S3 Access Logs


Course Introduction
Amazon CloudWatch
AWS Config
What is AWS Config?
AWS Control Tower
AWS Control Tower
PREVIEW19m 56s
AWS Resource Access Manager
AWS Management
AWS Service Catalog
PREVIEW10m 34s
AWS Trusted Advisor Best Practices
AWS Health Dashboard
AWS Data Visualization
Finding Compliance Data with AWS Artifact
Observability in AWS
Start course
6h 2m

This section of the AWS Certified Solutions Architect - Professional learning path introduces the AWS management and governance services relevant to the AWS Certified Solutions Architect - Professional exam. These services are used to help you audit, monitor, and evaluate your AWS infrastructure and resources and form a core component of resilient and performant architectures. 

Want more? Try a Lab Playground or do a Lab Challenge!

Learning Objectives

  • Understand the benefits of using AWS CloudWatch and audit logs to manage your infrastructure
  • Learn how to record and track API requests using AWS CloudTrail
  • Learn what AWS Config is and its components
  • Manage multi-account environments with AWS Organizations and Control Tower
  • Learn how to carry out logging with CloudWatch, CloudTrail, CloudFront, and VPC Flow Logs
  • Learn about AWS data transformation tools such as AWS Glue and data visualization services like Amazon Athena and QuickSight
  • Learn how AWS CloudFormation can be used to represent your infrastructure as code (IaC)
  • Understand SLAs in AWS

Hello, and welcome to this lecture, where I shall be looking at Amazon S3 access logs, what they are, and what they contain. As you may have guessed from the name, Amazon S3 access logs collate data based on who has been accessing a particular S3 bucket, and these logs record information, such as the source bucket that was accessed, a timestamp of the event, the identity requesting access to the object in the bucket, and the action that they were performing with the object. 

By default, when you create a new bucket, access logging is not enabled. However, should you have a requirement to understand who is accessing your S3 buckets, then this logging can quickly and easily be enabled. The configuration of this process is based upon a source bucket and a target bucket. The source bucket is the bucket in which you want to log access requests for. The target bucket is the bucket in which the access logs will be delivered to. It's best practice to use different buckets for both the source and the target for ease of management. When configuring your buckets for logging, you need to be aware that the source and target buckets need to be in the same region. 

To allow S3 to write logs to this target bucket, it will of course require specific permissions. These permissions allow write access for the Log Delivery group, which is a pre-defined Amazon S3 group, which is used to deliver log files to your target buckets. If the configuration of your access logging is configured using the management console, then the setup process automatically adds the Log Delivery group to the ACL of the target bucket, allowing the relevant access. However, if you were to configure the access logging using the command line, then you would need to manually configure these permissions. 

To set up the access logs using the console is a very simple process. Firstly, you select the S3 bucket that you would like to capture access logs for, select the properties tab, select server access logging, choose Enable Logging. From the dropdown, select your target bucket, and this is the bucket in which the logs will be delivered and saved to. Enter a prefix for your log files if required, and click save. If you then look at the ACL permissions for that bucket, you'll notice that the log delivery group has automatically been given write access for that bucket. If you wanted to enable logging on the bucket programmatically, then you can do so using the S3 API or the AWS SDKs. When doing so, you need to configure the write access for the Log Delivery Group on the target bucket as an additional action. More information on how to perform these steps can be found using the following link

When viewing your logs within the target bucket, you'll notice that each entry is made up of a number of different parameters. Let me show an example of a log access file to show you the data that makes up the entry. 

Start of demonstration

Okay, so I've just opened up one of the S3 access logs that I have, just a very small snippet. And we can see at the top here, we've got a couple of entries, so let's just run through this top entry, just some of the key bits of information that make up the access log. This first entry here, and that's the canonical ID of the owner of the source bucket. Next we have the AWS bucket itself that was accessed along with the date and time as well. Next we have some information from the requester, which is their source IP address. This hyphen means that the user was unauthenticated. If it was a user within IAM then we'd see their user ID there. This set of characters is generated by AWS just as a unique ID for this request. Next we have the action that was carried out, which is a get object request against the object within the bucket which is this image file here. And again, we can see that here and also we have this response code of 200. Also we have some information here with regards to the amount of bytes sent and the object size, and also some timings in milliseconds as well for that request. We also have the referrer here of where the request initially came from, and then finally just some information regarding to the requester's application software. So that's a very quick summary and example of what an entry looks like within your AWS S3 access logs.

End of demonstration

About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.