2026/05/04 - Amazon CloudWatch Logs - 4 updated api methods
Changes Adding an additional optional deliverySourceConfiguration field to PutDeliverySource API. This enables customers to pass service-specific configurations through IngestionHub such as tracing enablement or sampling rates that will be propagated to the source resource.
{'configurationTemplates': {'deliverySourceConfiguration': [{'defaultValue': 'string',
'keyName': 'string',
'maxValue': 'double',
'minValue': 'double',
'supportedValues': ['string'],
'valueType': 'string '
'| '
'boolean '
'| '
'int '
'| '
'double '
'| '
'long'}],
's3TablesIntegration': {'datasourceName': 'string',
'datasourceType': 'string'}}}
Use this operation to return the valid and default values that are used when creating delivery sources, delivery destinations, and deliveries. For more information about deliveries, see CreateDelivery.
See also: AWS API Documentation
Request Syntax
client.describe_configuration_templates(
service='string',
logTypes=[
'string',
],
resourceTypes=[
'string',
],
deliveryDestinationTypes=[
'S3'|'CWL'|'FH'|'XRAY',
],
nextToken='string',
limit=123
)
string
Use this parameter to filter the response to include only the configuration templates that apply to the Amazon Web Services service that you specify here.
list
Use this parameter to filter the response to include only the configuration templates that apply to the log types that you specify here.
(string) --
list
Use this parameter to filter the response to include only the configuration templates that apply to the resource types that you specify here.
(string) --
list
Use this parameter to filter the response to include only the configuration templates that apply to the delivery destination types that you specify here.
(string) --
string
The token for the next set of items to return. The token expires after 24 hours.
integer
Use this parameter to limit the number of configuration templates that are returned in the response.
dict
Response Syntax
{
'configurationTemplates': [
{
'service': 'string',
'logType': 'string',
'resourceType': 'string',
'deliveryDestinationType': 'S3'|'CWL'|'FH'|'XRAY',
'defaultDeliveryConfigValues': {
'recordFields': [
'string',
],
'fieldDelimiter': 'string',
's3DeliveryConfiguration': {
'suffixPath': 'string',
'enableHiveCompatiblePath': True|False
}
},
'allowedFields': [
{
'name': 'string',
'mandatory': True|False
},
],
'allowedOutputFormats': [
'json'|'plain'|'w3c'|'raw'|'parquet',
],
'allowedActionForAllowVendedLogsDeliveryForResource': 'string',
'allowedFieldDelimiters': [
'string',
],
'allowedSuffixPathFields': [
'string',
],
'deliverySourceConfiguration': [
{
'keyName': 'string',
'valueType': 'string'|'boolean'|'int'|'double'|'long',
'defaultValue': 'string',
'supportedValues': [
'string',
],
'minValue': 123.0,
'maxValue': 123.0
},
],
's3TablesIntegration': {
'datasourceName': 'string',
'datasourceType': 'string'
}
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
configurationTemplates (list) --
An array of objects, where each object describes one configuration template that matches the filters that you specified in the request.
(dict) --
A structure containing information about the deafult settings and available settings that you can use to configure a delivery or a delivery destination.
service (string) --
A string specifying which service this configuration template applies to. For more information about supported services see Enable logging from Amazon Web Services services..
logType (string) --
A string specifying which log type this configuration template applies to.
resourceType (string) --
A string specifying which resource type this configuration template applies to.
deliveryDestinationType (string) --
A string specifying which destination type this configuration template applies to.
defaultDeliveryConfigValues (dict) --
A mapping that displays the default value of each property within a delivery's configuration, if it is not specified in the request.
recordFields (list) --
The default record fields that will be delivered when a list of record fields is not provided in a CreateDelivery operation.
(string) --
fieldDelimiter (string) --
The default field delimiter that is used in a CreateDelivery operation when the field delimiter is not specified in that operation. The field delimiter is used only when the final output delivery is in Plain, W3C, or Raw format.
s3DeliveryConfiguration (dict) --
The delivery parameters that are used when you create a delivery to a delivery destination that is an S3 Bucket.
suffixPath (string) --
This string allows re-configuring the S3 object prefix to contain either static or variable sections. The valid variables to use in the suffix path will vary by each log source. To find the values supported for the suffix path for each log source, use the DescribeConfigurationTemplates operation and check the allowedSuffixPathFields field in the response.
enableHiveCompatiblePath (boolean) --
This parameter causes the S3 objects that contain delivered logs to use a prefix structure that allows for integration with Apache Hive.
allowedFields (list) --
The allowed fields that a caller can use in the recordFields parameter of a CreateDelivery or UpdateDeliveryConfiguration operation.
