Enabling AWS Config logs

When you enable AWS Config logs, you must specify a destination for the log data.

About this task

Users must have the following permissions to enable AWS Config logs for delivery to Amazon S3.

  • ec2:ModifyVerifiedAccessInstanceLoggingConfiguration on the Config instance
  • logs:CreateLogDelivery, logs:DeleteLogDelivery, logs:GetLogDelivery, logs:ListLogDeliveries, and logs:UpdateLogDelivery on all resources
  • s3:GetBucketPolicy and s3:PutBucketPolicy on the destination bucket

Procedure

  1. Open the Amazon VPC console at Amazon VPC.
  2. In the navigation pane, select AWS Config.
  3. Select AWS Config.
  4. On the AWS Config logging configuration tab, select Modify AWS Config logging configuration.
  5. Enable Deliver to Amazon S3.
  6. Enter the name, owner, and prefix of the destination bucket.
  7. Click Modify AWS Config logging configuration.