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| TotalRequestCount | Total requests. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS |
| ActiveRequestCount | Total active requests. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS |
| RequestTime | Request time to the last byte in milliseconds. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS |
| HTTPCode\$12XX\$1Count, HTTPCode\$13XX\$1Count, HTTPCode\$14XX\$1Count, HTTPCode\$15XX\$1Count | Aggregate HTTP response codes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS |
| TLSConnectionErrorCount | Total TLS connection errors not including failed certificate verifications. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
| TotalTLSConnectionHandshakeCount | Total successful TLS connection handshakes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) | HTTP, HTTPS, TCP |
## Service metrics
VPC Lattice automatically stores metrics related to services in the `AWS/VpcLattice` [Amazon CloudWatch namespace](https://docs.aws.amazon.com//AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Namespace). For more information about services, see [Services in VPC Lattice](services.md).
**Dimensions**
To filter the metrics for target groups, use the following dimensions:
+ `AvailabilityZone`
+ `Service`
| Metric | Description |
| --- | --- |
| RequestTimeoutCount | Total requests that timed out waiting for a response. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) |
| TotalRequestCount | Total requests. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) |
| RequestTime | Request time in milliseconds. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) |
| HTTPCode\$12XX\$1Count, HTTPCode\$13XX\$1Count, HTTPCode\$14XX\$1Count, HTTPCode\$15XX\$1Count | Aggregate HTTP response codes. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-cloudwatch.html) |
# Access logs for Amazon VPC Lattice
Access logs capture detailed information about your VPC Lattice services and resource configurations. You can use these access logs to analyze traffic patterns and audit all of the services in the network. For VPC Lattice services, we publish `VpcLatticeAccessLogs` and for resource configurations, we publish `VpcLatticeResourceAccessLogs` which needs to be configured separately.
Access logs are optional and are disabled by default. After you enable access logs, you can disable them at any time.
**Pricing**
Charges apply when access logs are published. Logs that AWS natively publishes on your behalf are called *vended logs*. For more information about pricing for vended logs, see [Amazon CloudWatch Pricing](https://aws.amazon.com/cloudwatch/pricing/), choose **Logs**, and view the pricing under **Vended Logs**.
**Topics**
+ [IAM permissions required to enable access logs](#monitoring-access-logs-IAM)
+ [Access log destinations](#monitoring-access-logs-destinations)
+ [Enable access logs](#monitoring-access-logs-enable)
+ [Request tracking](#x-amzn-RequestId-enable)
+ [Access log contents](#monitoring-access-logs-contents)
+ [Resource access log contents](#monitoring-resource-access-logs-contents)
+ [Troubleshoot access logs](#monitoring-access-logs-troubleshoot)
## IAM permissions required to enable access logs
To enable access logs and send the logs to their destinations, you must have the following actions in the policy attached to the IAM user, group, or role that you are using.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Sid": "ManageVPCLatticeAccessLogSetup",
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"vpc-lattice:CreateAccessLogSubscription",
"vpc-lattice:GetAccessLogSubscription",
"vpc-lattice:UpdateAccessLogSubscription",
"vpc-lattice:DeleteAccessLogSubscription",
"vpc-lattice:ListAccessLogSubscriptions"
],
"Resource": [
"*"
]
}
]
}
```
------
For more information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the *AWS Identity and Access Management User Guide*.
After you’ve updated the policy attached to the IAM user, group, or role that you are using, go to [Enable access logs](#monitoring-access-logs-enable).
## Access log destinations
You can send access logs to the following destinations.
**Amazon CloudWatch Logs**
+ VPC Lattice typically delivers logs to CloudWatch Logs within 2 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
+ A resource policy is created automatically and added to the CloudWatch log group if the log group does not have certain permissions. For more information, see [Logs sent to CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-CWL) in the *Amazon CloudWatch User Guide*.
+ You can find access logs that are sent to CloudWatch under Log Groups in the CloudWatch console. For more information, see [View log data sent to CloudWatch Logs](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#ViewingLogData) in the *Amazon CloudWatch User Guide*.