(dict) --
A structure that represents a valid record field header and whether it is mandatory.
name (string) --
The name to use when specifying this record field in a CreateDelivery or UpdateDeliveryConfiguration operation.
mandatory (boolean) --
If this is true, the record field must be present in the recordFields parameter provided to a CreateDelivery or UpdateDeliveryConfiguration operation.
allowedOutputFormats (list) --
The list of delivery destination output formats that are supported by this log source.
(string) --
allowedActionForAllowVendedLogsDeliveryForResource (string) --
The action permissions that a caller needs to have to be able to successfully create a delivery source on the desired resource type when calling PutDeliverySource.
allowedFieldDelimiters (list) --
The valid values that a caller can use as field delimiters when calling CreateDelivery or UpdateDeliveryConfiguration on a delivery that delivers in Plain, W3C, or Raw format.
(string) --
allowedSuffixPathFields (list) --
The list of variable fields that can be used in the suffix path of a delivery that delivers to an S3 bucket.
(string) --
deliverySourceConfiguration (list) --
The schema of the delivery source configuration that is available for this log type. Each element describes a configuration that can be set when calling PutDeliverySource, including the configuration name, type, and default value.
(dict) --
A structure that describes a single configuration for a log type, including its name, value type, default value, and the range of supported values.
keyName (string) --
The name of the configuration.
valueType (string) --
The data type of the configuration value. Valid values are string, boolean, int, double, and long.
defaultValue (string) --
The default value of the configuration that is used when a value is not specified in a PutDeliverySource request.
supportedValues (list) --
The list of allowed values for the configuration. Empty for free-form configuration.
(string) --
minValue (float) --
The minimum numeric value allowed for the configuration. This applies only when the valueType is a numeric type.
maxValue (float) --
The maximum numeric value allowed for the configuration. This applies only when the valueType is a numeric type.
s3TablesIntegration (dict) --
The S3 Tables integration configuration for this configuration template, including the datasource name and type.
datasourceName (string) --
The name of the S3 Tables datasource.
datasourceType (string) --
The type of the S3 Tables datasource.
nextToken (string) --
The token for the next set of items to return. The token expires after 24 hours.
{'deliverySources': {'deliverySourceConfiguration': {'string': 'string'},
'status': 'ACTIVE | INACTIVE',
'statusReason': 'RESOURCE_DELETED'}}
Retrieves a list of the delivery sources that have been created in the account.
See also: AWS API Documentation
Request Syntax
client.describe_delivery_sources(
nextToken='string',
limit=123
)
string
The token for the next set of items to return. The token expires after 24 hours.
integer
Optionally specify the maximum number of delivery sources to return in the response.
dict
Response Syntax
{
'deliverySources': [
{
'name': 'string',
'arn': 'string',
'resourceArns': [
'string',
],
'service': 'string',
'logType': 'string',
'tags': {
'string': 'string'
},
'deliverySourceConfiguration': {
'string': 'string'
},
'status': 'ACTIVE'|'INACTIVE',
'statusReason': 'RESOURCE_DELETED'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
deliverySources (list) --
An array of structures. Each structure contains information about one delivery source in the account.
(dict) --
This structure contains information about one delivery source in your account. A delivery source is an Amazon Web Services resource that sends logs to an Amazon Web Services destination. The destination can be CloudWatch Logs, Amazon S3, or Firehose.
Only some Amazon Web Services services support being configured as a delivery source. These services are listed as Supported [V2 Permissions] in the table at Enabling logging from Amazon Web Services services.
To configure logs delivery between a supported Amazon Web Services service and a destination, you must do the following:
Create a delivery source, which is a logical object that represents the resource that is actually sending the logs. For more information, see PutDeliverySource.
Create a delivery destination, which is a logical object that represents the actual delivery destination. For more information, see PutDeliveryDestination.
If you are delivering logs cross-account, you must use PutDeliveryDestinationPolicy in the destination account to assign an IAM policy to the destination. This policy allows delivery to that destination.
Create a delivery by pairing exactly one delivery source and one delivery destination. For more information, see CreateDelivery.
You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.
name (string) --
The unique name of the delivery source.
arn (string) --
The Amazon Resource Name (ARN) that uniquely identifies this delivery source.
resourceArns (list) --
This array contains the ARN of the Amazon Web Services resource that sends logs and is represented by this delivery source. Currently, only one ARN can be in the array.
(string) --
service (string) --
The Amazon Web Services service that is sending logs.
logType (string) --
The type of log that the source is sending. For valid values for this parameter, see the documentation for the source service.
tags (dict) --
The tags that have been assigned to this delivery source.
(string) --
(string) --
deliverySourceConfiguration (dict) --
The map of key-value pairs that configure the delivery source.
