AWS S3 Access Logs

AWS S3 access logs provide detailed records of requests made to your S3 bucket, including information about who accessed your data, when they accessed it, and what operations they performed. These logs capture details such as requester information, request details, response status, and error codes, which are essential for security monitoring, compliance auditing, and troubleshooting access issues.

Ingest Methods

Setup the ingestion of this source using one of the following guides.

AWS S3 Bucket

Use the following SNS topic ARN to send your bucket notifications:

arn:aws:sns:<REGION>:253602268883:runreveal_s3access

For detailed setup instructions, see the AWS S3 Bucket guide.

Step 1: Create a Target S3 Bucket for Access Logs

Sign in to the AWS Management Console and open the Amazon S3 console.
Click on “Create bucket”.
Enter a unique name for your bucket (e.g., my-s3-access-logs) and select the region.
Configure the bucket settings as needed (e.g., versioning, encryption).
Click “Create bucket” to finish.

Step 2: Configure Bucket Policy for Log Delivery

In the S3 console, select the bucket you just created for access logs.
Go to the “Permissions” tab.
Under “Bucket policy”, click “Edit”.
Paste the following policy, replacing {target-bucket-name} with your actual bucket name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{target-bucket-name}/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{source-bucket-account-id}"
                }
            }
        }
    ]
}

Replace {source-bucket-account-id} with your AWS account ID.
Click “Save changes”.

Step 3: Enable Access Logging for Your Source S3 Bucket

In the S3 console, select the source bucket for which you want to enable access logging.
Go to the “Properties” tab.
Scroll down to the “Server access logging” section and click “Edit”.
Check the box next to “Enable server access logging”.
Select the target bucket you created earlier from the “Target bucket” dropdown.
Optionally, specify a prefix for the log files (e.g., logs/).
Click “Save changes”.

Step 4: Configure SNS Event Notifications

In the S3 console, select your target bucket (where access logs are being delivered).
Go to the “Properties” tab.
Scroll down to the “Event notifications” section and click “Create event notification”.
Configure the event notification:
- Event name: Enter a descriptive name (e.g., “S3AccessLogsToRunReveal”)
- Event types: Select “All object create events”
- Destination: Choose “SNS topic”
- SNS topic: Select “Specify SNS topic ARN” and enter: arn:aws:sns:<REGION>:253602268883:runreveal_s3access
Click “Save changes”.

Step 5: Verify Log Delivery

Wait for a few minutes to allow some access requests to your source bucket.
Go back to the S3 console and open your target bucket.
Navigate to the folder where you specified the prefix (or the root if no prefix was specified).
You should see log files appearing in this location with names like YYYY-MM-DD-HH-MM-SS-XXXXXXXXXX.

AWS S3 Bucket w/ Custom SQS

For detailed setup instructions, see the AWS S3 Bucket with Custom SQS guide.

Step 1: Create a Target S3 Bucket for Access Logs

Sign in to the AWS Management Console and open the Amazon S3 console.
Click on “Create bucket”.
Enter a unique name for your bucket (e.g., my-s3-access-logs) and select the region.
Configure the bucket settings as needed (e.g., versioning, encryption).
Click “Create bucket” to finish.

Step 2: Configure Bucket Policy for Log Delivery

In the S3 console, select the bucket you just created for access logs.
Go to the “Permissions” tab.
Under “Bucket policy”, click “Edit”.
Paste the following policy, replacing {target-bucket-name} with your actual bucket name:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{target-bucket-name}/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{source-bucket-account-id}"
                }
            }
        }
    ]
}

Replace {source-bucket-account-id} with your AWS account ID.
Click “Save changes”.

Step 3: Enable Access Logging for Your Source S3 Bucket

In the S3 console, select the source bucket for which you want to enable access logging.
Go to the “Properties” tab.
Scroll down to the “Server access logging” section and click “Edit”.
Check the box next to “Enable server access logging”.
Select the target bucket you created earlier from the “Target bucket” dropdown.
Optionally, specify a prefix for the log files (e.g., logs/).
Click “Save changes”.

