logging-with-S3
Logging with Amazon S3
You can record the actions that are taken by users, roles, or AWS services on Amazon S3 resources and maintain log records for auditing and compliance purposes. To do this, you can use Amazon S3 Server Access Logging, AWS CloudTrail logs, or a combination of both. We recommend that you use AWS CloudTrail for logging bucket and object-level actions for your Amazon S3 resources.
The following table lists the key properties of AWS CloudTrail logs and Amazon S3 server access logs.
| Log Properties | AWS CloudTrail | Amazon S3 Server Logs |
|---|---|---|
| Can be forwarded to other systems (CloudWatch Logs, CloudWatch Events) | Yes | |
| Deliver logs to more than one destination (for example, send the same logs to two different buckets) | Yes | |
| Turn on logs for a subset of objects (prefix) | Yes | |
| Cross-account log delivery (target and source bucket owned by different accounts) | Yes | |
| Integrity validation of log file using digital signature/hashing | Yes | |
| Default/choice of encryption for log files | Yes | |
| Object operations (using Amazon S3 APIs) | Yes | Yes |
| Bucket operations (using Amazon S3 APIs) | Yes | Yes |
| Searchable UI for logs | Yes | |
| Fields for object lock parameters, Amazon S3 select properties for log records | Yes | |
Fields for Object Size, Total Time, Turn-Around Time, and HTTP Referer for log records | Yes | |
| Lifecycle transitions, expirations, restores | Yes | |
| Logging of keys in a batch delete operation | Yes | |
| Authentication failures1 | Yes | |
| Accounts where logs get delivered | Bucket owner2, and requester | Bucket owner only |
| Performance and Cost | AWS CloudTrail | Amazon S3 Server Logs |
| Price | Management events (first delivery) are free; data events incur a fee, in addition to storage of logs | No additional cost in addition to storage of logs |
| Speed of log delivery | Data events every 5 mins; management events every 15 mins | Within a few hours |
| Log format | JSON | Log file with space-separated, newline-delimited records |
Notes:
CloudTrail does not deliver logs for requests that fail authentication (in which the provided credentials are not valid). However, it does include logs for requests in which authorization fails (
AccessDenied) and requests that are made by anonymous users.The S3 bucket owner receives CloudTrail logs only if the account also owns or has full access to the object in the request. For more information, see Object-Level Actions in Cross-Account Scenarios.