AWS S3

Amazon S3 (Simple Storage Service) is a secure and scalable object storage service from AWS. This integration allows you to forward your deployment and audit logs from env0 directly to an S3 bucket for long-term storage, analysis, or compliance purposes.

Prerequisites

Before you begin, make sure you have:

1. Enabled OIDC in your env0 organization.
2. Configured an Identity provider as explained in Set up an AWS OIDC authentication Guide.

Setup

To allow env0 to send logs to CloudWatch, you need an IAM policy with the necessary permissions. This policy will be attached to an IAM Role you use for OIDC authentication.
The policy allows env0 to create and write to two log groups: env0-deployments and env0-audits.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>"
        }
    ]
}

📘

Log Directory Structure

Logs will be stored in your bucket with the following directory structure and file name format:

<bucketPath>/<logType>/<year>/<month>/<day>/<HH:mm:ss>_<5_random_chars>.log

<bucketPath>: Your custom path ( Optional ).

<logType>: Will be either env0-deployments or env0-auditsaccordingly.

Self Configuration of CloudWatch Transporter

In the env0 platform you will need to configure the following environment variables in any scope to forward the deployment logs. These are the relevant environment variables: