Each AWS service logs to either CloudWatch Logs or a specific location in an Amazon S3 bucket.
Note: Unless specifically stated, all log locations are local to the account that generated the logs, and are not aggregated into the central Logging account.
To find the default AMS CloudTrail trail names in SALZ and MALZ accounts, open the AWS Console for CloudTrail, go to the Trails page, and search for AMS. AMS resources are tagged, so the trails can be identified by their tags. Example AMS CloudTrail tag: key `Environment`, value `AMSInfrastructure`.
To access your logs, ensure that you have one of the required IAM roles and are in your AMS account. Then navigate to the directory shown.
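The trail lookup described above can also be done from the API. This is an added example, not part of the AMS documentation: it filters the response shapes of boto3's CloudTrail `describe_trails()` and `list_tags()` calls by the tag the page gives, using constructed sample responses (trail names, ARNs, account id and bucket names are made up) so it runs offline.

```python
"""Find an account's AMS-managed CloudTrail trails by tag and report where each delivers logs.

Added example, not from the AMS documentation. It filters the response shapes of boto3's
cloudtrail.describe_trails() and cloudtrail.list_tags(); the inputs below are constructed
samples so it runs offline. Only the tag Environment=AMSInfrastructure comes from the page.
"""
AMS_TAG = ("Environment", "AMSInfrastructure")

# Constructed sample of describe_trails()["trailList"]: one AMS trail, one customer trail.
SAMPLE_TRAILS = [
    {"Name": "ams-example-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/ams-example-trail",
     "S3BucketName": "example-landing-zone-logs",
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:/CloudTrail/Landing-Zone-Logs:*"},
    {"Name": "customer-trail",
     "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/customer-trail",
     "S3BucketName": "customer-audit-bucket"},
]

# Constructed sample of list_tags(ResourceIdList=[...])["ResourceTagList"].
SAMPLE_TAGS = [
    {"ResourceId": SAMPLE_TRAILS[0]["TrailARN"],
     "TagsList": [{"Key": "Environment", "Value": "AMSInfrastructure"}]},
    {"ResourceId": SAMPLE_TRAILS[1]["TrailARN"],
     "TagsList": [{"Key": "Environment", "Value": "Prod"}]},
]


def find_ams_trails(trail_list, resource_tag_list):
    """Return AMS-tagged trails with their CloudWatch log group ARN and S3 bucket."""
    key, value = AMS_TAG
    ams_arns = {
        entry["ResourceId"]
        for entry in resource_tag_list
        if any(t.get("Key") == key and t.get("Value") == value for t in entry.get("TagsList", []))
    }
    return [
        {"Name": t["Name"],
         "S3BucketName": t.get("S3BucketName"),
         # Key is absent when the trail does not deliver to CloudWatch Logs.
         "CloudWatchLogsLogGroupArn": t.get("CloudWatchLogsLogGroupArn")}
        for t in trail_list if t["TrailARN"] in ams_arns
    ]


if __name__ == "__main__":
    # Against a real account: c = boto3.client("cloudtrail"); trails = c.describe_trails()["trailList"];
    # tags = c.list_tags(ResourceIdList=[t["TrailARN"] for t in trails])["ResourceTagList"]
    for trail in find_ams_trails(SAMPLE_TRAILS, SAMPLE_TAGS):
        print(trail)
```

The returned log group ARN and bucket name are the locations the table below lists for CloudTrail-backed services, so a missing CloudWatch entry on an AMS-tagged trail is worth a follow-up.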
| | Service name | Log details | Log location |
|---|---|---|---|
| 1 | Amazon Aurora | General, slow query, and error logs. | CloudWatch LogGroup: /aws/rds/cluster/{ |
| 2 | AWS CloudFormation (CFN) | API call logging only. | AWS CloudFormation API calls are documented via CloudTrail, which sends its logs to the CloudWatch LogGroup and then syncs the logs into an S3 bucket. Logs are retained for 14 days by default in the CloudWatch LogGroup, and are retained indefinitely in the S3 bucket. CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-ams-a{ Path: /AWSLogs/{ |
| 3 | Amazon CloudFront (CloudFront) | User request logging. CloudFront logging must be explicitly enabled. For information, see Enabling logging for supported services. | S3 bucket: ams-a{ Path: AWS/RedShift/{ |
| 4 | Amazon CloudWatch (CloudWatch) | API call logging only. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 5 | Amazon Elastic Block Store (Amazon EBS) | No logs are produced by the EBS service. | Not applicable |
| 6 | Amazon Elastic Compute Cloud (Amazon EC2) | System and application logs. For information, see the Amazon Elastic Compute Cloud (Amazon EC2) - system level logs. | CloudWatch Logs: /{ |
| 7 | Amazon Elastic File System (Amazon EFS) | API call logging only. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 8 | Elastic Load Balancing (ELB) | Access and error log entries. Elastic load balancers log all requests sent to them, including requests that aren't routed to back-end instances. For example, if a client sends a malformed request, or there are no healthy instances to respond, the request is still logged. For more information about Elastic Load Balancing log entries, see | API call logs: CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ Access logs: S3 bucket: mc-a{ Path: aws/elbaccess |
| 9 | Amazon OpenSearch Service (OpenSearch Service) | Service error logs. You must explicitly enable OpenSearch logging. For information, see Enabling logging for supported services. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 10 | Amazon ElastiCache | API call logging only. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 11 | Amazon GuardDuty | | |
| 12 | Amazon Inspector | | |
| 13 | Amazon Macie | | |
| 14 | Amazon Redshift | Connection, user, and activity logs. Logging is enabled by default when you create your Redshift cluster by invoking the Create Redshift cluster CT (ct-1malj7snzxrkr). For information, see Database Audit Logging. | S3 bucket: ams-a{ Path: /AWS/RedShift/{ |
| 15 | Amazon Relational Database Service (RDS) | Logs specific to database type. You must explicitly enable RDS logging. For information, see Enabling logging for supported services. You can only access MSSQL logs through a stored procedure; for information, see Archiving Log Files. | CloudWatch LogGroup: /aws/rds/( |
| 16 | Amazon S3 (S3) | Bucket access logs. Each access log record provides details about a single access request such as the requester, bucket name, request time, request action, response status, and error code (if any). Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill. For more information about S3 Access Log entries, see S3 Server Access Log Format. | S3 bucket: mc-a{ Path: /aws/s3access/{ S3 bucket [in the central Logging Account]: aws-landing-zone-s3-access-logs-{ Path: / |
| 17 | Amazon Simple Email Service (SES) | SES API service calls. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 18 | Amazon Virtual Private Cloud (VPC) | VPC flow data (information about the IP traffic going to and from your VPC's network interfaces). | CloudWatch LogGroup: /aws/vpcflow/{ |
| 19 | Auto Scaling | API call logging only. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 20 | AWS Certificate Manager | | |
| 21 | AWS CodeDeploy | Instance-specific deployment logs. | On Instance |
| 22 | AWS Config | AWS Config API service calls. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| | | Resource configuration changes, as tracked by AWS Config. | S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 23 | AWS Database Migration Service | Database migration logs. For information, see Introducing log management in AWS Database Migration Service. | Database migration console |
| 24 | AWS Direct Connect (DX) | API call logging only. | CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs; S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{ Path: /AWSLogs/{ |
| 25 | AWS Glacier | | |
| 26 | AWS IAM (IAM) | | |
| 27 | AWS Key Management Service | | |
| 28 | AWS Management Console (console or AWS Console) | | |
| 29 | AWS Simple Notification Service (SNS) | | |
| 30 | AWS Simple Queueing Service (SQS) | | |