How to Enable Logging on Every AWS Service in Existence (Circa 2021)

Matt Fuller
16 min readJan 3, 2021

Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement — “enable logging” — comes with many followup questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren’t logs collected by default? What. even. is. a. log?

In AWS, logging, like most tasks, isn’t as simple as it seems it could be, due to an inconsistent use of defaults, differing destination logging services, and a variety of configuration options, sometimes hidden in layers of submenus and API parameters. I guess we can blame the pizza teams for this too.

After using a handful of AWS services, you’ll notice that some send their logs to CloudWatch Logs (e.g. Lambda), others go to S3 (e.g. ELB and CloudFront), and still others wind up going to Kinesis (e.g. CloudFront’s new realtime logs).

And so I entered a rabbit hole of Googling, AWS documentation, and spinning up test services with names like “deletethisasap” in order to write the definitive guide to answer the question “how do I enable logging?” for every supported AWS service (although I make no guarantees; AWS released five new services just as I was typing this intro).

TL;DR

If you’re just looking for a list of services: Here.

Prelude

Aside from the first item (“The AWS Account Itself”), the list of AWS services below is specifically regarding logging system-level activity (e.g. access logs to S3 buckets, request logs to ELBs, etc.) and not API-level activity of the services themselves, which go to CloudTrail. There are many services not listed here which do log their API activity to CloudTrail, but do not support any additional logging.

The data below is sourced from hundreds of pages of AWS documentation. Where possible, I’ve included direct links to the source. If you note any inaccuracies or missing services, please email me.

The AWS Account Itself

Let’s start with the single most important logging service: CloudTrail. CloudTrail monitors AWS API activity across nearly every AWS service (although there are a…

--

--

Matt Fuller

Founder of @CloudSploit , acquired by @AquaSecTeam . Former Infra / Security / Manager @Adobe , @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident