
# Amazon S3 Logs

> Forward env zero deployment and audit logs to Amazon S3 using OIDC authentication and an IAM policy that grants PutObject access to the target bucket.

[Amazon S3 (Simple Storage Service)](https://aws.amazon.com/s3/) is a secure and scalable object storage service from AWS. This integration allows you to forward your deployment and audit logs from env zero directly to an S3 bucket for long-term storage, analysis, or compliance purposes.

## Prerequisites

Before you begin, make sure you have:

1. [Enabled OIDC](/guides/integrations/oidc-integrations/#enabling-oidc-token-availability) in your env zero organization.
2. Configured an identity provider as explained in the [AWS OIDC authentication guide](/guides/integrations/oidc-integrations/oidc-with-aws).

## Setup

To allow env zero to send logs to S3, you need an IAM policy with the necessary permissions. This policy will be [attached to the IAM Role](/guides/integrations/oidc-integrations/oidc-with-aws/#assign-an-iam-role) you use for OIDC authentication.\
The policy allows env zero to create and write log objects in your S3 bucket (`s3:PutObject`) and to read the bucket's location (`s3:GetBucketLocation`).

```json Log Transporter Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>"
        }
    ]
}
```

<Info>
  **Log Directory Structure**

  Logs will be stored in your bucket with the following directory structure and file name format:

  `<bucketPath>/<logType>/<year>/<month>/<day>/<HH:mm:ss>_<5_random_chars>.log`

  * `<bucketPath>`: Your custom path (optional)
  * `<logType>`: Either `env0-deployments` or `env0-audits`, depending on the log type
</Info>
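Because `s3:PutObject` on `<YOUR_BUCKET_NAME>/*` lets the role write any key, it is worth checking that the objects in the bucket follow the layout above. The following is an added example, not env zero code: it parses keys into their parts and sets aside any key that does not match. The function names, the sample keys, and the details the page leaves open (digit widths, the characters allowed in the random suffix, the time zone) are assumptions.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

LOG_TYPES = ("env0-deployments", "env0-audits")  # <logType> values from the page

# Layout: <bucketPath>/<logType>/<year>/<month>/<day>/<HH:mm:ss>_<5_random_chars>.log
# Assumed: 4-digit year, 1-2 digit month/day, suffix is any 5 characters except "/".
KEY_RE = re.compile(
    r"(?:(?P<path>.+)/)?(?P<type>" + "|".join(LOG_TYPES) + r")/"
    r"(?P<y>\d{4})/(?P<m>\d{1,2})/(?P<d>\d{1,2})/"
    r"(?P<H>\d{2}):(?P<M>\d{2}):(?P<S>\d{2})_(?P<rand>[^/]{5})\.log"
)

class LogKey(NamedTuple):
    bucket_path: str       # "" when no custom path is configured
    log_type: str
    written_at: datetime   # naive: the page does not state a time zone
    suffix: str

def parse_log_key(key: str) -> Optional[LogKey]:
    """Return the parsed key, or None if it does not follow the documented layout."""
    m = KEY_RE.fullmatch(key)
    if not m:
        return None
    try:
        ts = datetime(*(int(m[g]) for g in ("y", "m", "d", "H", "M", "S")))
    except ValueError:     # impossible date or time, e.g. day 30 in February
        return None
    return LogKey(m["path"] or "", m["type"], ts, m["rand"])

def triage(keys, expected_path=""):
    """Split keys into parsed log objects and keys that need a closer look."""
    ok, unexpected = [], []
    for key in keys:
        parsed = parse_log_key(key)
        if parsed and parsed.bucket_path == expected_path:
            ok.append(parsed)
        else:
            unexpected.append(key)
    return ok, unexpected

# Constructed sample keys (not real data).
SAMPLE_KEYS = [
    "env0-deployments/2024/03/07/14:05:09_a1b2c.log",
    "env0-audits/2024/03/07/23:59:59_Zk9qP.log",
    "env0-audits/2024/02/30/10:00:00_abcde.log",             # impossible date
    "tmp/upload.bin",                                        # not a log key
    "other-team/env0-audits/2024/03/07/10:00:00_abcde.log",  # unexpected prefix
]
```

Feed `triage` the keys from a bucket listing, passing the configured bucket path as `expected_path`; anything in the second returned list was not written in the documented layout.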

## Self Configuration of S3 Transporter

There are two ways to configure the integration:

1. ### In the env zero app

On the organization's integrations page, click Amazon S3 and fill in the form's fields:

<Frame>
  <img src="https://mintcdn.com/envzero-b61043c8/f50k_bxcw7fbjToJ/images/guides/integrations/logs-forwarding/1c0ce545efb1cbde0bbf03d384ea352f50630f7df6c3be1b7601e6ff447a8fbc-image.png?fit=max&auto=format&n=f50k_bxcw7fbjToJ&q=85&s=019f9bf221856af117cf31f648628a19" alt="Log forwarding integration configuration form showing setup fields" width="1120" height="1612" data-path="images/guides/integrations/logs-forwarding/1c0ce545efb1cbde0bbf03d384ea352f50630f7df6c3be1b7601e6ff447a8fbc-image.png" />
</Frame>

2. ### Using environment variables

   To forward the **deployment logs**, configure the following environment variables in [any scope](/guides/admin-guide/variables/#variables-and-scopes-in-env0) in the env zero platform:

   | Environment variable name      | Description                                                                       | Mandatory |
   | :----------------------------- | :-------------------------------------------------------------------------------- | :-------- |
   | `ENV0_S3_LOG_ROLE_ARN`         | The ARN of the IAM role associated with your OIDC provider.                       | Yes       |
   | `ENV0_S3_LOG_BUCKET_NAME`      | The name of the S3 bucket where logs will be stored.                              | Yes       |
   | `ENV0_S3_LOG_AWS_REGION`       | The AWS region where your S3 bucket is located.                                   | Yes       |
   | `ENV0_S3_LOG_BUCKET_PATH`      | An optional path (prefix) within the bucket to store the logs.                    | No        |
   | `ENV0_S3_LOG_SESSION_DURATION` | The OIDC token session duration in seconds. Defaults to 3600 (1 hour) if not set. | No        |

env zero sets a default bucket path according to the log type:

1. ### Audit Logs:
   * `bucket path` - `env0-audits`
2. ### Deployment Logs:
   * `bucket path` - `env0-deployments`

## Next steps

* [Logs Forwarding Overview](/guides/integrations/logs-forwarding) - See all supported log forwarding destinations.
* [Amazon CloudWatch](/guides/integrations/logs-forwarding/cloudwatch) - Alternative: forward logs to CloudWatch log groups.
* [Splunk Logs](/guides/integrations/logs-forwarding/splunk) - Alternative: forward logs to Splunk.
