You can use vended logs for greater flexibility and control over where to deliver logs that MediaTailor emits from your playback configuration.
With vended logs, MediaTailor sends all log activity associated with a configuration to Amazon CloudWatch Logs. CloudWatch Logs then sends the percent of logs that you specify to your chosen destination. Supported destinations are an Amazon CloudWatch Logs log group, Amazon S3 bucket, or Amazon Data Firehose stream.
Because vended logs are available at volume discount pricing, you could see cost savings compared to sending logs directly to CloudWatch Logs. For pricing, see Vended Logs on the Logs tab at Amazon CloudWatch Pricing.
To use vended logs, you must do the following:
For more information about vended logs, see Enable logging from AWS services in the CloudWatch Logs user guide. MediaTailor supports V2 of vended logs.
Step 1: Add permissions for MediaTailor log delivery
The person who's setting up vended logs must have permissions to create the delivery destination, configure log delivery, and enable vended logs in MediaTailor. Use the following policies to ensure that you have the appropriate permissions to set up vended logs.
- Policies for CloudWatch Logs and delivery destinations
The following sections in the Amazon CloudWatch Logs User Guide provide the policies that enable you to work with logs in CloudWatch Logs and your delivery destinations. If you send logs to multiple locations, you can combine the policy statements into one policy instead of creating multiple policies.
- Policy for set up from the console
  If you're setting up vended logs delivery through the console instead of the API or AWS CLI, you must have the following additional permissions in your policy.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AllowLogDeliveryActionsConsoleCWL",
        "Effect": "Allow",
        "Action": [
          "logs:DescribeLogGroups"
        ],
        "Resource": [
          "arn:aws:logs:us-east-1:111122223333:log-group:*"
        ]
      },
      {
        "Sid": "AllowLogDeliveryActionsConsoleS3",
        "Effect": "Allow",
        "Action": [
          "s3:ListAllMyBuckets",
          "s3:ListBucket",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "arn:aws:s3:::*"
        ]
      },
      {
        "Sid": "AllowLogDeliveryActionsConsoleFH",
        "Effect": "Allow",
        "Action": [
          "firehose:ListDeliveryStreams",
          "firehose:DescribeDeliveryStream"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
- Policy for vended logs in MediaTailor
  To create, view, or modify vended logs delivery in MediaTailor, you must have the following permissions in your policy.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ServiceLevelAccessForLogDelivery",
        "Effect": "Allow",
        "Action": [
          "mediatailor:AllowVendedLogDeliveryForResource"
        ],
        "Resource": "arn:aws:mediatailor:region:111122223333:playbackConfiguration/*"
      }
    ]
  }
For information about adding permissions and working with policies, see Identity and Access Management for AWS Elemental MediaTailor.
Step 2: Create delivery destinations for MediaTailor logs
Create the resources where your logs will be sent. Record the ARN of the resource for use in configuring the log delivery in a later step.
- CloudWatch Logs log group delivery destination
  Use one of the following for help creating a log group.
  - For the console, see Create a log group in CloudWatch Logs in the Amazon CloudWatch Logs User Guide.
  - For the API, see CreateLogGroup in the Amazon CloudWatch Logs API Reference.
  - For SDKs and CLI, see Use CreateLogGroup with an AWS SDK or AWS CLI in the Amazon CloudWatch Logs User Guide.
- Amazon S3 bucket delivery destination
  Use one of the following for help creating a bucket.
  - For the console, SDKs, and CLI, see Create a bucket in the Amazon Simple Storage Service User Guide.
  - For the API, see CreateBucket in the Amazon Simple Storage Service API Reference.
- Firehose stream delivery destination
  For help creating a stream, see Create a Firehose stream from console in the Amazon Data Firehose Developer Guide.
Step 3: Enable vended logs for the MediaTailor playback configuration
Create or update the playback configuration that will be sending logs to the delivery destination that you created in the previous step. Record the name of the configuration for use in configuring the log delivery in a later step.
- To enable vended logs through the console, use Creating a configuration or Editing a configuration to access the Logging settings. For Logging strategies, choose Vended logs.
- To enable vended logs through the API, you must have an existing configuration. Use ConfigureLogsForPlaybackConfiguration to add the logging strategy Vended logs.
If you're using the legacy MediaTailor logging strategy of sending logs directly to CloudWatch Logs and want to migrate to vended logs, see Migrating the logging strategy.
Important
If you change the log strategy from Legacy CloudWatch to vended logs, MediaTailor will make this change as soon as you save the updates. You will stop receiving logs until you have fully configured vended logging.
Step 4: Configure log delivery in CloudWatch Logs
In CloudWatch Logs, you must create three elements to represent the pieces of log delivery. These elements are described in detail in CreateDelivery in the Amazon CloudWatch Logs API Reference. The high-level steps to configure the delivery with the CloudWatch Logs API are as follows.
To configure log delivery in CloudWatch Logs (API)
- Use PutDeliverySource to add the source of logs.
  A DeliverySource represents the playback configuration that's generating the logs. You need the name of the playback configuration to create the DeliverySource.
- Use PutDeliveryDestination to add the destination where logs will be written.
  A DeliveryDestination represents the delivery destination. You need the ARN of the log group, bucket, or stream to create the DeliveryDestination.
- Use PutDeliveryDestinationPolicy if you are delivering logs across accounts.
  If the delivery destination is in a different account from the playback configuration, you need a DeliveryDestinationPolicy. This policy allows CloudWatch Logs to deliver logs to the DeliveryDestination.
- Use CreateDelivery to link the DeliverySource to the DeliveryDestination.
  A Delivery represents the connection between the DeliverySource and DeliveryDestination.
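The four calls above, laid out as a plan that also records which account has to make each call. This is an added example, not code from the MediaTailor documentation. The resource names, the delivery ARN layouts, the cross-account policy shape, and the sample log type are assumptions to verify against the CloudWatch Logs and MediaTailor guides.

```python
import json

def delivery_plan(config_name, region, src_acct, dst_acct, dest_arn, log_type):
    """Step 4 calls in page order, each tagged with the account that makes it."""
    src_name = f"{config_name}-source"        # hypothetical naming scheme
    dst_name = f"{config_name}-destination"   # hypothetical naming scheme
    logs_arn = f"arn:aws:logs:{region}"
    # Assumed ARN layout for the delivery destination object; in a real run,
    # prefer the ARN returned by PutDeliveryDestination.
    dst_obj_arn = f"{logs_arn}:{dst_acct}:delivery-destination:{dst_name}"
    plan = [
        {"account": src_acct, "call": "put_delivery_source", "params": {
            "name": src_name,
            # Playback configuration ARN, same shape as in the Step 1 policy.
            "resourceArn": f"arn:aws:mediatailor:{region}:{src_acct}"
                           f":playbackConfiguration/{config_name}",
            "logType": log_type}},
        {"account": dst_acct, "call": "put_delivery_destination", "params": {
            "name": dst_name,
            "deliveryDestinationConfiguration": {"destinationResourceArn": dest_arn}}},
    ]
    if dst_acct != src_acct:
        # Cross-account only. Policy shape is an assumption modeled on the
        # CloudWatch Logs cross-account guidance, scoped to this source/destination.
        policy = {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{src_acct}:root"},
            "Action": "logs:CreateDelivery",
            "Resource": [f"{logs_arn}:{src_acct}:delivery-source:{src_name}",
                         f"{logs_arn}:{src_acct}:delivery:*", dst_obj_arn]}]}
        plan.append({"account": dst_acct, "call": "put_delivery_destination_policy",
                     "params": {"deliveryDestinationName": dst_name,
                                "deliveryDestinationPolicy": json.dumps(policy)}})
    plan.append({"account": src_acct, "call": "create_delivery", "params": {
        "deliverySourceName": src_name, "deliveryDestinationArn": dst_obj_arn}})
    return plan

def apply(plan, clients):
    """Run the plan; `clients` maps account ID to that account's boto3 'logs' client."""
    for step in plan:
        getattr(clients[step["account"]], step["call"])(**step["params"])

if __name__ == "__main__":
    # Constructed sample values; the log type name is an assumption to confirm
    # in the MediaTailor documentation.
    for step in delivery_plan("my-config", "us-east-1", "111122223333", "444455556666",
                              "arn:aws:s3:::amzn-s3-demo-bucket", "AD_DECISION_SERVER_LOGS"):
        print(step["account"], step["call"], json.dumps(step["params"]))
```

Reviewing the printed plan before calling `apply` shows whether a destination policy will be created and which principal it trusts.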