Access logs for Amazon VPC Lattice
Access logs capture detailed information about your VPC Lattice services and resource
configurations. You can use these access logs to analyze traffic patterns and audit all of
the services in the network. For VPC Lattice services, we publish VpcLatticeAccessLogs and for
resource configurations, we publish VpcLatticeResourceAccessLogs which needs to be
configured separately.
Access logs are optional and are disabled by default. After you enable access logs, you can disable them at any time.
Pricing
Charges apply when access logs are published. Logs that AWS natively publishes on
your behalf are called vended logs. For more
information about pricing for vended logs, see Amazon CloudWatch Pricing
Contents
IAM permissions required to enable access logs
To enable access logs and send the logs to their destinations, you must have the following actions in the policy attached to the IAM user, group, or role that you are using.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "ManageVPCLatticeAccessLogSetup", "Action": [ "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery", "logs:DeleteLogDelivery", "logs:ListLogDeliveries", "vpc-lattice:CreateAccessLogSubscription", "vpc-lattice:GetAccessLogSubscription", "vpc-lattice:UpdateAccessLogSubscription", "vpc-lattice:DeleteAccessLogSubscription", "vpc-lattice:ListAccessLogSubscriptions" ], "Resource": [ "*" ] } ] }
For more information, see Adding and removing IAM identity permissions in the AWS Identity and Access Management User Guide.
After you’ve updated the policy attached to the IAM user, group, or role that you are using, go to Enable access logs.
Access log destinations
You can send access logs to the following destinations.
Amazon CloudWatch Logs
-
VPC Lattice typically delivers logs to CloudWatch Logs within 2 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
-
A resource policy is created automatically and added to the CloudWatch log group if the log group does not have certain permissions. For more information, see Logs sent to CloudWatch Logs in the Amazon CloudWatch User Guide.
-
You can find access logs that are sent to CloudWatch under Log Groups in the CloudWatch console. For more information, see View log data sent to CloudWatch Logs in the Amazon CloudWatch User Guide.
Amazon S3
-
VPC Lattice typically delivers logs to Amazon S3 within 6 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
-
A bucket policy will be created automatically and added to your Amazon S3 bucket if the bucket does not have certain permissions. For more information, see Logs sent to Amazon S3 in the Amazon CloudWatch User Guide.
-
Access logs that are sent to Amazon S3 use the following naming convention:
[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/AccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz -
VpcLatticeResourceAccessLogs that are sent to Amazon S3 use the following naming convention:
[bucket]/[prefix]/AWSLogs/[accountId]/VpcLattice/ResourceAccessLogs/[region]/[YYYY/MM/DD]/[resource-id]/[accountId]_VpcLatticeResourceAccessLogs_[region]_[resource-id]_YYYYMMDDTHHmmZ_[hash].json.gz
Amazon Data Firehose
-
VPC Lattice typically delivers logs to Firehose within 2 minutes. However, keep in mind that actual log delivery time is on a best effort basis and there may be additional latency.
-
A service-linked role is automatically created that grants VPC Lattice permission to send access logs to Amazon Data Firehose. For automatic role creation to succeed, users must have permission for the
iam:CreateServiceLinkedRoleaction. For more information, see Logs sent to Amazon Data Firehose in the Amazon CloudWatch User Guide. -
For more information about viewing the logs sent to Amazon Data Firehose, see Monitoring Amazon Kinesis Data Streams in the Amazon Data Firehose Developer Guide.
Enable access logs
Complete the following procedure to configure access logs to capture and deliver access logs to the destination that you choose.
Enable access logs using the console
You can enable access logs for a service network, a service, or a resource configuration during creation. You can also enable access logs after you create a service network, service, or resource configuration as described in the following procedure.
To create a basic service using the console
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
Select the service network, service, or resource configuration.
-
Choose Actions, Edit log settings.
-
Turn on the Access logs toggle switch.
-
Add a delivery destination for your access logs as follows:
-
Select CloudWatch Log group and choose a log group. To create a log group, choose Create a log group in CloudWatch.
-
Select S3 bucket and enter the S3 bucket path, including any prefix. To search your S3 buckets, choose Browse S3.
-
Select Kinesis Data Firehose delivery stream and choose a delivery stream. To create a delivery stream, choose Create a delivery stream in Kinesis.
-
-
Choose Save changes.
Enable access logs using the AWS CLI
Use the CLI command create-access-log-subscription
Access log contents
The following table describes the fields of an access log entry.
