Enabling Server Access Logging On the S3 Bucket
If you want to have a full understanding of what is happening inside your S3 bucket, you should consider enabling the Server Access Logging functionality. This way, all the operations performed inside your bucket will be logged in another logging bucket.
In this lab, you will create an S3 logging bucket and configure it as the server access logging target for the S3 bucket you previously created.
1. Move back to the S3 console and create a new S3 bucket whose name is logging-bucket-#### (#### stands for random numbers) in the Oregon region:
2. Click on the name of the bucket you created in the previous lab step (not the logging bucket) to move into its dashboard.
3. Open the Properties tab, and scroll down until you reach the Server access logging section:
This bucket property is disabled by default.
4. Click on the Edit button.
5. Check the Enable checkbox, and click on Browse S3 to select the logging-bucket-#### as the target bucket for the logs.
6. Check the correct bucket and then click on Choose path:
7. Click on Save changes to enable the server access logging feature.
You will be redirected to the Properties tab, where you can see that the Server access logging feature is now enabled:
As per the official AWS documentation, S3 delivers logs to the target bucket on a best-effort basis. That means you may have to wait anywhere from a few minutes to hours before the created logs are visible. For more information about how a log record is structured, you can follow the official docs.
If you are interested in trying this feature in a lab environment that lasts long enough, you should do the Amazon Simple Storage Service (Amazon S3) Playground.
When you enable the server access logging property on a bucket, the target bucket's bucket policy is automatically updated to let the S3 log delivery group (corresponding to the logging.s3.amazonaws.com service principal) put the log objects:
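The following is an added example, not part of the original lab: a Python check that a target bucket policy lets the logging.s3.amazonaws.com service principal put log objects, and that the grant is tied to a source through the aws:SourceArn and aws:SourceAccount condition keys. The sample policy, bucket names, and account ID are constructed placeholders, and treating a grant as scoped only when both keys are present is an assumption of this example.

```python
import json

LOGGING_PRINCIPAL = "logging.s3.amazonaws.com"

# Constructed sample policy for the target bucket (placeholder names and account ID).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "S3ServerAccessLogsPolicy",
    "Effect": "Allow",
    "Principal": {"Service": "logging.s3.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::logging-bucket-0000/*",
    "Condition": {
      "ArnLike": {"aws:SourceArn": "arn:aws:s3:::source-bucket-0000"},
      "StringEquals": {"aws:SourceAccount": "111122223333"}
    }
  }]
}
""")

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def check_log_delivery(policy, target_bucket):
    """Return (allowed, scoped) for log delivery into target_bucket."""
    allowed = scoped = False
    prefix = f"arn:aws:s3:::{target_bucket}/"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if LOGGING_PRINCIPAL not in services:
            continue
        # Exact action match only; wildcard actions are not expanded here.
        if "s3:PutObject" not in _as_list(stmt.get("Action", [])):
            continue
        if not any(r.startswith(prefix) for r in _as_list(stmt.get("Resource", []))):
            continue
        allowed = True
        # Condition key names are case-insensitive; only their presence is checked.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        scoped = scoped or {"aws:sourcearn", "aws:sourceaccount"} <= keys
    return allowed, scoped
```

A result of `(True, False)` means logs can be delivered but the statement does not restrict which source bucket or account the logging service acts for.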
In this lab, you created an S3 logging bucket and configured it as the server access logging target for the S3 bucket you previously created.
Check whether the server access logging feature has been enabled.