Runs SQL queries on CloudWatch Logs data exported as Apache Iceberg tables in S3 Tables. Covers VPC Flow Logs, WAF logs, CloudFront access logs, Route 53 resolver logs, Network Firewall logs, EKS audit logs, Verified Access logs, SES logs, VPC Lattice logs, Step Functions logs, NLB access logs, and 20+ other AWS vended data sources. Applies when analyzing network traffic, investigating security incidents, querying exported logs with SQL, enabling S3 Tables integration, configuring log export, correlating logs with other data, or running Athena queries on the aws-cloudwatch table bucket. Trigger phrases: query logs with SQL, analyze logs in Athena, SQL on VPC flow logs, investigate network traffic, run SQL on exported logs, enable S3 Tables for CloudWatch, correlate logs, historical log analysis, set up log querying.
Install:

```bash
npx skill4agent add aws/agent-toolkit-for-aws querying-aws-cloudwatch
```

When to use this skill (all queries run against the `aws-cloudwatch` table bucket):

| User intent | Use this skill? | Alternative |
|---|---|---|
| Run SQL across large volumes of log data | Yes | — |
| Correlate logs with S3 metadata or other tables | Yes — join across catalogs | — |
| Quick log search / pattern matching | No | CloudWatch Logs Insights (faster for ad-hoc) |
| Real-time log streaming/tailing | No | CloudWatch Logs console or live tail |
| Set up alarms on log patterns | No | CloudWatch Metric Filters / Alarms |
| Query historical logs before integration was enabled | No | CloudWatch Logs (no backfill in S3 Tables) |
Supported data sources:

| Data Source | Namespace pattern | Common use case |
|---|---|---|
| VPC Flow Logs | `amazon_vpc__flow` | Network traffic analysis, rejected connections |
| WAF Logs | `aws_waf__logs` | Blocked requests, rule hit analysis |
| CloudFront Access Logs | | CDN traffic patterns, error rates |
| Route 53 Resolver Query Logs | | DNS query analysis |
| Network Firewall Logs | | Firewall rule hits, dropped traffic |
| EKS Audit Logs | | Kubernetes API audit trail |
| Verified Access Logs | | Zero-trust access decisions |
| SES Mail Logs | | Email delivery/bounce tracking |
| VPC Lattice Access Logs | | Service-to-service access patterns |
| Step Functions Logs | | Workflow execution debugging |
| Global Accelerator Flow Logs | | Global network traffic |
| NLB Access Logs | | Load balancer request tracing |
| Shield Logs | | DDoS mitigation events |
| Cognito Logs | | Auth/identity operations |
| ElastiCache Logs | | Redis slow log, engine log |
| SageMaker Logs | | ML training/inference events |
| WorkMail Audit Logs | | Email security/compliance |
| Bedrock Agent Logs | | AI agent invocations |
| Client VPN Logs | | VPN connection tracking |
| Entity Resolution Logs | | Record matching operations |
| MediaPackage Access Logs | | Streaming delivery metrics |
| MediaTailor Logs | | Ad insertion events |
| Transfer Family Logs | | SFTP/FTPS file transfer tracking |
| Site-to-Site VPN Logs | | VPN tunnel diagnostics |
Note: This table lists the 24 most commonly queried data sources. The integration supports 43+ AWS vended data sources in total. Use `list-namespaces` on the `aws-cloudwatch` bucket to discover all available data sources in your account. Namespace patterns follow the convention `aws-cloudwatch.<service>__<type>`.
Discover what already exists in the account:

```bash
# Check if the aws-cloudwatch table bucket exists
aws s3tables list-table-buckets --region <REGION> \
  --query "tableBuckets[?name=='aws-cloudwatch']"

# List namespaces (one per associated data source) in the bucket
aws s3tables list-namespaces \
  --table-bucket-arn arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/aws-cloudwatch \
  --region <REGION>

# List the tables inside a namespace
aws s3tables list-tables \
  --table-bucket-arn arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/aws-cloudwatch \
  --namespace <NAMESPACE> \
  --region <REGION>
```

Create the integration (KMS-encrypted, using a service role that CloudWatch Logs can assume):

```bash
aws observabilityadmin create-s3-table-integration \
  --region <REGION> \
  --encryption '{"SseAlgorithm": "aws:kms", "KmsKeyArn": "<KMS_KEY_ARN>"}' \
  --role-arn <SERVICE_ROLE_ARN>
```

Associate a specific data source with the integration:

```bash
aws logs associate-source-to-s3-table-integration \
  --region <REGION> \
  --integration-arn <INTEGRATION_ARN> \
  --data-source '{"name": "<source-name>", "type": "<source-type>"}'
```

⚠️ Warning: Wildcard association delivers all current and future data sources to S3 Tables. Use specific associations for tighter control over what log data lands in queryable tables.

```bash
aws logs associate-source-to-s3-table-integration \
  --region <REGION> \
  --integration-arn <INTEGRATION_ARN> \
  --data-source '{"name": "*", "type": "*"}'
```

Grant the querying principal Lake Formation permissions on the table through the `s3tablescatalog` catalog:

```bash
aws lakeformation grant-permissions \
  --principal DataLakePrincipalIdentifier=<ROLE_ARN> \
  --resource '{"Table": {"CatalogId": "<ACCOUNT>:s3tablescatalog/aws-cloudwatch", "DatabaseName": "<NAMESPACE>", "Name": "<TABLE>"}}' \
  --permissions DESCRIBE SELECT \
  --region <REGION>
```

In Athena, reference tables as `"s3tablescatalog/aws-cloudwatch"."<namespace>"."<table>"`. Use Glue `get-tables` to see a table's current columns before writing queries:

```bash
aws glue get-tables \
  --catalog-id "<ACCOUNT>:s3tablescatalog/aws-cloudwatch" \
  --database-name "<namespace>" \
  --region <REGION>
```

Example queries. Largest rejected flows in VPC Flow Logs:

```sql
SELECT srcaddr, dstaddr, dstport, protocol, packets, bytes
FROM "s3tablescatalog/aws-cloudwatch"."amazon_vpc__flow"."<table>"
WHERE action = 'REJECT'
ORDER BY bytes DESC
LIMIT 50;
```

Most recent WAF blocks:

```sql
SELECT timestamp, action, terminatingRuleId, httpSourceId
FROM "s3tablescatalog/aws-cloudwatch"."aws_waf__logs"."<table>"
WHERE action = 'BLOCK'
ORDER BY timestamp DESC
LIMIT 50;
```

Cross-catalog join: accepted flows whose source IP also created objects according to the S3 metadata journal table in the `aws-s3` catalog:

```sql
SELECT f.srcaddr, f.dstaddr, f.bytes, j.key, j.record_type
FROM "s3tablescatalog/aws-cloudwatch"."amazon_vpc__flow"."<table>" f
JOIN "s3tablescatalog/aws-s3"."b_<bucket>"."journal" j
  ON f.srcaddr = j.source_ip_address
WHERE j.record_type = 'CREATE'
  AND f.action = 'ACCEPT';
```

Column names are owned by the log type and can change; re-run `get-tables` when a query fails on a column name.

## Troubleshooting

| Error | Cause | Fix |
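An added example that is not part of the skill or the aws/agent-toolkit-for-aws repository, building on the queries above: it ranks sources by rejected-connection fan-out per hour in VPC Flow Logs and left-joins WAF BLOCK counts for the same client IPs, so a defender can see which noisy sources are also hitting the web tier. Assumptions: the flow table exposes the default VPC Flow Logs `start` field (epoch seconds), and the WAF table exposes a `timestamp` in epoch milliseconds plus a struct column `httprequest` with a `clientip` field; confirm both with `get-tables` before running.

```sql
-- Added example (not from the skill): REJECT fan-out per source per hour,
-- correlated with WAF BLOCK volume for the same client IP.
-- Assumed columns: amazon_vpc__flow has srcaddr, dstaddr, dstport, action,
-- bytes, "start" (epoch seconds); aws_waf__logs has action, "timestamp"
-- (epoch millis), terminatingruleid and a struct httprequest.clientip.
WITH reject_fanout AS (
  SELECT
    srcaddr,
    from_unixtime("start" - ("start" % 3600)) AS hour_bucket,
    COUNT(*)                                  AS reject_flows,
    COUNT(DISTINCT dstaddr)                   AS distinct_targets,
    COUNT(DISTINCT dstport)                   AS distinct_ports,
    SUM(bytes)                                AS reject_bytes
  FROM "s3tablescatalog/aws-cloudwatch"."amazon_vpc__flow"."<table>"
  WHERE action = 'REJECT'
    AND "start" >= CAST(to_unixtime(current_timestamp - INTERVAL '24' HOUR) AS BIGINT)
  GROUP BY 1, 2
),
waf_blocks AS (
  SELECT
    httprequest.clientip              AS client_ip,
    COUNT(*)                          AS waf_blocked,
    COUNT(DISTINCT terminatingruleid) AS rules_hit
  FROM "s3tablescatalog/aws-cloudwatch"."aws_waf__logs"."<table>"
  WHERE action = 'BLOCK'
    AND "timestamp" >= CAST(to_unixtime(current_timestamp - INTERVAL '24' HOUR) * 1000 AS BIGINT)
  GROUP BY 1
)
SELECT
  r.hour_bucket,
  r.srcaddr,
  r.reject_flows,
  r.distinct_targets,
  r.distinct_ports,
  r.reject_bytes,
  COALESCE(w.waf_blocked, 0) AS waf_blocked,
  COALESCE(w.rules_hit, 0)   AS rules_hit
FROM reject_fanout r
LEFT JOIN waf_blocks w
  ON r.srcaddr = w.client_ip
-- Thresholds are tuning knobs: start high and lower them once the baseline is known.
WHERE r.distinct_ports >= 20 OR r.distinct_targets >= 20
ORDER BY r.distinct_ports DESC, r.reject_flows DESC
LIMIT 100;
```

Because S3 Tables holds no backfill, the 24-hour window only returns rows for traffic generated after the data sources were associated.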
|---|---|---|
| | Integration not created | Run `create-s3-table-integration` |
| Bucket exists but no namespaces | No data sources associated, or no log traffic since association | Associate sources; generate traffic |
| | S3 Tables not registered in Glue | Enable integration: S3 console > Table buckets > Enable integration |
| | Missing Lake Formation grants or IAM permissions | See Security Considerations below |
| Empty results | Logs only flow after association; no backfill | Confirm association exists and log source is actively generating data |
| Schema mismatch / column not found | Log type schema updated by AWS | Run `get-tables` to see the current schema |
## Security Considerations

The service role's trust policy must allow `logs.amazonaws.com` to assume it, scoped with `aws:SourceAccount` and `aws:SourceArn` so only log groups in your account can use the role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<ACCOUNT>"
        },
        "ArnLike": {
          "aws:SourceArn": ["arn:aws:logs:<REGION>:<ACCOUNT>:log-group:<LOG_GROUP_NAME>"]
        }
      }
    }
  ]
}
```

A permissions policy granting `logs:integrateWithS3Table` on the log groups to be delivered, restricted to the same account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:integrateWithS3Table"],
      "Resource": ["arn:aws:logs:<REGION>:<ACCOUNT>:log-group:<LOG_GROUP_NAME>"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceAccount": "<ACCOUNT>"
        }
      }
    }
  ]
}
```

The KMS key policy must let the CloudWatch system-tables service write encrypted data and let the S3 Tables maintenance service read and rewrite it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableSystemTablesKeyUsage",
      "Effect": "Allow",
      "Principal": {"Service": "systemtables.cloudwatch.amazonaws.com"},
      "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": "arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY_ID>",
      "Condition": {"StringEquals": {"aws:SourceAccount": "<ACCOUNT>"}}
    },
    {
      "Sid": "EnableS3TablesMaintenanceKeyUsage",
      "Effect": "Allow",
      "Principal": {"Service": "maintenance.s3tables.amazonaws.com"},
      "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": "arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY_ID>",
      "Condition": {"StringLike": {"kms:EncryptionContext:aws:s3:arn": "<TABLE_OR_TABLE_BUCKET_ARN>/*"}}
    }
  ]
}
```

Other identifiers this skill references: `srcaddr` and `source_ip_address` (the join keys in the cross-catalog query), `httpRequest` (WAF log field), `*/*` (wildcard), `StartQueryExecution` and `GetQueryResults` (Athena API), `GrantPermissions` and `RevokePermissions` (Lake Formation API).