**Amazon S3**
+ VPC Lattice typically delivers logs to Amazon S3 within 6 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
+ A bucket policy will be created automatically and added to your Amazon S3 bucket if the bucket does not have certain permissions. For more information, see [Logs sent to Amazon S3 ](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-S3) in the *Amazon CloudWatch User Guide*.
+ Access logs that are sent to Amazon S3 use the following naming convention:
```
[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/AccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz
```
+ VpcLatticeResourceAccessLogs that are sent to Amazon S3 use the following naming convention:
```
[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/ResourceAccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeResourceAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz
```
**Amazon Data Firehose**
+ VPC Lattice typically delivers logs to Firehose within 2 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
+ A service-linked role is automatically created that grants VPC Lattice permission to send access logs to Amazon Data Firehose. For automatic role creation to succeed, users must have permission for the `iam:CreateServiceLinkedRole` action. For more information, see [Logs sent to Amazon Data Firehose](https://docs.aws.amazon.com//AmazonCloudWatch/latest/logs/AWS-logs-and-resource-policy.html#AWS-logs-infrastructure-Firehose) in the *Amazon CloudWatch User Guide*.
+ For more information about viewing the logs sent to Amazon Data Firehose, see [Monitoring Amazon Kinesis Data Streams](https://docs.aws.amazon.com//streams/latest/dev/monitoring.html) in the *Amazon Data Firehose Developer Guide*.
## Enable access logs
Complete the following procedure to configure access logs to capture and deliver access logs to the destination that you choose.
**Topics**
+ [Enable access logs using the console](#monitoring-access-logs-console)
+ [Enable access logs using the AWS CLI](#monitoring-access-logs-cli)
### Enable access logs using the console
You can enable access logs for a service network, a service, or a resource configuration during creation. You can also enable access logs after you create a service network, service, or resource configuration as described in the following procedure.
**To create a basic service using the console**
1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).
1. Select the service network, service, or resource configuration.
1. Choose **Actions**, **Edit log settings**.
1. Turn on the **Access logs** toggle switch.
1. Add a delivery destination for your access logs as follows:
+ Select **CloudWatch Log group** and choose a log group. To create a log group, choose **Create a log group in CloudWatch**.
+ Select **S3 bucket** and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose **Browse S3**.
+ Select **Kinesis Data Firehose delivery stream** and choose a delivery stream. To create a delivery stream, choose **Create a delivery stream in Kinesis**.
1. Choose **Save changes**.
### Enable access logs using the AWS CLI
Use the CLI command [create-access-log-subscription](https://docs.aws.amazon.com/cli/latest/reference/vpc-lattice/create-access-log-subscription.html) to enable access logs for service networks or services.
## Request tracking
VPC Lattice supports request tracking and correlation across clients, targets, and logs for observability and debugging with the x-amzn-requestid header. This header can be set and sent by the client or generated by VPC Lattice and is sent to targets and also available in access logs.
**Default behavior**
+ VPC Lattice automatically generates this header for every request.
+ The value is a randomly generated identifier (UUID-style by default).
+ The generated identifier is:
+ Propagated to downstream targets.
+ Returned in response headers to clients.
+ Logged in access logs
**Example (default response)**
The following is an example of a response sent to client with the default behavior of VPC Lattice generating a random value for the valu eof x-amzn-requestid header.
```
{
"HTTP/1.1 200 OK
x-amzn-requestid: a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"
}
```
**Client setting the value**
+ Clients can optionally set this header on incoming requests to override the automatically generated value.
+ Considerations
+ The header value does not need to follow a UUID format.
+ If the header value exceeds 512 bytes, VPC Lattice will truncate it to 512.
+ When overridden successfully, the provided header value will:
+ Appear in response headers
+ Be propagated to targets
+ Appear in access logs and metrics
**Example (override client reqeust)**
The following is an example of a reqeust sent by the client with a header value.
```
{
"GET /my-service/endpoint HTTP/1.1
Host: my-api.example.com
x-amzn-requestid: trace-request-foobar"
}
```
**Example (default override response)**
The following is an example of a response sent to client with the overridden value.
