Ref: https://learn.cantrill.io/courses/1820301/lectures/41301493 [ASSOCIATESHARED]

• Summary
• Contents:

S3 Server Access Logging - Architecture

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0700-SIMPLE_STORAGE_SERVICE(S3)/00_LEARNINGAIDS/S3AccessLogs.png

• 🔧 Record in detail requests made to an S3 bucket and its objects → gain access visibility
  • Logs stored in a (different) target bucket
• Log files consist of log records, which are newline-delimited
  • Log record attributes (date, time, status, operation…) are space-delimited
  • 💡 Similar to Apache log files
• Logging managed via S3 Log Delivery Group
  • AWS-managed system process (runs in the background)
  • ‼️ Best-effort process, NOT real-time! → can take hours to deliver logs to target bucket
• ❗ Lifecycle of log files NOT managed automatically!
  • You must manually manage it (e.g. set a lifecycle configuration to transition or expire logs in the target bucket)
• Configuration:
  1. Source Bucket
     • Enable logging
       • Can be done via UI, or with PUT Bucket Logging operation via CLI/API
     • Specify target bucket and prefix for logs that will be delivered/written there
       • 💡 Target bucket can hold logs for many source buckets → logs from different buckets separated with different prefixes
  2. Target Bucket
     • Configure a bucket ACL that gives write permissions to S3 Log Delivery Group
• Use Cases:
  • Auditing (security or other audits)
  • Understanding access patterns of customer base
  • Understanding changes in your S3 bill