Send Vercel Audit Logs to S3 before compliance reviews get messy
Vercel expanded Audit Logs to more than 400 team activity events and moved delivery into Vercel Drains, giving Enterprise teams a cleaner path to custom HTTP endpoints or Amazon S3.
Confirmed: Vercel expanded Audit Logs to more than 400 unique team activity events on June 30, 2026, and now delivers those events through Vercel Drains. Enterprise teams can export audit activity to custom HTTPS endpoints or Amazon S3, which matters when security reviews need durable evidence instead of dashboard screenshots.

Caption: Official Vercel changelog image for expanded Audit Log coverage. Source: Vercel.
What changed
Vercel says Audit Logs now capture more than 400 team activity event types. The same update replaces Custom SIEM Log Streaming with Audit Log Drains, so teams can route audit data through the broader Drains workflow.
The new delivery paths are custom HTTP endpoints and Amazon S3. Vercel says Audit Log Drains are available to all Enterprise teams and priced at $0.50 per GB through standard Drains pricing, replacing a separate paid add-on.
| Area | What changed | Who gets it | Caveat |
|---|---|---|---|
| Audit coverage | 400+ team activity events | Vercel Enterprise teams | Check which actions matter for your controls |
| Delivery | Custom HTTP endpoints or Amazon S3 | Enterprise teams using Drains | Audit Log Drains apply to the whole team |
| Pricing | Standard Drains pricing at $0.50/GB | Enterprise billing | Downstream storage and SIEM costs still apply |
| S3 setup | Vercel assumes an IAM role with an external ID | AWS-backed audit archives | Scope the bucket path and KMS policy carefully |
Why this is early
This is a confirmed platform changelog, not a rumor. The primary source is Vercel's June 30 changelog, and the implementation details are backed by Vercel's Audit Logs to S3 and Audit Log Drains reference docs.
It is still early operationally because teams need to test delivery, retention, encryption, and downstream parsing before relying on the stream for audits. The feature changes the export path; it does not automatically design your evidence-retention policy.
Key takeaways
- Vercel Audit Logs now cover more than 400 unique team activity events.
- Audit Log Drains replace Custom SIEM Log Streaming for this workflow.
- Enterprise teams can send audit events to custom HTTPS endpoints or directly to Amazon S3.
- The S3 path uses AWS STS with a Vercel writer role and a team-specific external ID.
- Filtering, sampling, and project selection are not available for Audit Log Drains, so downstream routing should handle volume and separation.
Availability and access
Vercel says Audit Log Drains are available for all Enterprise teams. The S3 documentation says the feature writes team activity events into a customer-owned S3 bucket and is intended for security archives, compliance retention, and downstream analysis.
Teams should budget for Vercel Drains export pricing and for AWS or SIEM storage. If you already used Custom SIEM Log Streaming, verify the migration path, endpoint format, and whether your existing parser expects old field names or delivery behavior.
Practical LinkLoot angle
The useful move is to stop treating audit logs as something you pull manually during an incident. Put the stream into storage you control, then make review workflows boring: retention policy, schema validation, alerting, and a small evidence checklist for access changes.
Start with S3 if your team already keeps compliance evidence in AWS. Use a prefix such as audit-logs/, choose ndjson if your downstream tools prefer line-delimited records, and keep lifecycle rules separate from the Vercel drain configuration because Vercel does not manage S3 retention for you.
For adjacent workflow design, see LinkLoot's guide to AI workflow automation; the same pattern applies here: keep the trigger, data sink, approval path, and failure alert explicit.
What to verify before you act
- Confirm your Vercel plan and team have Enterprise Audit Log Drains access.
- Test delivery to a custom endpoint or S3 before changing your incident-response checklist.
- Scope IAM permissions to the exact S3 bucket or prefix, not the whole account.
- Use the exact vercel-team:<team-id> external ID and avoid wildcard external IDs.
- Check KMS permissions if the destination bucket uses a customer-managed AWS KMS key.
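One way to check the IAM items on this list before enabling the drain, as an added example that is not code from Vercel or AWS: a small linter that flags a trust policy whose external ID is not pinned exactly and a permissions policy that reaches beyond the audit prefix. The principal ARN, account ID, team ID, bucket name and the s3:PutObject action are constructed placeholders and assumptions; take the real values from Vercel's S3 setup docs and your own account.

```python
# Added example: constructed policies, not Vercel's or AWS's published documents.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, team_id):
    """Flag AssumeRole statements whose external ID is not pinned exactly."""
    expected, findings = f"vercel-team:{team_id}", []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        for op, keys in cond.items():
            if op != "StringEquals" and "sts:ExternalId" in keys:
                findings.append(f"external ID matched with {op}, not StringEquals")
        if _as_list(cond.get("StringEquals", {}).get("sts:ExternalId", [])) != [expected]:
            findings.append(f"external ID is not exactly {expected}")
    return findings

def check_write_policy(policy, bucket, prefix):
    """Flag Allow statements that reach beyond s3://bucket/prefix."""
    allowed, findings = f"arn:aws:s3:::{bucket}/{prefix}", []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"wildcard action {a}" for a in _as_list(stmt.get("Action", [])) if a in ("*", "s3:*")]
        findings += [f"resource outside {allowed}: {r}" for r in _as_list(stmt.get("Resource", [])) if not r.startswith(allowed)]
    return findings

# Placeholder principal: take the real writer role ARN from Vercel's S3 setup docs.
PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-vercel-writer"}

def trust(condition):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": PRINCIPAL, "Action": "sts:AssumeRole", "Condition": condition}]}

def write(action, resource):
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}

WEAK_TRUST = trust({"StringLike": {"sts:ExternalId": "vercel-team:*"}})  # wildcard external ID
GOOD_TRUST = trust({"StringEquals": {"sts:ExternalId": "vercel-team:team_EXAMPLE"}})
WEAK_WRITE = write("s3:*", "*")  # whole account
GOOD_WRITE = write("s3:PutObject", "arn:aws:s3:::example-audit-archive/audit-logs/*")  # assumed action

if __name__ == "__main__":
    for name, found in [("weak trust", check_trust_policy(WEAK_TRUST, "team_EXAMPLE")),
                        ("good trust", check_trust_policy(GOOD_TRUST, "team_EXAMPLE")),
                        ("weak write", check_write_policy(WEAK_WRITE, "example-audit-archive", "audit-logs/")),
                        ("good write", check_write_policy(GOOD_WRITE, "example-audit-archive", "audit-logs/"))]:
        print(name, found or "OK")
```

The resource check is deliberately strict: a statement that also needs a bucket-level ARN will be reported, so review that finding rather than widening the prefix.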
Source check
Confirmed by Vercel: the June 30 changelog states that Audit Logs now capture more than 400 unique team activity events, support delivery through Vercel Drains, can export to custom HTTP endpoints or Amazon S3, and are priced through standard Drains pricing.
Confirmed by Vercel docs: the S3 setup uses AWS STS and a Vercel S3 drain writer role, while the Audit Log Drains reference describes the event schema, actor fields, request metadata, JSON and NDJSON formats, and whole-team scope.
Context to verify in your own account: exact event coverage for your controls, migration timing from Custom SIEM Log Streaming, endpoint behavior, and downstream retention costs.
They are Enterprise Drains that forward Vercel team activity audit events to custom HTTPS endpoints or Amazon S3.