Step 4: Configure SQS Queue Notifications

Create an SQS queue following the external S3 guide.
In the S3 console, select your target bucket (where access logs are being delivered).
Go to the “Properties” tab.
Scroll down to the “Event notifications” section and click “Create event notification”.
Configure the event notification:
- Event name: Enter a descriptive name (e.g., “S3AccessLogsToSQS”)
- Event types: Select “All object create events”
- Destination: Choose “SQS queue”
- SQS queue: Select your created SQS queue ARN
Click “Save changes”.

Step 5: Verify Log Delivery

Wait for a few minutes to allow some access requests to your source bucket.
Go back to the S3 console and open your target bucket.
Navigate to the folder where you specified the prefix (or the root if no prefix was specified).
You should see log files appearing in this location with names like YYYY-MM-DD-HH-MM-SS-XXXXXXXXXX.

Understanding S3 Access Log Format

S3 access logs contain the following fields in space-delimited format:

Bucket Owner: The canonical user ID of the bucket owner
Bucket: The name of the bucket
Time: The time when the request was received
Remote IP: The IP address of the requester
Requester: The canonical user ID of the requester
Request ID: A unique identifier for the request
Operation: The operation being performed (e.g., GET, PUT, DELETE)
Key: The key (path) of the object being accessed
Request-URI: The HTTP request URI
HTTP Status: The HTTP status code returned
Error Code: The S3 error code (if applicable)
Bytes Sent: The number of bytes sent
Object Size: The size of the object
Total Time: The total time of the request
Turn-Around Time: The time between when the request was received and the response was sent
Referer: The HTTP referer header
User-Agent: The HTTP user-agent header
Version ID: The version ID of the object (if versioning is enabled)
Host ID: The host ID of the S3 endpoint
Signature Version: The signature version used for authentication
Cipher Suite: The cipher suite used for HTTPS requests
Authentication Type: The type of authentication used
Host Header: The host header of the request
TLS Version: The TLS version used for HTTPS requests

For more information, refer to the official AWS documentation on S3 server access logging.

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: s3_access_logs (65 columns)

Column	Type
`workspaceID`	String
`sourceID`	String
`sourceType`	String
`sourceTTL`	UInt32
`receivedAt`	DateTime
`id`	String
`eventTime`	DateTime
`eventName`	String
`eventID`	String
`srcIP`	String
`srcASCountryCode`	String
`srcASNumber`	UInt32
`srcASOrganization`	String
`srcCity`	String
`srcConnectionType`	String
`srcISP`	String
`srcLatitude`	Float64
`srcLongitude`	Float64
`srcUserType`	String
`dstIP`	String
`dstASCountryCode`	String
`dstASNumber`	UInt32
`dstASOrganization`	String
`dstCity`	String
`dstConnectionType`	String
`dstISP`	String
`dstLatitude`	Float64
`dstLongitude`	Float64
`dstUserType`	String
`actor`	Map(String, String)
`tags`	Map(String, String)
`resources`	Array(String)
`serviceName`	String

Column	Type
`enrichments`	Array(Tuple(data Map(String, String), name String, provider String, type String, value String))
`readOnly`	Bool
`rawLog`	String
`bucketOwner`	String
`bucket`	String
`time`	String
`remoteIP`	String
`requester`	String
`requestID`	String
`operation`	String
`key`	String
`requestURI`	String
`requestMethod`	String
`requestPath`	String
`requestProto`	String
`httpStatus`	String
`errorCode`	String
`bytesSent`	String
`objectSize`	String
`totalTime`	String
`turnAroundTime`	String
`referrer`	String
`userAgent`	String
`versionID`	String
`hostID`	String
`signatureVersion`	String
`cipherSuite`	String
`authenticationType`	String
`hostHeader`	String
`tlsVersion`	String
`accessPointARN`	String
`aclRequired`	String

Redshift Activity Logs