---
title: Amazon S3 Destination
description: Learn how to configure the Amazon S3 destination.
---

# Amazon S3 Destination

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}
Available for:
{% icon name="icon-logs" /%}
 Logs 
{% callout %}
The Amazon S3 destination is in Preview. Contact your account manager for access.
{% /callout %}

## Overview{% #overview %}

Use the Amazon S3 destination to send logs in JSON or Parquet format to Amazon S3. See [Automatically generated Parquet schema](#automatically-generated-parquet-schema).

You can also route logs to Snowflake using the Amazon S3 destination.

**Note**: If you want to send logs to an S3 bucket, and later be able to [rehydrate](https://docs.datadoghq.com/logs/log_configuration/rehydrating.md) them for analysis and investigation in Datadog, use the [Datadog Archives](https://docs.datadoghq.com/observability_pipelines/destinations/datadog_archives.md) destination.

## Set up an Amazon S3 bucket{% #set-up-an-amazon-s3-bucket %}

### Create an Amazon S3 bucket{% #create-an-amazon-s3-bucket %}

1. Navigate to [Amazon S3 buckets](https://s3.console.aws.amazon.com/s3/home).
1. Click **Create bucket**.
1. Enter a descriptive name for your bucket.
1. Do not make your bucket publicly readable.
1. Optionally, add tags.
1. Click **Create bucket**.

### Set up an IAM policy that allows Workers to write to the S3 bucket{% #set-up-an-iam-policy-that-allows-workers-to-write-to-the-s3-bucket %}

1. Navigate to the [IAM console](https://console.aws.amazon.com/iam/).
1. Select **Policies** in the left side menu.
1. Click **Create policy**.
1. Click **JSON** in the **Specify permissions** section.
1. Copy the policy below and paste it into the **Policy editor**. Replace `<MY_BUCKET_NAME_1>/<MY_OPTIONAL_BUCKET_PATH_1>` with the information for the S3 bucket you created in the previous section.
   ```json
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "DatadogOPUpload",
               "Effect": "Allow",
               "Action": [
                   "s3:PutObject"
               ],
               "Resource": "arn:aws:s3:::<MY_BUCKET_NAME_1>/<MY_OPTIONAL_BUCKET_PATH_1>/*"
           }
       ]
   }
   ```
1. Click **Next**.
1. Enter a descriptive policy name.
1. Optionally, add tags.
1. Click **Create policy**.
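
The policy above grants only `s3:PutObject` on one bucket path. The following check is an added example, not part of the Datadog documentation; it reports any statement that grants more than that, and the bucket name `example-op-logs` and path `app-logs` are constructed placeholders.

```python
def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [] if value is None else [value]

def lint_upload_policy(policy, bucket, prefix=""):
    """Return findings for grants broader than s3:PutObject under bucket/prefix/."""
    base = f"arn:aws:s3:::{bucket}/" + (prefix.strip("/") + "/" if prefix else "")
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"{sid}: {key} allows everything except what it lists")
        for action in _as_list(stmt.get("Action")):
            # Action names are case-insensitive; wildcards such as s3:* fail this test too.
            if action.lower() != "s3:putobject":
                findings.append(f"{sid}: action {action} is not needed by the Worker")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(base):
                findings.append(f"{sid}: resource {resource} is not under {base}")
    return findings

# Constructed sample: the page's policy with placeholder bucket and path filled in.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DatadogOPUpload",
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::example-op-logs/app-logs/*",
    }],
}

# Constructed sample: a policy that has drifted wider than the page's.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "TooBroad",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:*"],
        "Resource": ["arn:aws:s3:::example-op-logs/*", "*"],
    },
}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("drifted", DRIFTED_POLICY)):
        print(name, lint_upload_policy(doc, "example-op-logs", "app-logs") or "ok")
```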

{% tab title="Docker" %}
#### Create an IAM user or role{% #create-an-iam-user-or-role %}

Create an IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) or [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) and attach the policy to it.
{% /tab %}

{% tab title="Amazon EKS" %}
#### Create a service account{% #create-a-service-account %}

[Create a service account](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html) to use the policy you created above.
{% /tab %}

{% tab title="Linux (APT)" %}
#### Create an IAM user or role{% #create-an-iam-user-or-role %}

Create an IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) or [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) and attach the policy to it.
{% /tab %}

{% tab title="Linux (RPM)" %}
#### Create an IAM user or role{% #create-an-iam-user-or-role %}

Create an IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) or [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) and attach the policy to it.
{% /tab %}

## Set up the destination for your pipeline{% #set-up-the-destination-for-your-pipeline %}

Set up the Amazon S3 destination and its environment variables when you create a pipeline. The information below is configured in the pipelines UI.

1. Enter your S3 bucket name. If you configured Log Archives, it's the name of the bucket you created earlier.
1. Enter the AWS region the S3 bucket is in.
1. (Optional) Enter the key prefix.
   - Prefixes are useful for partitioning objects. For example, you can use a prefix as an object key to store objects under a particular directory. If using a prefix for this purpose, it must end in `/` to act as a directory path; a trailing `/` is not automatically added.
     - See [template syntax](https://docs.datadoghq.com/observability_pipelines/destinations.md#template-syntax) if you want to route logs to different object keys based on specific fields in your logs.
   - **Notes**:
     - Datadog recommends that you start your prefixes with the directory name and without a leading slash (`/`). For example, `app-logs/` or `service-logs/`.
     - Do **not** use the same S3 prefix as a [Datadog Archives](https://docs.datadoghq.com/observability_pipelines/destinations/datadog_archives.md) destination. The Amazon S3 destination writes files in a different format and having both file types in the same prefix can result in rehydration issues.
1. Select the storage class for your S3 bucket in the **Storage Class** dropdown menu.
1. Select the encoding you want to use in the **Encoding** dropdown menu (**JSON** or **Parquet**).
   - **Note**: For **Parquet**, the schema is generated per batch and can vary. See [Automatically generated Parquet schema](#automatically-generated-parquet-schema).
1. Select a compression algorithm in the **Compression - Algorithm** dropdown menu. If you selected:
   - **Parquet**: Datadog recommends `snappy` or a low-compression level if you choose `zstd`.
   - **JSON**: Datadog recommends `gzip`.

### Optional settings{% #optional-settings %}

#### Batching{% #batching %}

1. Enter a maximum batching size and select the unit (**MB** or **GB**) in the dropdown menu. If not configured, the default is `100` MB.
1. Enter a batching timeout in seconds. If not configured, the default is `900` seconds.

#### AWS authentication{% #aws-authentication %}

Select an AWS authentication option. If you are only using the user or role you created earlier for authentication, do not select **Assume role**. Select **Assume role** only if the user or role you created earlier needs to assume a different role to access the AWS resource. The assumed role's permissions must be explicitly defined.

If you select **Assume role**:

1. Enter the ARN of the IAM role you want to assume.
   - **Note:** The user or role you created earlier must have permission to assume this role so that the Worker can authenticate with AWS.
1. (Optional) Enter the assumed role session name and external ID.
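
With **Assume role**, the role being assumed needs a trust policy that names the Worker's user or role, and an external ID only protects the role if that trust policy requires it. The check below is an added example, not part of the Datadog documentation; it covers the trust policy side only, and the ARNs and external ID are constructed placeholders.

```python
def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal."""
    return value if isinstance(value, list) else [] if value is None else [value]

def check_trust_policy(trust, worker_arn, external_id=None):
    """Return findings for the assumed role's trust policy, seen from the Worker."""
    findings, trusted = [], False
    for stmt in _as_list(trust.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal") or {}
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws:
            findings.append("any AWS principal may assume this role")
        elif worker_arn not in aws:
            continue  # exact ARN match only; account-root principals are not expanded
        trusted = True
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        required = _as_list(condition.get("sts:ExternalId"))
        if external_id is not None and not required:
            findings.append("external ID is configured but the trust policy does not require it")
        elif required and external_id not in required:
            findings.append("trust policy requires an external ID the Worker is not configured to send")
    if not trusted:
        findings.append(f"{worker_arn} is not a trusted principal")
    return findings

# Constructed placeholders: account ID, role name and external ID are not real values.
WORKER = "arn:aws:iam::111122223333:role/op-worker"
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": WORKER},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole",
}]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST), ("open", OPEN_TRUST)):
        print(name, check_trust_policy(doc, WORKER, "example-external-id") or "ok")
```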

#### Buffering{% #buffering %}

Toggle the switch to enable **Buffering Options**. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn't create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing data to disk, ensuring buffered data persists through a Worker restart. See [Destination buffers](https://docs.datadoghq.com/observability_pipelines/scaling_and_performance/buffering_and_backpressure.md#destination-buffers) for more information.

- If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
- To configure a buffer on your destination:
  1. Select the buffer type you want to set (**Memory** or **Disk**).
  1. Enter the buffer size and select the unit.
     1. Maximum memory buffer size is 128 GB.
     1. Maximum disk buffer size is 500 GB.
  1. In the **Behavior on full buffer** dropdown menu, select whether you want to **block** events or **drop new events** when the buffer is full.

### Set secrets{% #set-secrets %}

These are the defaults used for secret identifiers and environment variables.

**Note**: If you enter secret identifiers and then choose to use environment variables, the environment variable is the identifier entered and prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for a password identifier, the environment variable for that password is `DD_OP_PASSWORD_1`.

{% tab title="Secrets Management" %}
There are no secret identifiers to configure.
{% /tab %}

{% tab title="Environment Variables" %}
There are no environment variables to configure.
{% /tab %}

## Route logs to Snowflake using the Amazon S3 destination{% #route-logs-to-snowflake-using-the-amazon-s3-destination %}

You can route logs from Observability Pipelines to Snowflake using the Amazon S3 destination by configuring Snowpipe in Snowflake to automatically ingest those logs. Snowpipe continuously monitors your S3 bucket for new files and automatically ingests them into your Snowflake tables, ensuring near real-time data availability for analytics or further processing. When logs are collected by Observability Pipelines, they are written to an S3 bucket. To set this up:

1. [Set up a pipeline](https://docs.datadoghq.com/observability_pipelines/configuration/set_up_pipelines.md) to use Amazon S3 as the log destination. Use the configuration detailed in [Set up the destination for your pipeline](#set-up-the-destination-for-your-pipeline).
1. Set up Snowpipe in Snowflake. See [Automating Snowpipe for Amazon S3](https://docs.snowflake.com/en/user-guide/data-load-snowpipe-auto-s3) for instructions.

## How the destination works{% #how-the-destination-works %}

### AWS Authentication{% #aws-authentication-1 %}

The Observability Pipelines Worker uses the standard AWS credential provider chain for authentication. See [AWS SDKs and Tools standardized credential providers](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html) for more information.

#### Permissions{% #permissions %}

The Observability Pipelines Worker requires these policy permissions to send logs to Amazon S3:

- `s3:PutObject`

### Automatically generated Parquet schema{% #automatically-generated-parquet-schema %}

The Observability Pipelines Worker collects a batch of events, generates a schema for those events, and then flushes the batch to S3. The schema can vary between batches because the schema is based on the current batch of events only.
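
Because each schema comes from a single batch, two objects in the same prefix can disagree on columns and types. The sketch below is an added example, not the Worker's code: it uses a simplified stand-in for schema inference (Python type names in place of Parquet column types, nested objects flattened to dotted paths) to show the drift a downstream loader has to tolerate, and all event fields are constructed.

```python
def _flatten(event, prefix=""):
    """Yield (dotted_path, value) pairs, descending into nested objects."""
    for key, value in event.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from _flatten(value, path + ".")
        else:
            yield path, value

def infer_schema(batch):
    """Schema for one batch only: column -> sorted type names seen in that batch."""
    columns = {}
    for event in batch:
        for path, value in _flatten(event):
            if value is not None:  # nulls carry no type information
                columns.setdefault(path, set()).add(type(value).__name__)
    return {path: sorted(types) for path, types in columns.items()}

def schema_drift(previous, current):
    """Columns added, removed or retyped between two batch schemas."""
    shared = previous.keys() & current.keys()
    return {
        "added": sorted(current.keys() - previous.keys()),
        "removed": sorted(previous.keys() - current.keys()),
        "retyped": sorted(c for c in shared if previous[c] != current[c]),
    }

# Constructed sample events; field names and values are illustrative.
BATCH_1 = [
    {"service": "auth", "status": 200, "http": {"method": "GET"}},
    {"service": "auth", "status": 401, "user": "alice"},
]
BATCH_2 = [
    {"service": "billing", "status": "timeout", "duration_ms": 912.5},
]

if __name__ == "__main__":
    first, second = infer_schema(BATCH_1), infer_schema(BATCH_2)
    print(first)
    print(second)
    print(schema_drift(first, second))
```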

### Event batching{% #event-batching %}

A batch of events is flushed when one of these parameters is met. See [event batching](https://docs.datadoghq.com/observability_pipelines/destinations.md#event-batching) for more information.

| Max Events | Max Bytes   | Timeout (seconds) |
| ---------- | ----------- | ----------------- |
| None       | 100,000,000 | 900               |