```
{
"HTTP/1.1 200 OK
x-amzn-requestid: trace-request-foobar"
}
```
## Access log contents
The following table describes the fields of an access log entry.
| Field | Description | Format |
| --- | --- | --- |
| callerPrincipalTags | The PrincipalTags in the request. | JSON |
| hostHeader | The authority header of the request. | string |
| sslCipher | The OpenSSL name for the set of ciphers used to establish the client TLS connection. | string |
| serviceNetworkArn | The service network ARN. | arn:aws:vpc-lattice:*region*:*account*:servicenetwork/*id* |
| resolvedUser | The ARN of the user when authentication is enabled and authentication is done. | null \$1 ARN \$1 "Anonymous" \$1 "Unknown" |
| authDeniedReason | The reason that access is denied when authentication is enabled. | null \$1 "Service" \$1 "Network" \$1 "Identity" |
| requestMethod | The method header of the request. | string |
| targetGroupArn | The target host group to which the target host belongs. | string |
| tlsVersion | The TLS version. | TLSv*x* |
| userAgent | The user-agent header. | string |
| serverNameIndication | [HTTPS only] The value set on ssl connection socket for Server Name Indication (SNI). | string |
| destinationVpcId | The destination VPC ID. | vpc-*xxxxxxxx* |
| sourceIpPort | The IP address and :port of the source. | *ip*:*port* |
| targetIpPort | The IP address and port of the target. | *ip*:*port* |
| serviceArn | The service ARN. | arn:aws:vpc-lattice:*region*:*account*:service/*id* |
| sourceVpcId | The source VPC ID. | vpc-*xxxxxxxx* |
| requestPath | The path of the request. | LatticePath?:*path* |
| startTime | The request start time. | *YYYY*-*MM*-*DD*T*HH*:*MM*:*SS*Z |
| protocol | The protocol. Currently either HTTP/1.1 or HTTP/2. | string |
| responseCode | The HTTP response code. Only the response code for the final headers are logged. For more information, see [Troubleshoot access logs](#monitoring-access-logs-troubleshoot). | integer |
| bytesReceived | The body and header bytes received. | integer |
| bytesSent | The body and header bytes sent. | integer |
| duration | Total duration in milliseconds of the request from the start time to the last byte out. | integer |
| requestToTargetDuration | Total duration in milliseconds of the request from the start time to the last byte sent to the target. | integer |
| responseFromTargetDuration | Total duration in milliseconds of the request from the first byte read from the target host to the last byte sent to the client. | integer |
| grpcResponseCode | The gRPC response code. For more information, see [Status codes and their use in gRPC](https://grpc.github.io/grpc/core/md_doc_statuscodes.html). This field is logged only if the service supports gRPC. | integer |
| requestId | This a unique identifier automatically included in responses as the value of the x-amzn-requestid header. It enables request correlation across clients, targets, and logs for observability and debugging. | string |
| callerPrincipal | The authenticated principal. | string |
| callerX509SubjectCN | The subject name (CN). | string |
| callerX509IssuerOU | The issuer (OU). | string |
| callerX509SANNameCN | The issuer alternative (Name/CN). | string |
| callerX509SANDNS | The subject alternative name (DNS). | string |
| callerX509SANURI | The subject alternative name (URI). | string |
| sourceVpcArn | The ARN of the VPC where the request originated. | arn:aws:ec2:*region*:*account*:vpc/*id* |
| failureReason | Indicates the reason a request failed. The possible values are the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html) | string |
**Example**
The following is an example log entry.
```
{
"callerPrincipalTags" : "{ "TagA": "ValA", "TagB": "ValB", ... }",
"hostHeader": "example.com",
"sslCipher": "-",
"serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:123456789012:servicenetwork/svn-1a2b3c4d",
"resolvedUser": "Unknown",
"authDeniedReason": "null",
"requestMethod": "GET",
"targetGroupArn": "arn:aws:vpc-lattice:us-west-2:123456789012:targetgroup/tg-1a2b3c4d",
"tlsVersion": "-",
"userAgent": "-",
"serverNameIndication": "-",
"destinationVpcId": "vpc-0abcdef1234567890",
"sourceIpPort": "178.0.181.150:80",
"targetIpPort": "131.31.44.176:80",
"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
"sourceVpcId": "vpc-0abcdef1234567890",
"requestPath": "/billing",
"startTime": "2023-07-28T20:48:45Z",
"protocol": "HTTP/1.1",
"responseCode": 200,
"bytesReceived": 42,
"bytesSent": 42,
"duration": 375,
"requestToTargetDuration": 1,
"responseFromTargetDuration": 1,
"grpcResponseCode": 1,
"requestId": "a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"
}
```
## Resource access log contents
The following table describes the fields of a resource access log entry.
