Ship Cloud logs to Amazon S3

Itential provides log shipping to deliver your application logs directly to your Amazon S3 bucket. This service automatically replicates logs from Itential’s secure infrastructure to your designated storage location, giving you direct access to your logs for analysis, monitoring, and compliance.

How it works

Log shipping uses AWS S3 cross-account replication to securely transfer logs from Itential’s source bucket to your destination bucket. This provides:

Security — Logs are encrypted in transit and at rest.
Reliability — Automatic replication with AWS’s built-in durability.
Performance — Direct S3-to-S3 transfer without intermediate processing.
Cost efficiency — No additional compute resources required.

Available log types

Web server logs

HTTP access logs from your Itential application
Request/response data and performance metrics
Available for all environments (dev, staging, production)

Prerequisites

To set up log shipping, you need:

An AWS account and destination S3 bucket
An AWS Key Management Service (KMS) customer-managed key (if you use encryption)
Permissions to configure IAM policies and KMS permissions
Permissions to configure S3 bucket policies to allow Itential to send logs to your bucket You don’t need to create or configure any IAM roles. Setup only requires updating resource policies on your S3 bucket and KMS key to trust Itential’s replication role.

Set up log shipping

Contact your Customer Success Manager

Initial setup requires coordination with the Itential team. Contact your Customer Success Manager (CSM) to begin. If you don’t know who to contact, email customersuccess@itential.com or open an Itential Support Desk ticket.

Send your S3 details to Itential

Provide the following information to your CSM:

Destination bucket region — For example, us-east-1
Destination bucket account ID — Your AWS account ID
Destination bucket name — Your S3 bucket name
Destination bucket KMS key — Optional, only if using AWS KMS encryption

Itential will provide you with:

ITENTIAL_ACCOUNT_ID — Itential’s AWS account ID
ITENTIAL_ROLE_ID — Itential’s replication service role name

Enable versioning on your destination bucket

Versioning must be enabled on your S3 bucket for replication to work.

Replication will not function without versioning enabled on the destination bucket.

$ aws s3api put-bucket-versioning \
>   --bucket YOUR_BUCKET_NAME \
>   --versioning-configuration Status=Enabled

Configure the S3 bucket policy

This policy grants Itential’s replication service permission to write logs to your bucket and manage versioning settings. Apply the following policy to your destination S3 bucket, replacing placeholder values with those provided by Itential:

1 {
2     "Version": "2012-10-17",
3     "Id": "ItentialLogReplicationPolicy",
4     "Statement": [
5         {
6             "Sid": "AllowItentialReplication",
7             "Effect": "Allow",
8             "Principal": {
9                 "AWS": "arn:aws:iam::ITENTIAL_ACCOUNT_ID:role/service-role/ITENTIAL_ROLE_ID"
10             },
11             "Action": [
12                 "s3:ReplicateObject",
13                 "s3:ObjectOwnerOverrideToBucketOwner"
14             ],
15             "Resource": "arn:aws:s3:::CUSTOMER_BUCKET_NAME/*"
16         },
17         {
18             "Sid": "AllowBucketOperations",
19             "Effect": "Allow",
20             "Principal": {
21                 "AWS": "arn:aws:iam::ITENTIAL_ACCOUNT_ID:role/service-role/ITENTIAL_ROLE_ID"
22             },
23             "Action": [
24                 "s3:GetBucketVersioning",
25                 "s3:PutBucketVersioning"
26             ],
27             "Resource": "arn:aws:s3:::CUSTOMER_BUCKET_NAME"
28         }
29     ]
30 }

Configure the KMS key policy (if using encryption)

If your destination bucket uses KMS encryption, add the following statement to your KMS key policy. Replace the placeholder values with those provided by Itential:

1 {
2   "Sid": "Allow use of the key for Itential replication",
3   "Effect": "Allow",
4   "Principal": {
5     "AWS": "arn:aws:iam::ITENTIAL_ACCOUNT_ID:role/service-role/ITENTIAL_ROLE_ID"
6   },
7   "Action": [
8     "kms:Encrypt",
9     "kms:GenerateDataKey"
10   ],
11   "Resource": "*"
12 }

Log file structure

Once replication is active, logs are organized in your bucket as follows:

YOUR_BUCKET_NAME/
└── iap-webserver-logs/
    ├── your-environment-dev/
    │   └── YYYY/MM/DD/
    ├── your-environment-stg/
    │   └── YYYY/MM/DD/
    └── your-environment-prod/
        └── YYYY/MM/DD/

Verify replication

Check that logs are being delivered using the AWS CLI:

$ # List recent log files
$ aws s3 ls s3://YOUR_BUCKET_NAME/iap-webserver-logs/ --recursive --human-readable
$  
$ # Download a sample log file
$ aws s3 cp s3://YOUR_BUCKET_NAME/iap-webserver-logs/path/to/logfile.log ./sample.log

New logs are typically replicated within minutes of generation.

Data retention

Itential storage — Logs are retained in Itential’s infrastructure according to your service agreement and contractual data retention policies.
Your storage — You control retention policies for logs delivered to your bucket. Configure S3 lifecycle policies based on your requirements.

Security

All log data is encrypted in transit using AWS’s secure replication mechanisms.
Access to your destination bucket remains under your complete control.
Itential’s replication role has write-only access to your designated bucket.
No Itential personnel have access to your destination bucket or its contents.

Troubleshoot

Replication isn’t working

Verify that bucket versioning is enabled, check that policy syntax and account IDs are correct, and confirm the KMS key policy includes Itential’s replication role.

Access denied errors

Verify your AWS account ID matches the configuration provided to Itential, and that the bucket policy principal matches Itential’s role ARN exactly.

Missing logs

Log shipping can take up to 24 hours after initial setup to begin delivering logs. Verify your bucket region matches the configuration you provided to Itential.

Get support

Technical issues or general questions — Submit a ticket through the Itential Service Desk.
AWS-specific questions — Consult AWS documentation or your internal AWS support team.