(string) --
(string) --
status (string) --
The status of the delivery source. A delivery source can have the status ACTIVE or INACTIVE. Note: This value is defined for selective log types.
statusReason (string) --
The reason for the status of the delivery source. A status reason of RESOURCE_DELETED indicates that the resource associated with the delivery source has been deleted. Note: This value is defined for selective log types.
nextToken (string) --
The token for the next set of items to return. The token expires after 24 hours.
{'deliverySource': {'deliverySourceConfiguration': {'string': 'string'},
'status': 'ACTIVE | INACTIVE',
'statusReason': 'RESOURCE_DELETED'}}
Retrieves complete information about one delivery source.
See also: AWS API Documentation
Request Syntax
client.get_delivery_source(
name='string'
)
string
[REQUIRED]
The name of the delivery source that you want to retrieve.
dict
Response Syntax
{
'deliverySource': {
'name': 'string',
'arn': 'string',
'resourceArns': [
'string',
],
'service': 'string',
'logType': 'string',
'tags': {
'string': 'string'
},
'deliverySourceConfiguration': {
'string': 'string'
},
'status': 'ACTIVE'|'INACTIVE',
'statusReason': 'RESOURCE_DELETED'
}
}
Response Structure
(dict) --
deliverySource (dict) --
A structure containing information about the delivery source.
name (string) --
The unique name of the delivery source.
arn (string) --
The Amazon Resource Name (ARN) that uniquely identifies this delivery source.
resourceArns (list) --
This array contains the ARN of the Amazon Web Services resource that sends logs and is represented by this delivery source. Currently, only one ARN can be in the array.
(string) --
service (string) --
The Amazon Web Services service that is sending logs.
logType (string) --
The type of log that the source is sending. For valid values for this parameter, see the documentation for the source service.
tags (dict) --
The tags that have been assigned to this delivery source.
(string) --
(string) --
deliverySourceConfiguration (dict) --
The map of key-value pairs that configure the delivery source.
(string) --
(string) --
status (string) --
The status of the delivery source. A delivery source can have the status ACTIVE or INACTIVE. Note: This value is defined for selective log types.
statusReason (string) --
The reason for the status of the delivery source. A status reason of RESOURCE_DELETED indicates that the resource associated with the delivery source has been deleted. Note: This value is defined for selective log types.
{'deliverySourceConfiguration': {'string': 'string'}}
Response {'deliverySource': {'deliverySourceConfiguration': {'string': 'string'},
'status': 'ACTIVE | INACTIVE',
'statusReason': 'RESOURCE_DELETED'}}
Creates or updates a logical delivery source. A delivery source represents an Amazon Web Services resource that sends logs to an logs delivery destination. The destination can be CloudWatch Logs, Amazon S3, Firehose or X-Ray for sending traces.
To configure logs delivery between a delivery destination and an Amazon Web Services service that is supported as a delivery source, you must do the following:
Use PutDeliverySource to create a delivery source, which is a logical object that represents the resource that is actually sending the logs.
Use PutDeliveryDestination to create a delivery destination, which is a logical object that represents the actual delivery destination. For more information, see PutDeliveryDestination.
If you are delivering logs cross-account, you must use PutDeliveryDestinationPolicy in the destination account to assign an IAM policy to the destination. This policy allows delivery to that destination.
Use CreateDelivery to create a delivery by pairing exactly one delivery source and one delivery destination. For more information, see CreateDelivery.
You can configure a single delivery source to send logs to multiple destinations by creating multiple deliveries. You can also create multiple deliveries to configure multiple delivery sources to send logs to the same delivery destination.
Only some Amazon Web Services services support being configured as a delivery source. These services are listed as Supported [V2 Permissions] in the table at Enabling logging from Amazon Web Services services.
If you use this operation to update an existing delivery source, all the current delivery source parameters are overwritten with the new parameter values that you specify.
See also: AWS API Documentation
Request Syntax
client.put_delivery_source(
name='string',
resourceArn='string',
logType='string',
tags={
'string': 'string'
},
deliverySourceConfiguration={
'string': 'string'
}
)
string
[REQUIRED]
A name for this delivery source. This name must be unique for all delivery sources in your account.
string
[REQUIRED]
The ARN of the Amazon Web Services resource that is generating and sending logs. For example, arn:aws:workmail:us-east-1:123456789012:organization/m-1234EXAMPLEabcd1234abcd1234abcd1234
For the SECURITY_FINDING_LOGS logType, use a wildcard ARN for the hub resource. For Amazon Web Services Security Hub CSPM, use arn:aws:securityhub:us-east-1:111122223333:hub/* and for Amazon Web Services Security Hub, use arn:aws:securityhub:us-east-1:111122223333:hubv2/*
string
[REQUIRED]
Defines the type of log that the source is sending.
For Amazon Bedrock Agents, the valid values are APPLICATION_LOGS and EVENT_LOGS.
