AWS S3 Access Logs
AWS S3 access logs provide detailed records of requests made to your S3 bucket, including information about who accessed your data, when they accessed it, and what operations they performed. These logs capture details such as requester information, request details, response status, and error codes, which are essential for security monitoring, compliance auditing, and troubleshooting access issues.
Ingest Methods
Set up the ingestion of this source using one of the following guides.
Understanding S3 Access Log Format
S3 access logs contain the following fields in space-delimited format:
- Bucket Owner: The canonical user ID of the bucket owner
- Bucket: The name of the bucket
- Time: The time when the request was received
- Remote IP: The IP address of the requester
- Requester: The canonical user ID of the requester
- Request ID: A unique identifier for the request
- Operation: The operation being performed (e.g., GET, PUT, DELETE)
- Key: The key (path) of the object being accessed
- Request-URI: The HTTP request URI
- HTTP Status: The HTTP status code returned
- Error Code: The S3 error code (if applicable)
- Bytes Sent: The number of bytes sent
- Object Size: The size of the object
- Total Time: The total time of the request
- Turn-Around Time: The time between when the request was received and the response was sent
- Referer: The HTTP referer header
- User-Agent: The HTTP user-agent header
- Version ID: The version ID of the object (if versioning is enabled)
- Host ID: The host ID of the S3 endpoint
- Signature Version: The signature version used for authentication
- Cipher Suite: The cipher suite used for HTTPS requests
- Authentication Type: The type of authentication used
- Host Header: The host header of the request
- TLS Version: The TLS version used for HTTPS requests
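The fields above can be parsed and triaged as follows. This is an added example, not code from this page or from AWS. The dictionary keys, the `triage` rules and the sample lines are assumptions constructed for illustration. It shows why a plain split on spaces is not enough: the time is wrapped in square brackets and the Request-URI, Referer and User-Agent are quoted, so each of them contains spaces.

```python
import re
from datetime import datetime

# Field order follows the list above; the key names are this example's own.
FIELDS = ("bucket_owner bucket time remote_ip requester request_id operation key "
          "request_uri http_status error_code bytes_sent object_size total_time "
          "turn_around_time referer user_agent version_id host_id signature_version "
          "cipher_suite authentication_type host_header tls_version").split()
NUMERIC = {"http_status", "bytes_sent", "object_size", "total_time", "turn_around_time"}
# A token is a [bracketed] time, a "quoted" string, or a bare run of non-spaces.
# A plain split() would break the first two apart and misalign every later field.
TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

def parse_line(line):
    """Parse one access-log line into a dict; '-' (not applicable) becomes None."""
    values = [m.group(m.lastindex) for m in TOKEN.finditer(line)]
    if len(values) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = {}
    for name, raw in zip(FIELDS, values):
        if raw == "-":
            rec[name] = None
        elif name in NUMERIC:
            rec[name] = int(raw)
        elif name == "time":
            rec[name] = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
        else:
            rec[name] = raw
    rec["extra"] = values[len(FIELDS):]  # anything past the 24 listed fields is kept
    return rec

def triage(rec):
    """Illustrative review rules (assumptions of this example, not a vendor rule set)."""
    checks = [("access denied", rec["http_status"] == 403),
              ("anonymous requester", rec["requester"] is None),
              ("no TLS", rec["tls_version"] is None)]
    return [label for label, hit in checks if hit]

OWNER = "0" * 64  # constructed placeholder for a canonical user ID
SAMPLE = [  # constructed log lines, not real traffic
    f'{OWNER} example-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.3 {OWNER} REQ1EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 10 '
    '"-" "aws-cli/2.0 example" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
    'AuthHeader example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [06/Feb/2024:00:01:02 +0000] 198.51.100.7 - REQ2EXAMPLE '
    'REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 5 - '
    '"-" "curl/8.0 example" - HOSTIDEXAMPLE= - - - example-bucket.s3.amazonaws.com -',
]
```

Calling `triage(parse_line(line))` on each entry of `SAMPLE` returns an empty list for the first line and three reasons for the second.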
For more information, refer to the official AWS documentation on S3 server access logging.