Skip to content

Set up Canva audit logs

How to set up an AWS S3 bucket for Canva audit logs.

Canva stores audit log data in an Amazon S3 bucket that your organization owns and manages. We add events to your S3 bucket every minute as a gzipped archive containing JSONL content. We store the files in hourly folders, in the format orgId/yyyy/MM/dd/HH. To let Canva send audit logs to your S3 bucket, Canva requires PutObject permission on the S3 bucket.

To start receiving audit logs, you need to:

  1. Open the Canva Audit logs configuration page.
  2. Create an Amazon S3 bucket.
  3. Grant Canva access to the S3 bucket.
  4. Save the S3 bucket details to your Canva account.

This article walks you through creating the required AWS resources and adding their details to your Canva account.

Open the Canva Audit logs configuration page

To make the process easier, we recommend you access the Canva Audit logs page before creating the AWS resources. This will let you input the required data during each step of the setup process. To access the Canva Audit logs settings:

  1. From the Canva homepage, go to Settings
  2. Under Organization settings, select Audit logs.
  3. Scroll down to the section AWS S3 bucket and role configuration.

Create an S3 bucket

To create an Amazon S3 Bucket for Canva audit logs:

  1. In a new tab or window, sign into the AWS Management Console.

  2. Open the S3 console.

  3. Select Create bucket.

  4. Under General configuration:

    1. If prompted, choose your preferred AWS Region.

    2. If prompted to select a Bucket type, select General purpose.

    3. Enter a Bucket name (for example: canva-audit-logs).

    4. Update the Canva Audit logs settings page:

      • Select the Region of the S3 bucket.
      • Copy the S3 bucket name into the S3 bucket name field.
  5. Under Object Ownership, select ACLs disabled (recommended).

  6. Under Block Public Access settings for this bucket, select Block all public access.

  7. Under Default encryption, configure the default encryption for the S3 bucket. If you select an option using AWS Key Management Service (KMS), choose or enter an AWS KMS key.

  8. (Optional) Update the remaining settings as desired or leave the default values.

  9. Click Create bucket.

If successful, you'll return to the S3 Buckets page with a banner confirming the creation of the bucket.

Make a note of the S3 bucket name. You'll need it when you grant Canva access to the S3 bucket.

Grant Canva access to the S3 bucket

Access to AWS services is managed through AWS Identity and Access Management (IAM). For audit logs, we only support IAM Role-based access.

You'll need to create a policy, then assign that policy to a role with limited access.

Create a policy using the AWS IAM console

  1. Open the IAM console.
  2. In the navigation pane, under Access management, select Policies.
  3. On the Policies page, select Create policy.
  4. On the Specify permissions page, you need to provide a permissions policy. The type of encryption your S3 bucket uses (SSE-S3, SSE-KMS, or DSSE-KMS) determines which policy you need:

<Tabs> <Tab name="SSE-S3"> 1) Change the Policy editor from Visual to JSON.

2) Replace the contents of the **Policy editor** with the following policy:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::<audit-logs-s3-bucket-name>/*"
       }
     ]
   }
   ```

3) Replace `&lt;audit-logs-s3-bucket-name&gt;` with the name of the AWS S3 Bucket.

   For example, if you named the bucket `canva-audit-logs`, the **Resource** value would be `arn:aws:s3:::canva-audit-logs/*`.

4) Click **Next**.

5) On the **Review and create** page:

   1. Enter a **Policy Name** (such as: `canva-audit-logs-s3-upload`).

   2. Make sure the policy in **Permissions defined in this policy** has the correct S3 bucket name. If not, return to the **Specify permissions** page and update the policy.

   3. *(Optional)* Update **Tags** and **Description**; or leave them empty.

   4. Click **Create policy**.

</Tab>

<Tab name="SSE-KMS or DSSE-KMS"> 1. Change the Policy editor from Visual to JSON.

2. Replace the contents of the **Policy editor** with the following policy:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::<audit-logs-s3-bucket-name>/*"
       },
       {
         "Action": "kms:GenerateDataKey",
         "Effect": "Allow",
         "Resource": "<kms-bucket-encryption-key-arn>"
       }
     ]
   }
   ```

3. Replace `&lt;audit-logs-s3-bucket-name&gt;` with the name of the AWS S3 Bucket.

   For example, if you named the bucket `canva-audit-logs`, the **Resource** value would be `arn:aws:s3:::canva-audit-logs/*`.

4. Replace `&lt;kms-bucket-encryption-key-arn&gt;` with the KMS key ARN using the format `arn:aws:kms:{Region}:{Account}:key/{KeyId}`.

5. Click **Next**.

6. On the **Review and create** page:

   1. Enter a **Policy Name** (such as: `canva-audit-logs-s3-upload`).

   2. Make sure the policy in **Permissions defined in this policy** has the correct S3 bucket name. If not, return to the **Specify permissions** page and update the policy.

   3. *(Optional)* Update **Tags** and **Description**; or leave them empty.

   4. Click **Create policy**.

</Tab> </Tabs>

If successful, you'll return to the IAM Policies page with a banner confirming the creation of the policy.

Create a role using the AWS IAM console

  1. Open the IAM console.

  2. In the navigation pane, under Access management, select Roles.

  3. On the Roles page, select Create role.

  4. On the Select trusted entity page, under Trusted entity type, select Custom trust policy.

  5. In another browser tab or window, visit the Canva Audit logs settings page to get the policy:

    1. From the Canva homepage, go to Settings.

    2. Under Organization settings, select Audit logs.

    3. Under Grant access to Amazon Web Services (AWS), copy the Trust policy.

      NOTE: The Trust policy on the Audit logs page is specific to your organization.

  6. Return to the AWS IAM Select trusted entity page and paste policy into the Custom trust policy editor.

  7. Click Next.

  8. On the Add permissions page, select the policy you created (for example: canva-audit-logs-s3-upload).

  9. Click Next.

  10. Enter a Role name (such as: canva-audit-logs-s3-upload-role).

  11. (Optional) Update Description and Tags, or leave them empty.

  12. Review Step 1: Select trusted entities and Step 2: Add permissions, making sure that the information is correct.

  13. Click Create Role.

If successful, you'll return to the IAM Roles page with a banner confirming the creation of the role.

Get the AWS role ARN

To get the AWS role ARN:

  1. On the IAM Roles page, find the role you created.
  2. Click the (hyperlinked) name of the role to view details about the role.
  3. Under Summary, copy the ARN.
  4. Return the Canva Audit logs settings page and paste the ARN into AWS role ARN.

Save the S3 bucket details to your Canva account

To save the details of the S3 bucket and IAM Role and start audit logging:

  1. Return to the Canva Audit logs page.

  2. In the section AWS S3 bucket and role configuration, add or check the following details:

    • Region: The region of the AWS S3 bucket. For example: US East (N.Virginia). For a list of AWS regions, visit AWS Documentation — Amazon Simple Storage Service endpoints and quotas.
    • AWS role ARN: The Amazon Resource Name ARN of the AWS Role Canva will use to access the S3 bucket. For example: arn:aws:iam:region:account-id:resource-id.
    • S3 bucket name: The name of your Canva audit logs S3 bucket. For example: my-canva-audit-logs-bucket.
    • S3 key prefix: An optional S3 key prefix. For example: bucket/canva/auditlogs.
  3. Click Save.

If successful, you'll receive and on-screen notification: AWS S3 bucket and role configuration saved. If your users are actively using Canva, audit logs will begin arriving in your S3 bucket within a few minutes.

Canva Developer Documentation SOP Site