AMS aggregated service logs - AMS Advanced User Guide

AMS aggregated service logs

Each AWS service logs to either CloudWatch Logs or a specific location in an Amazon S3 bucket.

Note

Unless specifically stated, all log locations are local to the account that generated the logs, and are not aggregated into the central Logging account.

To find the default AMS CloudTrail trail names in SALZ and MALZ accounts, open the CloudTrail console, go to the Trails page, and search for AMS. AMS resources carry tags, so the trails can be located this way. Example AMS CloudTrail tag:

Tag key: Environment, tag value: AMSInfrastructure

To access your logs, ensure that you have one of the required IAM roles and are working in your AMS account. Then navigate to the log location shown for the service in the tables below.

Multi-Account Landing Zone

AMS multi-account landing zone aggregated service logs. Each numbered entry gives the service name, the log details, and the log location.

1

Amazon Aurora

General, slow query, and error logs.

CloudWatch LogGroup: /aws/rds/cluster/{database_name}/{log_name}

2

AWS CloudFormation (CFN)

API call logging only.

AWS CloudFormation API calls are recorded by CloudTrail, which delivers its logs to the CloudWatch LogGroup and then syncs them into an S3 bucket. Logs are retained for 14 days by default in the CloudWatch LogGroup and indefinitely in the S3 bucket.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-ams-a{account_ID}-log-management-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

3

Amazon CloudFront (CloudFront)

User request logging. CloudFront logging must be explicitly enabled. For information, see Enabling logging for supported services.

S3 bucket: ams-a{account_ID}-log-management-{region}

Path: AWS/RedShift/{CloudFront distribution ID}

4

Amazon CloudWatch (CloudWatch)

API call logging only.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

5

Amazon Elastic Block Store (Amazon EBS)

No logs are produced by the EBS service.

Not applicable

6

Amazon Elastic Compute Cloud (Amazon EC2)

System and application logs.

For information, see the Amazon Elastic Compute Cloud (Amazon EC2) - system level logs.

CloudWatch Logs: /{instance ID}

7

Amazon Elastic File System (Amazon EFS)

API call logging only.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

8

Elastic Load Balancing (ELB)

Access and error log entries.

Elastic load balancers log all requests sent to them, including requests that aren't routed to back-end instances. For example, if a client sends a malformed request, or there are no healthy instances to respond, the request is still logged.

For more information about Elastic Load Balancing log entries, see

API call logs:

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

Access logs:

S3 bucket: mc-a{account_ID}-logs{region}

Path: aws/elbaccess

9

Amazon OpenSearch Service (OpenSearch Service)

Service error logs.

You must explicitly enable OpenSearch logging. For information, see Enabling logging for supported services.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

10

Amazon ElastiCache

API call logging only.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

11

Amazon GuardDuty

12

Amazon Inspector

13

Amazon Macie

14

Amazon Redshift

Connection, user, and activity logs.

Logging is enabled by default when you create your Redshift cluster by invoking the Create Redshift cluster CT (ct-1malj7snzxrkr).

For information, see Database Audit Logging.

S3 bucket: ams-a{account_ID}-log-management-{region}

Path: /AWS/RedShift/{CloudFront Distribution ID}

15

Amazon Relational Database Service (RDS)

Logs specific to database type.

You must explicitly enable RDS logging. For information, see Enabling logging for supported services.

You can only access MSSQL logs through a stored procedure; for information, see Archiving Log Files.

CloudWatch LogGroup:

/aws/rds/(instance or cluster)/{database_name}/{log_name}

16

Amazon S3 (S3)

Bucket access logs. Each access log record provides details about a single access request such as the requester, bucket name, request time, request action, response status, and error code (if any). Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

For more information about S3 Access Log entries, see S3 Server Access Log Format.

S3 bucket: mc-a{account_ID}-log-management-{region}

Path: /aws/s3access/{bucket_name}

S3 bucket [in the central Logging Account]: aws-landing-zone-s3-access-logs-{account_ID}-{region}

Path: /

17

Amazon Simple Email Service (SES)

SES API service calls.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

18

Amazon Virtual Private Cloud (VPC)

VPC flow data (information about the IP traffic going to and from your VPC's network interfaces).

CloudWatch LogGroup:

/aws/vpcflow/{VPC_ID}

19

Auto Scaling

API call logging only.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

20

AWS Certificate Manager

21

AWS CodeDeploy

Instance-specific deployment logs.

On the instance

22

AWS Config

AWS Config API service calls.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

Resource configuration changes, as tracked by AWS Config.

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/Config/

23

AWS Database Migration Service

Database migration logs.

For information, see Introducing log management in AWS Database Migration Service.

Database migration console

24

AWS Direct Connect (DX)

API call logging only.

CloudWatch LogGroup: /CloudTrail/Landing-Zone-Logs

S3 bucket [in the central Logging Account]: aws-landing-zone-logs-{account_ID}-{region}

Path: /AWSLogs/{account_ID}/CloudTrail/

25

AWS Glacier

26

AWS IAM (IAM)

27

AWS Key Management Service

28

AWS Management Console (console or AWS Console)

29

AWS Simple Notification Service (SNS)

30

AWS Simple Queueing Service (SQS)

Single-Account Landing Zone

AMS single-account landing zone aggregated service logs. Each numbered entry gives the service name, the log details, and the log location.

1

Amazon Aurora

General, slow query, and error logs.

CloudWatch LogGroup: /aws/rds/cluster/{database_name}/{log_name}

2

Amazon CloudFormation (CloudFormation or CFN)

API call logging only.

CloudFormation API calls are documented via CloudTrail, which sends its logs to the CloudWatch LogGroup and then syncs the logs into an S3 bucket.

CloudWatch LogGroup: /aws/ams/cloudtrail

S3 bucket: ams-a{account_ID}-log-management-{region}

3

Amazon CloudFront (CloudFront)

User request logging.

You must explicitly enable CloudFront logging. For information, see Enabling logging for supported services.

S3 bucket: ams-a{account_ID}-log-management-{region}

Path: AWS/RedShift/{CloudFront_distribution_ID}

4

Amazon CloudWatch (CloudWatch)

API call logging only.

CloudWatch LogGroup: /aws/ams/cloudtrail

5

Amazon Elastic Block Store (EBS)

No logs are produced by the EBS service.

Not applicable

6

Amazon Elastic Compute Cloud (EC2)

System and application logs.

For information, see the Amazon Elastic Compute Cloud (Amazon EC2) - system level logs.

CloudWatch Logs: /{instance_ID}

7

Amazon Elastic File System (Amazon EFS)

API call logging only.

CloudWatch LogGroup: /aws/ams/cloudtrail

8

Elastic Load Balancing (ELB)

Access and error log entries.

Elastic load balancers log all requests sent to them, including requests that aren't routed to back-end instances. For example, if a client sends a malformed request, or there are no healthy instances to respond, the request is still logged.

For more information about elastic load balancer log entries, see

CloudWatch LogGroup: /aws/ams/cloudtrail

S3 bucket: mc-a{account_ID}-logs-{region}

Path: aws/elbaccess

9

Amazon OpenSearch Service (OpenSearch Service)

Service error logs.

You must explicitly enable OpenSearch logging. For information, see Enabling logging for supported services.

CloudWatch LogGroup: /aws/ams/cloudtrail

10

Amazon ElastiCache

API call logging only.

CloudWatch LogGroup: /aws/ams/cloudtrail

11

Amazon GuardDuty

12

Amazon Inspector

13

Amazon Macie

14

Amazon Redshift

Connection, user, and activity logs.

Logging is enabled by default when you create your Redshift cluster by invoking the Create Redshift cluster CT (ct-1malj7snzxrkr).

For information, see Database Audit Logging.

S3 bucket: ams-a{account_ID}-log-management-{region}

Path: /AWS/RedShift/{CloudFront_Distribution_ID}

15

Amazon Relational Database Service (RDS)

Logs specific to database type.

RDS logging must be explicitly enabled. For information, see Enabling logging for supported services.

You can only access MSSQL logs through a stored procedure; for information, see Archiving Log Files.

CloudWatch LogGroup: /aws/rds/(instance|cluster)/{database name}/{log name}

16

Amazon S3 (S3)

Bucket access logs. Each access log record provides details about a single access request, such as: requester, bucket name, request time, request action, response status, and error code (if any). Access log information can be useful in security and access audits; it can also help you learn about your customer base and understand your Amazon S3 bill.

For more information on S3 Access Log entries, see S3 Server Access Log Format.

S3 bucket: mc-a{account_ID}-log-management-{region}

Path: /aws/s3access/{bucket_name}

17

Amazon Simple Email Service (SES)

SES API service calls.

CloudWatch LogGroup: /aws/ams/cloudtrail

S3 bucket: ams-a{account_ID}-log-management-{region}

Path: AWS/CloudTrail/AWSLogs/{account_ID}/CloudTrail/{region}

18

Amazon Virtual Private Cloud (VPC)

VPC flow data (information about the IP traffic going to and from your VPC's network interfaces).

CloudWatch LogGroup: /aws/vpcflow/{vpc_id}

19

Auto Scaling

API call logging only.

CloudWatch LogGroup: /aws/ams/cloudtrail

20

AWS Certificate Manager

21

AWS CodeDeploy

Instance-specific deployment logs.

On the instance

22

AWS Config

AWS Config API service calls.

CloudWatch LogGroup: /aws/ams/cloudtrail

S3 bucket: ams-a{account_ID}-log-management-{region}

Path: AWS/CloudTrail/AWSLogs/{account_ID}/CloudTrail/{region}

23

AWS Database Migration Service

Database migration logs.

For information, see Introducing log management in AWS Database Migration Service.

Database migration console

24

AWS Direct Connect (DX)

API call logging only.

CloudWatch LogGroup: /aws/ams/cloudtrail

25

AWS Glacier

26

AWS IAM (IAM)

27

AWS Key Management Service

28

AWS Management Console (console or AWS Console)

29

AWS Simple Notification Service (SNS)

30

AWS Simple Queueing Service (SQS)
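The Elastic Load Balancing entries in both tables above note that the load balancer logs every request it receives, including requests that were never routed to a back-end instance (a malformed request, or no healthy instance available). The following script is an added example, not AMS or AWS code, that reads the access logs found under the aws/elbaccess path and separates unrouted requests from routed ones. It assumes the Classic Load Balancer access log field order; the sample lines, the load balancer name ams-web-elb, the client addresses and the status codes are constructed for the example.

```python
import re
from collections import Counter

# Field order of the Classic Load Balancer access log format.
ELB_FIELDS = [
    "timestamp", "elb", "client", "backend", "request_processing_time",
    "backend_processing_time", "response_processing_time", "elb_status_code",
    "backend_status_code", "received_bytes", "sent_bytes", "request",
    "user_agent", "ssl_cipher", "ssl_protocol",
]

# The request and user_agent fields are quoted and may contain spaces, so a
# token is either a "quoted string" or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_elb_line(line):
    """Split one access log line into a dict keyed by field name."""
    tokens = [t.strip('"') for t in _TOKEN.findall(line.strip())]
    if len(tokens) != len(ELB_FIELDS):
        raise ValueError(f"expected {len(ELB_FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(ELB_FIELDS, tokens))


def unrouted_requests(lines):
    """Return (timestamp, client, elb_status_code, request) for every entry the
    load balancer logged without handing it to a back-end instance. Those entries
    carry '-' in the backend field, so only the ELB's own status code is present."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_elb_line(line)
        if rec["backend"] == "-":
            found.append((rec["timestamp"], rec["client"],
                          rec["elb_status_code"], rec["request"]))
    return found


def status_breakdown(lines):
    """Count entries by ELB status code, keyed by whether a back-end was involved."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_elb_line(line)
        routed = "routed" if rec["backend"] != "-" else "unrouted"
        counts[(routed, rec["elb_status_code"])] += 1
    return counts


# Constructed sample lines (not real log data): one request served by a back-end,
# one request with no healthy instance available (ELB answered 503), and one
# malformed request (ELB answered 400 and recorded no request line).
SAMPLE_ELB_LOG = """\
2024-01-15T10:00:01.123456Z ams-web-elb 198.51.100.21:50312 10.0.1.15:80 0.000052 0.001310 0.000044 200 200 0 1024 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2024-01-15T10:00:02.654321Z ams-web-elb 203.0.113.8:41822 - -1 -1 -1 503 - 0 0 "GET https://www.example.com:443/api/health HTTP/1.1" "curl/7.68.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2024-01-15T10:00:03.000001Z ams-web-elb 203.0.113.8:41823 - -1 -1 -1 400 - 0 0 "- - - " "-" - -
"""

if __name__ == "__main__":
    for when, client, code, request in unrouted_requests(SAMPLE_ELB_LOG.splitlines()):
        print(f"{when} {client} not routed, ELB returned {code}: {request.strip()}")
    for (routed, code), n in sorted(status_breakdown(SAMPLE_ELB_LOG.splitlines()).items()):
        print(f"{routed:8} {code}: {n}")
```

A spike of unrouted entries with the same ELB status code is worth alerting on either way: a run of 503s points at an availability problem behind the load balancer, while a run of 4xx entries from one client with empty request lines is the kind of traffic a firewall or WAF review should see.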
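The Amazon S3 entries in both tables describe what each server access log record contains (requester, bucket name, request time, request action, response status and error code) and note that these records are useful in security and access audits. The script below is an added example, not part of this guide or of AWS, of such an audit over log lines as they appear under the aws/s3access/{bucket_name} path: it parses the S3 server access log format and pulls out anonymous requests, denied requests, and request volume per requester. The field order is that of the standard S3 server access log format; the sample lines, bucket name, canonical IDs and request IDs are constructed for the example.

```python
import re
from collections import Counter

# Field names of the S3 server access log format, in the order S3 writes them.
# Fields from host_id onward were appended to the format over time, so older
# lines may be shorter; the parser pads missing trailing fields with None.
S3_ACCESS_FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent", "version_id", "host_id", "signature_version",
    "cipher_suite", "auth_type", "host_header", "tls_version",
    "access_point_arn", "acl_required",
]

# A token is a [bracketed timestamp] (which contains a space), a "quoted string",
# or a run of non-space characters, tried in that order.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_s3_access_line(line):
    """Split one access log line into a dict keyed by field name.

    The literal '-' (S3's marker for "not applicable") is kept as-is so callers
    can tell it apart from a field that is absent because the line is short.
    """
    tokens = _TOKEN.findall(line.strip())
    record = {name: None for name in S3_ACCESS_FIELDS}
    record.update(zip(S3_ACCESS_FIELDS, tokens))
    for name in ("request_uri", "referrer", "user_agent"):
        if record[name] is not None:
            record[name] = record[name].strip('"')
    if record["time"] is not None:
        record["time"] = record["time"].strip("[]")
    return record


def audit_s3_access(lines):
    """Summarise what an access audit looks at first: anonymous requests,
    denied requests, and request volume per (requester, operation) pair."""
    findings = {"anonymous": [], "denied": [], "by_requester": Counter()}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_s3_access_line(line)
        findings["by_requester"][(rec["requester"], rec["operation"])] += 1
        if rec["requester"] == "-":  # no credentials presented: anonymous request
            findings["anonymous"].append(
                (rec["time"], rec["remote_ip"], rec["operation"], rec["key"]))
        if rec["error_code"] == "AccessDenied" or rec["http_status"] == "403":
            findings["denied"].append(
                (rec["time"], rec["requester"], rec["remote_ip"], rec["operation"], rec["key"]))
    return findings


# Constructed sample lines (not real log data): an authenticated GET that succeeded,
# an anonymous GET that was denied, and an authenticated DELETE that was denied.
SAMPLE_S3_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadd3b1bb8ff2e5e2b9acd example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eaadd3b1bb8ff2e5e2b9acd 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 200 - 1024 1024 7 5 "-" "aws-cli/2.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadd3b1bb8ff2e5e2b9acd example-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 8D2E9F4A1EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-bucket/reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "curl/7.68.0" - hostidEXAMPLE= - - - example-bucket.s3.us-east-1.amazonaws.com - - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eaadd3b1bb8ff2e5e2b9acd example-bucket [06/Feb/2019:00:02:15 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eaadd3b1bb8ff2e5e2b9acd 9A1B2C3D4EXAMPLE REST.DELETE.OBJECT reports/q1.csv "DELETE /example-bucket/reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "aws-cli/2.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.us-east-1.amazonaws.com TLSV1.2 - -
"""

if __name__ == "__main__":
    result = audit_s3_access(SAMPLE_S3_LOG.splitlines())
    for when, ip, op, key in result["anonymous"]:
        print(f"anonymous {op} on {key} from {ip} at {when}")
    for when, who, ip, op, key in result["denied"]:
        print(f"denied {op} on {key} for requester {who} from {ip} at {when}")
```

A real audit run reads every object under the bucket's aws/s3access/{bucket_name} prefix and applies the same functions; anonymous requests against a bucket that is meant to be private, and repeated AccessDenied results for one requester, are the first two findings to chase.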
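The Amazon VPC entries in both tables point at the /aws/vpcflow/{VPC_ID} log group, which holds records of the IP traffic to and from the VPC's network interfaces. The following script is an added example, not code from this guide or from AWS, of a detection pass over those records: it parses the default VPC flow log format, totals the REJECTed flows per source address, and flags sources rejected on several distinct destination ports. The distinct-port threshold is an assumed heuristic, and the sample records, account ID, interface ID and addresses are constructed for the example.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) VPC flow log format.
FLOW_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]


def parse_flow_record(line):
    """Split one default-format flow log record into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FLOW_FIELDS, parts))


def summarize_rejects(lines, distinct_port_threshold=3):
    """Count REJECTed flows per source address and flag sources that were rejected
    on at least `distinct_port_threshold` different destination ports (an assumed
    heuristic for a sweep). NODATA and SKIPDATA records carry no addresses; they
    are counted separately so gaps in coverage stay visible instead of vanishing."""
    rejects_by_src = Counter()
    bytes_rejected_by_src = Counter()
    ports_by_src = defaultdict(set)
    non_ok = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK":
            non_ok += 1
            continue
        if rec["action"] == "REJECT":
            src = rec["srcaddr"]
            rejects_by_src[src] += 1
            bytes_rejected_by_src[src] += int(rec["bytes"])
            ports_by_src[src].add(int(rec["dstport"]))
    suspicious = sorted(
        src for src, ports in ports_by_src.items() if len(ports) >= distinct_port_threshold)
    return {
        "rejects_by_src": rejects_by_src,
        "bytes_rejected_by_src": bytes_rejected_by_src,
        "suspicious_sources": suspicious,
        "non_ok_records": non_ok,
    }


# Constructed sample records (not real log data): one external source rejected on
# three different ports, an accepted internal flow, a single rejected SSH attempt
# from a second source, and a NODATA interval.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51423 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51424 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.20 51425 445 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 10.0.2.31 44122 443 6 25 9840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.20 60001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA
"""

if __name__ == "__main__":
    summary = summarize_rejects(SAMPLE_FLOW_LOG.splitlines())
    for src, n in summary["rejects_by_src"].most_common():
        print(f"{src}: {n} rejected flows, {summary['bytes_rejected_by_src'][src]} bytes")
    print("suspicious sources:", summary["suspicious_sources"])
    print("records without flow data:", summary["non_ok_records"])
```

Flow log records are delivered per capture window, so a source that touches one new port per window will only cross the threshold when records from several windows are evaluated together; run the summary over the whole period of interest rather than a single batch.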