AWS CloudWatch is AWS's service for monitoring and observing your applications and resources. This integration allows you to forward your deployment and audit logs from env zero directly to CloudWatch log groups.

Prerequisites

Before you begin, make sure you have:
  1. Enabled OIDC in your env zero organization.
  2. Configured an Identity provider as explained in Set up an AWS OIDC authentication Guide.

Setup

To allow env zero to send logs to CloudWatch, you need an IAM policy with the necessary permissions. This policy will be attached to an IAM Role you use for OIDC authentication.
The policy allows env zero to create and write to two log groups: env0-deployments and env0-audits.
Log Transporter Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-deployments",
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-deployments:*",
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-audits",
        "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:env0-audits:*"
      ]
    }
  ]
}
Optional: Using a Log Group Prefix

If you manage multiple env zero organizations that log to the same AWS account, you can use a prefix to keep the logs separate. For example, a prefix like prod/ would create log groups named prod/env0-deployments and prod/env0-audits.

To use a prefix, modify the Resource ARNs in the policy. For a prefix of prod/, your resource list would look like this:
"Resource": [
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-deployments",
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-deployments:*",
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-audits",
  "arn:aws:logs:<AWS_REGION>:<AWS_ACCOUNT_ID>:log-group:prod/env0-audits:*"
]
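The policy above grants only five logs: actions on four specific log-group ARNs, and the prefix variant changes only the log-group names. The following Python script is an added example, not code from env zero's documentation or product: it renders the policy document for a given region, account ID and prefix (standing in for the <AWS_REGION> and <AWS_ACCOUNT_ID> placeholders), and checks an arbitrary policy for anything broader than what the log transporter needs, which is how a reviewer would catch a policy that was "simplified" to logs:* or Resource: "*". The sample region and account number are constructed values.

```python
import json
import re

# The two log groups env0 writes to (from the page); a prefix, when used,
# is prepended verbatim, e.g. "prod/" -> "prod/env0-deployments".
LOG_GROUPS = ("env0-deployments", "env0-audits")

# The actions listed in the page's Log Transporter Policy, and nothing more.
REQUIRED_ACTIONS = (
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
    "logs:PutLogEvents",
)

# Matches a log-group ARN and captures region, account and group name;
# the optional ":*" suffix is the ARN form that covers the group's streams.
LOG_GROUP_ARN_RE = re.compile(
    r"^arn:aws:logs:([a-z0-9-]+):(\d{12}):log-group:(.+?)(:\*)?$"
)


def log_group_arns(region, account_id, prefix=""):
    """Return the (group, group:*) ARN pair for each env0 log group."""
    arns = []
    for name in LOG_GROUPS:
        base = f"arn:aws:logs:{region}:{account_id}:log-group:{prefix}{name}"
        arns.append(base)
        arns.append(base + ":*")
    return arns


def build_policy(region, account_id, prefix=""):
    """Render the page's policy document with the placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": list(REQUIRED_ACTIONS),
                "Resource": log_group_arns(region, account_id, prefix),
            }
        ],
    }


def policy_findings(policy, prefix=""):
    """List every way an Allow statement exceeds what the transporter needs."""
    findings = []
    allowed_groups = {prefix + name for name in LOG_GROUPS}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if "*" in action or not action.startswith("logs:"):
                findings.append(f"over-broad action: {action}")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"action the transporter does not need: {action}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            match = LOG_GROUP_ARN_RE.match(res)
            if not match:
                findings.append(f"resource is not a scoped log-group ARN: {res}")
            elif match.group(3) not in allowed_groups:
                findings.append(f"resource is outside the env0 log groups: {res}")
    return findings


if __name__ == "__main__":
    # Constructed sample values standing in for <AWS_REGION> and <AWS_ACCOUNT_ID>.
    policy = build_policy("us-east-1", "123456789012", prefix="prod/")
    print(json.dumps(policy, indent=2))
    print("findings:", policy_findings(policy, prefix="prod/"))
```

Run it with a prefix to get the prefixed Resource list shown above; run policy_findings against the policy you actually attached to the OIDC role, passing the same prefix you will configure on the env zero side, and an empty list means the policy is scoped exactly as the page describes.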

Self Configuration of CloudWatch Transporter

There are two ways to configure the integration:

  1. In the env zero app

     In the organization's integrations page, click on CloudWatch and fill in the form's fields:

     [Figure: Log forwarding integration configuration form showing setup fields]

  2. Using environment variables

     In the env zero platform you will need to configure the following environment variables in any scope to forward the deployment logs. These are the relevant environment variables:

     | Environment variable name             | Description                                                                               | Mandatory |
     |---------------------------------------|-------------------------------------------------------------------------------------------|-----------|
     | ENV0_CLOUDWATCH_ROLE_ARN              | The ARN of the IAM role associated with your OIDC provider                                | Yes       |
     | ENV0_CLOUDWATCH_AWS_REGION            | The AWS region where your log groups will reside                                          | Yes       |
     | ENV0_CLOUDWATCH_SESSION_DURATION      | The OIDC token session duration in seconds. Defaults to 3600 (1 hour) if not set.         | No        |
     | ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX | An optional prefix for your log group names. Must match the prefix used in your IAM policy | No        |
env zero sets the log group name according to the log type:
  1. Audit Logs: logGroupName - env0-audits
  2. Deployment Logs: logGroupName - env0-deployments
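The environment-variable route has two failure modes the table only hints at: a session duration outside what STS will accept, and a ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX that does not match the prefix baked into the IAM policy, in which case writes to prod/env0-audits are denied by a policy that only names env0-audits. The Python script below is an added example, not env zero's code: it validates a set of ENV0_CLOUDWATCH_* variables, derives the per-log-type group names the way the page describes, and reports which of those groups a policy's Resource list fails to cover. The role ARN, region and account number are constructed sample values; the 900 to 43200 second range is the STS AssumeRoleWithWebIdentity limit, and the role's own MaxSessionDuration (default 3600) may cap it lower.

```python
import re

# Log group per log type, as documented on the page; the optional prefix is
# prepended verbatim.
LOG_GROUP_BY_TYPE = {"audit": "env0-audits", "deployment": "env0-deployments"}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")  # e.g. us-east-1, eu-central-1

# STS AssumeRoleWithWebIdentity accepts 900..43200 seconds; the role's own
# MaxSessionDuration (default 3600) can cap it lower.
MIN_SESSION, MAX_SESSION, DEFAULT_SESSION = 900, 43200, 3600


def log_group_name(log_type, prefix=""):
    """Name of the CloudWatch log group env0 will write a given log type to."""
    return prefix + LOG_GROUP_BY_TYPE[log_type]


def validate_config(env):
    """Check a dict of ENV0_CLOUDWATCH_* variables; return (settings, errors)."""
    errors = []

    role_arn = env.get("ENV0_CLOUDWATCH_ROLE_ARN", "")
    role_match = ROLE_ARN_RE.match(role_arn)
    if not role_arn:
        errors.append("ENV0_CLOUDWATCH_ROLE_ARN is mandatory")
    elif not role_match:
        errors.append("ENV0_CLOUDWATCH_ROLE_ARN is not an IAM role ARN")

    region = env.get("ENV0_CLOUDWATCH_AWS_REGION", "")
    if not region:
        errors.append("ENV0_CLOUDWATCH_AWS_REGION is mandatory")
    elif not REGION_RE.match(region):
        errors.append(f"ENV0_CLOUDWATCH_AWS_REGION {region!r} is not a region code")

    raw = env.get("ENV0_CLOUDWATCH_SESSION_DURATION", str(DEFAULT_SESSION))
    try:
        duration = int(raw)
    except ValueError:
        duration = None
        errors.append("ENV0_CLOUDWATCH_SESSION_DURATION must be an integer number of seconds")
    if duration is not None and not MIN_SESSION <= duration <= MAX_SESSION:
        errors.append(f"ENV0_CLOUDWATCH_SESSION_DURATION must be {MIN_SESSION}..{MAX_SESSION}")

    prefix = env.get("ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX", "")

    settings = {
        "role_arn": role_arn,
        # The page's policy puts the log groups in the same account as the role.
        "account_id": role_match.group(1) if role_match else "",
        "region": region,
        "session_duration": duration,
        "prefix": prefix,
        "log_groups": {t: log_group_name(t, prefix) for t in LOG_GROUP_BY_TYPE},
    }
    return settings, errors


def uncovered_log_groups(settings, policy_resources):
    """Log groups that the policy's Resource list does not fully cover.

    Both the group ARN and its ':*' form must be present: PutLogEvents
    targets log streams, which only the ':*' ARN covers.
    """
    base = f"arn:aws:logs:{settings['region']}:{settings['account_id']}:"
    missing = []
    for name in settings["log_groups"].values():
        group_ok = any(r.startswith(base) and r.endswith(f":log-group:{name}")
                       for r in policy_resources)
        streams_ok = any(r.startswith(base) and r.endswith(f":log-group:{name}:*")
                         for r in policy_resources)
        if not (group_ok and streams_ok):
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed sample configuration.
    sample = {
        "ENV0_CLOUDWATCH_ROLE_ARN": "arn:aws:iam::123456789012:role/env0-log-transporter",
        "ENV0_CLOUDWATCH_AWS_REGION": "us-east-1",
        "ENV0_CLOUDWATCH_LOG_GROUP_NAME_PREFIX": "prod/",
    }
    settings, errors = validate_config(sample)
    print(settings["log_groups"], errors)
```

Feed uncovered_log_groups the Resource list from the policy attached to the OIDC role; a non-empty result before the first deployment is far cheaper to find than an AccessDenied buried in the transporter's own failure, which CloudWatch never receives.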