For Amazon Bedrock Knowledge Bases, the valid value is APPLICATION_LOGS.
For Amazon Bedrock AgentCore Runtime, the valid values are APPLICATION_LOGS, USAGE_LOGS and TRACES.
For Amazon Bedrock AgentCore Tools, the valid values are APPLICATION_LOGS, USAGE_LOGS and TRACES.
For Amazon Bedrock AgentCore Identity, the valid values are APPLICATION_LOGS and TRACES.
For Amazon Bedrock AgentCore Memory, the valid values are APPLICATION_LOGS and TRACES.
For Amazon Bedrock AgentCore Gateway, the valid values are APPLICATION_LOGS and TRACES.
For CloudFront, the valid value is ACCESS_LOGS.
For DevOps Agent, the valid value is APPLICATION_LOGS.
For Amazon CodeWhisperer, the valid value is EVENT_LOGS.
For Elemental MediaPackage, the valid values are EGRESS_ACCESS_LOGS and INGRESS_ACCESS_LOGS.
For Elemental MediaTailor, the valid values are AD_DECISION_SERVER_LOGS, MANIFEST_SERVICE_LOGS, and TRANSCODE_LOGS.
For Amazon EKS Auto Mode, the valid values are AUTO_MODE_BLOCK_STORAGE_LOGS, AUTO_MODE_COMPUTE_LOGS, AUTO_MODE_IPAM_LOGS, and AUTO_MODE_LOAD_BALANCING_LOGS.
For Entity Resolution, the valid value is WORKFLOW_LOGS.
For IAM Identity Center, the valid value is ERROR_LOGS.
For Network Firewall Proxy, the valid values are ALERT_LOGS, ALLOW_LOGS, and DENY_LOGS.
For Network Load Balancer, the valid value is NLB_ACCESS_LOGS.
For PCS, the valid values are PCS_SCHEDULER_LOGS, PCS_JOBCOMP_LOGS, and PCS_SCHEDULER_AUDIT_LOGS.
For Quick, the valid values are CHAT_LOGS and FEEDBACK_LOGS.
For Amazon Web Services RTB Fabric, the valid values is APPLICATION_LOGS.
For Amazon Q, the valid values are EVENT_LOGS and SYNC_JOB_LOGS.
For Amazon Web Services Security Hub CSPM, the valid value is SECURITY_FINDING_LOGS.
For Amazon Web Services Security Hub, the valid value is SECURITY_FINDING_LOGS.
For Amazon SES mail manager, the valid values are APPLICATION_LOGS and TRAFFIC_POLICY_DEBUG_LOGS.
For Amazon WorkMail, the valid values are ACCESS_CONTROL_LOGS, AUTHENTICATION_LOGS, WORKMAIL_AVAILABILITY_PROVIDER_LOGS, WORKMAIL_MAILBOX_ACCESS_LOGS, and WORKMAIL_PERSONAL_ACCESS_TOKEN_LOGS.
For Amazon VPC Route Server, the valid value is EVENT_LOGS.
dict
An optional list of key-value pairs to associate with the resource.
For more information about tagging, see Tagging Amazon Web Services resources
(string) --
(string) --
dict
A map of key-value pairs to configure the delivery source. Both keys and values must be between 1 and 255 characters in length. For example, {"samplingRate": "50"}.
(string) --
(string) --
dict
Response Syntax
{
'deliverySource': {
'name': 'string',
'arn': 'string',
'resourceArns': [
'string',
],
'service': 'string',
'logType': 'string',
'tags': {
'string': 'string'
},
'deliverySourceConfiguration': {
'string': 'string'
},
'status': 'ACTIVE'|'INACTIVE',
'statusReason': 'RESOURCE_DELETED'
}
}
Response Structure
(dict) --
deliverySource (dict) --
A structure containing information about the delivery source that was just created or updated.
name (string) --
The unique name of the delivery source.
arn (string) --
The Amazon Resource Name (ARN) that uniquely identifies this delivery source.
resourceArns (list) --
This array contains the ARN of the Amazon Web Services resource that sends logs and is represented by this delivery source. Currently, only one ARN can be in the array.
(string) --
service (string) --
The Amazon Web Services service that is sending logs.
logType (string) --
The type of log that the source is sending. For valid values for this parameter, see the documentation for the source service.
tags (dict) --
The tags that have been assigned to this delivery source.
(string) --
(string) --
deliverySourceConfiguration (dict) --
The map of key-value pairs that configure the delivery source.
(string) --
(string) --
status (string) --
The status of the delivery source. A delivery source can have the status ACTIVE or INACTIVE. Note: This value is defined for selective log types.
statusReason (string) --
The reason for the status of the delivery source. A status reason of RESOURCE_DELETED indicates that the resource associated with the delivery source has been deleted. Note: This value is defined for selective log types.