| Field | Description | Format |
| --- | --- | --- |
| serviceNetworkArn | The service network ARN. | arn:*partition*vpc-lattice:*region*:*account*:servicenetwork/*id* |
| serviceNetworkResourceAssociationId | The service network resource ID. | *snra*-*xxx* |
| vpcEndpointId | The endpoint ID that was used to access the resource. | string |
| sourceVpcArn | The source VPC ARN or the VPC from where connection was initiated. | string |
| resourceConfigurationArn | The ARN of the resource configuration that was accessed. | string |
| protocol | The protocol used to communicate to the resource configuration. Currently only tcp is supported. | string |
| sourceIpPort | The IP address and port of the source which initiated the connection. | *ip*:*port* |
| destinationIpPort | The IP address and port against which the connection was initiated. This will be the IP of SN-E/SN-A. | *ip*:*port* |
| gatewayIpPort | The IP address and port used by the resource gateway to access the resource. | *ip*:*port* |
| resourceIpPort | The IP address and port of the resource. | *ip*:*port* |
**Example**
The following is an example log entry.
```
{
"eventTimestamp": "2024-12-02T10:10:10.123Z",
"serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:1234567890:servicenetwork/sn-1a2b3c4d",
"serviceNetworkResourceAssociationId": "snra-1a2b3c4d",
"vpcEndpointId": "vpce-01a2b3c4d",
"sourceVpcArn": "arn:aws:ec2:us-west-2:1234567890:vpc/vpc-01a2b3c4d",
"resourceConfigurationArn": "arn:aws:vpc-lattice:us-west-2:0987654321:resourceconfiguration/rcfg-01a2b3c4d",
"protocol": "tcp",
"sourceIpPort": "172.31.23.56:44076",
"destinationIpPort": "172.31.31.226:80",
"gatewayIpPort": "10.0.28.57:49288",
"resourceIpPort": "10.0.18.190:80"
}
```
## Troubleshoot access logs
This section contains an explanation of the HTTP error codes that you may see in access logs.
| Error code | Possible causes |
| --- | --- |
| HTTP 400: Bad Request | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc-lattice/latest/ug/monitoring-access-logs.html) |
| HTTP 403: Forbidden | Authentication has been configured for the service, but the incoming request is not authenticated or authorized. |
| HTTP 404: Non Existent Service | You're trying to connect to a service that does not exist or is not registered to the right service network. |
| HTTP 500: Internal Server Error | VPC Lattice has encountered an error, such as failure to connect to targets. |
| HTTP 502: Bad Gateway | VPC Lattice has encountered an error. |
# CloudTrail logs for Amazon VPC Lattice
Amazon VPC Lattice is integrated with [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html), a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures all API calls for VPC Lattice as events. The calls captured include calls from the VPC Lattice console and code calls to the VPC Lattice API operations. Using the information collected by CloudTrail, you can determine the request that was made to VPC Lattice, the IP address from which the request was made, when it was made, and additional details.
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root user or user credentials.
+ Whether the request was made on behalf of an IAM Identity Center user.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.
CloudTrail is active in your AWS account when you create the account and you automatically have access to the CloudTrail **Event history**. The CloudTrail **Event history** provides a viewable, searchable, downloadable, and immutable record of the past 90 days of recorded management events in an AWS Region. For more information, see [Working with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *AWS CloudTrail User Guide*. There are no CloudTrail charges for viewing the **Event history**.
For an ongoing record of events in your AWS account past 90 days, create a trail or a [CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) event data store.
**CloudTrail trails**
A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. All trails created using the AWS Management Console are multi-Region. You can create a single-Region or a multi-Region trail by using the AWS CLI. Creating a multi-Region trail is recommended because you capture activity in all AWS Regions in your account. If you create a single-Region trail, you can view only the events logged in the trail's AWS Region. For more information about trails, see [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html) and [Creating a trail for an organization](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-trail-organization.html) in the *AWS CloudTrail User Guide*.
