# Moving Amazon CloudWatch Logs to Amazon Simple Storage Service (S3)

Moving your Amazon CloudWatch logs to Amazon Simple Storage Service (S3) could reduce storage costs. Follow these directions to transfer and delete your CloudWatch logs.

## Prerequisites

- S3 bucket in the same Region as your log group
- IAM role with S3 bucket write permissions

## Process

### Step 1: Setting up the S3 bucket

1. Sign in to the [Amazon S3 console](https://console.aws.amazon.com/s3/).
1. If necessary, change the Region to match the Region where your CloudWatch logs are stored.
1. Choose **Create bucket**.
1. Enter a name for **Bucket Name**.
1. Select the Region where your CloudWatch logs are stored.
1. Choose **Create**.

   ![Create Amazon S3 bucket](/imgs/createbucket.jpg)

### Step 2: Setting up permissions in the S3 bucket

1. Choose the newly created S3 bucket to view its permissions.
1. On the permissions tab, find the **Bucket Policy Editor**.
1. In the **Bucket Policy Editor**, add the following policy.
   1. Change `my-exported-logs` to the name of your S3 bucket.
   1. Specify the Region endpoint for `Principal` by replacing `Region` with your Region.
   1. Enter your `AccountId`.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": "s3:GetBucketAcl",
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::my-exported-logs",
         "Principal": { "Service": "logs.Region.amazonaws.com" },
         "Condition": {
           "StringEquals": {
             "aws:SourceAccount": [ "AccountId" ]
           },
           "ArnLike": {
             "aws:SourceArn": [ "arn:aws:logs:Region:AccountId:log-group:*" ]
           }
         }
       },
       {
         "Action": "s3:PutObject",
         "Effect": "Allow",
         "Resource": "arn:aws:s3:::my-exported-logs/*",
         "Principal": { "Service": "logs.Region.amazonaws.com" },
         "Condition": {
           "StringEquals": {
             "s3:x-amz-acl": "bucket-owner-full-control",
             "aws:SourceAccount": [ "AccountId" ]
           },
           "ArnLike": {
             "aws:SourceArn": [ "arn:aws:logs:Region:AccountId:log-group:*" ]
           }
         }
       }
     ]
   }
   ```

1. Save your changes.

### Step 3: Exporting CloudWatch logs to the S3 bucket

1. Open the AWS Management Console and go to the CloudWatch service.
1. From the navigation, choose **Log groups**.

   ![Choose Log groups](/imgs/chooseloggroups.jpg)

1. Select the log group where the logs you want to export are stored. If you want to export multiple log groups, you can repeat these steps.
1. Select the CloudWatch log generated by your application.
1. Select the **Actions** menu and choose **Export data to S3**.

   ![Select Log group](/imgs/selectloggroup.jpg)

1. Choose a date range for the exported logs and note the time range used.
1. Choose the S3 bucket to which you want to export the logs. You should see a **Successfully created export task** notification.

   ![Successfully created export task](/imgs/successfullycreatedexporttask.jpg)

1. *(Optional)* Monitor the progress in the **Export tasks** tab.

   ![Monitor export tasks](/imgs/monitorexporttasks.jpg)

1. Once the export task completes, verify the exported logs in the specified S3 bucket. Repeat the process for each additional log group.

   ![Verify exported logs in S3 bucket](/imgs/verifyexportins3bucket.jpg)

If your export fails, go to the export status page and check the error status message.

### Step 4: Deleting CloudWatch logs after export

1. From the AWS Console, open AWS CLI in the same Region as your logs. It should open a terminal inside your console.

   ![AWS CLI terminal](/imgs/awscliterminal.jpg)

1. Run the following command to delete the exported logs from the specified log group.
   1. Replace the timestamps with the time range previously noted. Use an online epoch converter to convert your time range into epoch time. For example, [EpochConverter](https://www.epochconverter.com).
   1. Change the `log-group-name` to your log group name.

   > **Warning**
   > Use caution when deleting data. Data deletion is permanent.

   ```
   # Set both --log-group-name values to your log group.
   # Run `aws logs help` first to confirm that your AWS CLI provides the delete subcommand used here.
   aws logs filter-log-events \
     --log-group-name /aws/api-gateway/fhir-service-dev \
     --start-time 1640995200000 \
     --end-time 1643462400000 \
     --query 'events[*].eventId' \
     --output text | \
     xargs -I {} aws logs delete-log-events \
     --log-group-name CloudwatchAccessLogGroup-dev-Arn \
     --log-event-id {}
   ```

   No response from the terminal means the deletion was successful.

   ![AWS CloudShell](/imgs/awscloudshell.jpg)

   If you receive an error, the deletion was unsuccessful. Check that all steps were completed properly. If you are unable to resolve the error, visit the [AWS Knowledge Center](https://repost.aws/knowledge-center).

1. Verify the logs were deleted by going to the log group and searching for logs in the specified time range.

   ![Search logs by time range](/imgs/searchlogsbytimerange.jpg)

   If the search returns no logs, then the logs were successfully deleted.

:tada: Congratulations! You've moved your CloudWatch logs to an S3 bucket.
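
The Step 2 bucket policy only works, and only stays scoped to your account, once every placeholder is replaced and the `s3:PutObject` resource covers the objects in the bucket. The following Python check is an added example, not part of the original guide: it lints a policy before you save it. The bucket name, account ID, Region and all function names are constructed for illustration.

```python
import json

BUCKET, ACCOUNT, REGION = "example-exported-logs", "111122223333", "us-east-1"  # constructed

def as_list(value):  # a policy value may be one string or a list of strings
    return value if isinstance(value, list) else [value]

def check_export_policy(policy_text, bucket, account_id, region):
    """Return a list of problems in a CloudWatch Logs export bucket policy."""
    expected = {"s3:GetBucketAcl": f"arn:aws:s3:::{bucket}",
                "s3:PutObject": f"arn:aws:s3:::{bucket}/*"}
    prefix = f"arn:aws:logs:{region}:{account_id}:"
    problems, seen = [], set()
    for stmt in json.loads(policy_text).get("Statement", []):
        action = stmt.get("Action")
        if not isinstance(action, str) or action not in expected:
            problems.append(f"unexpected action: {action}")
            continue
        seen.add(action)
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        arns = as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        if stmt.get("Resource") != expected[action]:
            problems.append(f"{action}: resource should be {expected[action]}")
        if stmt.get("Principal") != {"Service": f"logs.{region}.amazonaws.com"}:
            problems.append(f"{action}: principal must be logs.{region}.amazonaws.com")
        # Confused-deputy guards: only this account's log groups may use the grant.
        if as_list(equals.get("aws:SourceAccount", [])) != [account_id]:
            problems.append(f"{action}: aws:SourceAccount must be {account_id}")
        if not arns or not all(a.startswith(prefix) for a in arns):
            problems.append(f"{action}: aws:SourceArn must start with {prefix}")
        if action == "s3:PutObject" and equals.get("s3:x-amz-acl") != "bucket-owner-full-control":
            problems.append(f"{action}: s3:x-amz-acl condition is missing")
    return problems + [f"missing statement for {a}" for a in expected if a not in seen]

def sample_policy(put_resource, put_account):  # Step 2 policy with two variable fields
    def stmt(action, resource, account, extra):
        equals = {"aws:SourceAccount": [account], **extra}
        like = {"aws:SourceArn": [f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:*"]}
        return {"Action": action, "Effect": "Allow", "Resource": resource,
                "Principal": {"Service": f"logs.{REGION}.amazonaws.com"},
                "Condition": {"StringEquals": equals, "ArnLike": like}}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        stmt("s3:GetBucketAcl", f"arn:aws:s3:::{BUCKET}", ACCOUNT, {}),
        stmt("s3:PutObject", put_resource, put_account,
             {"s3:x-amz-acl": "bucket-owner-full-control"})]})

if __name__ == "__main__":
    bad = sample_policy(f"arn:aws:s3:::{BUCKET}/", "AccountId1")  # two mistakes
    print("\n".join(check_export_policy(bad, BUCKET, ACCOUNT, REGION)))
```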