Troubleshooting access logging in AWS Elemental MediaStore - AWS Elemental MediaStore

End of support notice: On November 13, 2025, AWS will discontinue support for AWS Elemental MediaStore. After November 13, 2025, you will no longer be able to access the MediaStore console or MediaStore resources. For more information, visit this blog post.

Troubleshooting access logging in AWS Elemental MediaStore

When AWS Elemental MediaStore access logs do not appear in Amazon CloudWatch, refer to the following table for potential causes and resolutions.

Note

Be sure to enable AWS CloudTrail Logs to assist with the troubleshooting process.

Symptom The Problem Might Be... Try This...
You don't see any CloudTrail events, even though CloudTrail logs are enabled. The IAM role either does not exist or it has the incorrect name, permissions, or trust policy. Create a role with the correct name, permissions, and trust policy. See Setting up permissions for Amazon CloudWatch.
You submitted a DescribeContainer API request, but the response shows that the AccessLoggingEnabled parameter has a value of False. In addition, you don't see any CloudTrail events for the MediaStoreAccessLogs role making a successful DescribeLogGroup, CreateLogGroup, DescribeLogStream, or CreateLogStream call. The IAM role either does not exist or it has the incorrect name, permissions, or trust policy. Create a role with the correct name, permissions, and trust policy. See Setting up permissions for Amazon CloudWatch.
Access logging is not enabled on the container. Enable access logs for the container. See Enabling access logging for a container.

On the CloudTrail console, you see an event with an access denied error related to the MediaStoreAccessLogs role. The CloudTrail event might include lines such as the following:

"eventSource": "logs.amazonaws.com",

"errorCode": "AccessDenied",

"errorMessage": "User: arn:aws:sts::111122223333:assumed-role/MediaStoreAccessLogs/MediaStoreAccessLogsSession is not authorized to perform: logs:DescribeLogGroups on resource: arn:aws:logs:us-west-2:111122223333:log-group::log-stream:",

 The IAM role doesn't have the correct permissions for AWS Elemental MediaStore. Update the IAM role to have the correct permissions and trust policy. See Setting up permissions for Amazon CloudWatch.
You don't see any logs for an entire container or containers. Your account might have exceeded the CloudWatch quota for log groups per account per Region. See the quotas for log groups in the Amazon CloudWatch Logs User Guide. On the CloudWatch console, determine if your account has met the CloudWatch quota for log groups. If necessary, request a quota increase.
You see some logs in CloudWatch, but not all logs that you expect to see. Your account might have exceeded the CloudWatch quota for transactions per second per account per Region. See the quotas for PutLogEvents in the Amazon CloudWatch Logs User Guide. Request a quota increase for CloudWatch transactions per second per account per Region.