Server Access Logging
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we have discussed Object Lifecycle Management. We have also configured Lifecycle rule for a S3 bucket.
In this blog post, we are going to discuss Server Access Logging in S3. We are also going to enable Server Access Logging for an S3 bucket.
Server Access Logging:
Server Access Logging provides detailed records for the requests that are made to a bucket. Server Access Logging can serve as security and access audit to your S3 bucket. If enabled, server access logging provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and an error code, if relevant. By default server access logging is disabled to your S3 bucket. The bucket for which server access logging is enabled is known as source bucket and the bucket where the logs are delivered is known as target bucket. You can use the same source and target bucket in the same region in your server access logging configuration, however, it’s recommended to use a separate bucket as source and target.
Note: Server Access Log records are delivered in best effort basis and can have a time lag. The completeness and timeliness of server logging are not guaranteed. The log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all.
Server Access Logging prerequisites:
- Log delivery should be turned on in source S3 bucket.
- Proper access must be granted to log delivery group in the target bucket.
Log Object Key Format:
Amazon S3 uses the following object key format for the log objects it uploads in the target bucket:
In the key, YYYY, mm, DD, HH, MM, and SS are the digits of the year, month, day, hour, minute, and seconds respectively when the log file was delivered.
Next, we are going to enable server access logging for a S3 bucket.
Sever Access Loggin In S3:
Step 1: Login to AWS console and click ‘S3’ located under Storage.
Step 2: Click on the bucket name.
Step 3: Click ‘Server Access Logging’ located under ‘Properties’.
Step 4: Select ‘Enable Logging’, provide target bucket name and target prefix and click ‘Save’.
Note: If you choose the same bucket as your source and target bucket, additional logs will be generated about the metadata of generated logs.
Server access logging successfully enabled
Step 5: Navigate to ‘Permissions’ and select S3 log delivery group and provide access for log delivery. Click ‘Save’.
To view the logs, navigate to ‘Overview’. Server Access Logs has been delivered to target S3 bucket.
Note: If may take a couple of hours to get the access logs in your target bucket.
To stop acquiring any cost, disable server access logging and delete the bucket once the demo is completed.
Hope you have enjoyed this article, in the next blog, we will host a static website in S3 bucket.