| Field | Description | Format |
|---|---|---|
hostHeader
|
The authority header of the request. |
string |
sslCipher
|
The OpenSSL name for the set of ciphers used to establish the client TLS connection. |
string |
serviceNetworkArn
|
The service network ARN. |
arn:aws:vpc-lattice: |
resolvedUser
|
The ARN of the user when authentication is enabled and authentication is done. |
null | ARN | "Anonymous" | "Unknown" |
authDeniedReason
|
The reason that access is denied when authentication is enabled. |
null | "Service" | "Network" | "Identity" |
requestMethod
|
The method header of the request. |
string |
targetGroupArn
|
The target host group to which the target host belongs. |
string |
tlsVersion
|
The TLS version. |
TLSv |
userAgent
|
The user-agent header. |
string |
ServerNameIndication
|
[HTTPS only] The value set on ssl connection socket for Server Name Indication (SNI). |
string |
destinationVpcId
|
The destination VPC ID. |
vpc- |
sourceIpPort
|
The IP address and :port of the source. |
|
targetIpPort
|
The IP address and port of the target. |
|
serviceArn
|
The service ARN. |
arn:aws:vpc-lattice: |
sourceVpcId
|
The source VPC ID. |
vpc- |
requestPath
|
The path of the request. |
LatticePath?: |
startTime
|
The request start time. |
|
protocol
|
The protocol. Currently either HTTP/1.1 or HTTP/2. |
string |
responseCode
|
The HTTP response code. Only the response code for the final headers are logged. For more information, see Troubleshoot access logs. |
integer |
bytesReceived
|
The body and header bytes received. |
integer |
bytesSent
|
The body and header bytes sent. |
integer |
duration
|
Total duration in milliseconds of the request from the start time to the last byte out. |
integer |
requestToTargetDuration
|
Total duration in milliseconds of the request from the start time to the last byte sent to the target. |
integer |
responseFromTargetDuration
|
Total duration in milliseconds of the request from the first byte read from the target host to the last byte sent to the client. |
integer |
grpcResponseCode
|
The gRPC response code. For more information, see Status codes and their use in gRPC |
integer |
callerPrincipal
|
The authenticated principal. |
string |
callerX509SubjectCN
|
The subject name (CN). |
string |
callerX509IssuerOU
|
The issuer (OU). |
string |
callerX509SANNameCN
|
The issuer alternative (Name/CN). |
string |
callerX509SANDNS
|
The subject alternative name (DNS). |
string |
callerX509SANURI
|
The subject alternative name (URI). |
string |
sourceVpcArn
|
The ARN of the VPC where the request originated. |
arn:aws:ec2: |
Example
The following is an example log entry.
{
"hostHeader": "example.com",
"sslCipher": "-",
"serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:123456789012:servicenetwork/svn-1a2b3c4d",
"resolvedUser": "Unknown",
"authDeniedReason": "null",
"requestMethod": "GET",
"targetGroupArn": "arn:aws:vpc-lattice:us-west-2:123456789012:targetgroup/tg-1a2b3c4d",
"tlsVersion": "-",
"userAgent": "-",
"serverNameIndication": "-",
"destinationVpcId": "vpc-0abcdef1234567890",
"sourceIpPort": "178.0.181.150:80",
"targetIpPort": "131.31.44.176:80",
"serviceArn": "arn:aws:vpc-lattice:us-west-2:123456789012:service/svc-1a2b3c4d",
"sourceVpcId": "vpc-0abcdef1234567890",
"requestPath": "/billing",
"startTime": "2023-07-28T20:48:45Z",
"protocol": "HTTP/1.1",
"responseCode": 200,
"bytesReceived": 42,
"bytesSent": 42,
"duration": 375,
"requestToTargetDuration": 1,
"responseFromTargetDuration": 1,
"grpcResponseCode": 1
}Resource access log contents
The following table describes the fields of a resource access log entry.
| Field | Description | Format |
|---|---|---|
serviceNetworkArn
|
The service network ARN. |
arn: |
serviceNetworkResourceAssociationId
|
The service network resource ID. |
|
vpcEndpointId
|
The endpoint ID that was used to access the resource. |
string |
sourceVpcArn
|
The source VPC ARN or the VPC from where connection was initiated. |
string |
resourceConfigurationArn
|
The ARN of the resource configuration that was accessed. |
string |
protocol
|
The protocol used to communicate to the resource configuration. Currently only tcp is supported. |
string |
sourceIpPort
|
The IP address and port of the source which initiated the connection. |
|
destinationIpPort
|
The IP address and port against which the connection was initiated. This will be the IP of SN-E/SN-A. |
|
gatewayIpPort
|
The IP address and port used by the resource gateway to access the resource. |
|
resourceIpPort
|
The IP address and port of the resource. |
|
Example
The following is an example log entry.
{
"eventTimestamp": "2024-12-02T10:10:10.123Z",
"serviceNetworkArn": "arn:aws:vpc-lattice:us-west-2:1234567890:servicenetwork/sn-1a2b3c4d",
"serviceNetworkResourceAssociationId": "snra-1a2b3c4d",
"vpcEndpointId": "vpce-01a2b3c4d",
"sourceVpcArn": "arn:aws:ec2:us-west-2:1234567890:vpc/vpc-01a2b3c4d",
"resourceConfigurationArn": "arn:aws:vpc-lattice:us-west-2:0987654321:resourceconfiguration/rcfg-01a2b3c4d",
"protocol": "tcp",
"sourceIpPort": "172.31.23.56:44076",
"destinationIpPort": "172.31.31.226:80",
"gatewayIpPort": "10.0.28.57:49288",
"resourceIpPort": "10.0.18.190:80"
}Troubleshoot access logs
This section contains an explanation of the HTTP error codes that you may see in access logs.
| Error code | Possible causes |
|---|---|
|
HTTP 400: Bad Request |
|
|
HTTP 403: Forbidden |
Authentication has been configured for the service, but the incoming request is not authenticated or authorized. |
|
HTTP 404: Non Existent Service |
You're trying to connect to a service that does not exist or is not registered to the right service network. |
|
HTTP 500: Internal Server Error |
VPC Lattice has encountered an error, such as failure to connect to targets. |
|
HTTP 502: Bad Gateway |
VPC Lattice has encountered an error. |