You can deliver one copy of your ongoing management events to your Amazon S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/). For information about Amazon S3 pricing, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).
**CloudTrail Lake event data stores**
*CloudTrail Lake* lets you run SQL-based queries on your events. CloudTrail Lake converts existing events in row-based JSON format to [ Apache ORC](https://orc.apache.org/) format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into *event data stores*, which are immutable collections of events based on criteria that you select by applying [advanced event selectors](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-concepts.html#adv-event-selectors). The selectors that you apply to an event data store control which events persist and are available for you to query. For more information about CloudTrail Lake, see [Working with AWS CloudTrail Lake](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake.html) in the *AWS CloudTrail User Guide*.
CloudTrail Lake event data stores and queries incur costs. When you create an event data store, you choose the [pricing option](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-lake-manage-costs.html#cloudtrail-lake-manage-costs-pricing-option) you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For more information about CloudTrail pricing, see [AWS CloudTrail Pricing](https://aws.amazon.com/cloudtrail/pricing/).
To monitor additional actions, use access logs. For more information, see [Access logs](monitoring-access-logs.md).
## VPC Lattice management events in CloudTrail
[Management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html#logging-management-events) provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. By default, CloudTrail logs management events.
Amazon VPC Lattice logs VPC Lattice control plane operations as management events. For a list of the Amazon VPC Lattice control plane operations that VPC Lattice logs to CloudTrail, see the [Amazon VPC Lattice API Reference](https://docs.aws.amazon.com/vpc-lattice/latest/APIReference/).
## VPC Lattice event examples
An event represents a single request from any source and includes information about the requested API operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.
The following example shows a CloudTrail event for the [CreateService](https://docs.aws.amazon.com/vpc-lattice/latest/APIReference/API_CreateService.html) operation.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "abcdef01234567890",
"arn": "arn:abcdef01234567890",
"accountId": "abcdef01234567890",
"accessKeyId": "abcdef01234567890",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "abcdef01234567890",
"arn": "arn:abcdef01234567890",
"accountId": "abcdef01234567890",
"userName": "abcdef01234567890"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-08-16T03:34:54Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-08-16T03:36:12Z",
"eventSource": "vpc-lattice.amazonaws.com",
"eventName": "CreateService",
"awsRegion": "us-west-2",
"sourceIPAddress": "abcdef01234567890",
"userAgent": "abcdef01234567890",
"requestParameters": {
"name": "rates-service"
},
"responseElements": {
"name": "rates-service",
"id": "abcdef01234567890",
"arn": "arn:abcdef01234567890",
"status": "CREATE_IN_PROGRESS"
},
"requestID": "abcdef01234567890",
"eventID": "abcdef01234567890",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "abcdef01234567890",
"eventCategory": "Management"
}
```
The following example shows a CloudTrail event for the [DeleteService](https://docs.aws.amazon.com/vpc-lattice/latest/APIReference/API_DeleteService.html) operation.
```
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "abcdef01234567890",
"arn": "arn:ABCXYZ123456",
"accountId": "abcdef01234567890",
"accessKeyId": "abcdef01234567890",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "abcdef01234567890",
"arn": "arn:aws:iam::AIDACKCEVSQ6C2EXAMPLE:role/Admin",
"accountId": "abcdef01234567890",
"userName": "Admin"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-10-27T17:42:36Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2022-10-27T17:56:41Z",
"eventSource": "vpc-lattice.amazonaws.com",
"eventName": "DeleteService",
"awsRegion": "us-east-1",
"sourceIPAddress": "72.21.198.64",
"userAgent": "abcdef01234567890",
"requestParameters": {
"serviceIdentifier": "abcdef01234567890"
},
"responseElements": {
"name": "test",
"id": "abcdef01234567890",
"arn": "arn:abcdef01234567890",
"status": "DELETE_IN_PROGRESS"
},
"requestID": "abcdef01234567890",
"eventID": "abcdef01234567890",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "abcdef01234567890",
"eventCategory": "Management"
}
```
For information about CloudTrail record contents, see [CloudTrail record contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html) in the *AWS CloudTrail User Guide*.