Amazon S3 Access Logs

Ingest S3 bucket access logs using the Observe Lambda forwarder.

Enable S3 access logging

S3 bucket access logging is disabled by default. If needed, first enable logging for the desired bucket:

  1. Navigate to S3 in the AWS Console

  2. Select the bucket you’d like to get access logs for

  3. Click on “Properties”

  4. Under “Server access logging”, click “Edit”

  5. Select “Enable” and provide the log destination bucket in “Target bucket”

  6. Click “Save changes”

    Editing server access logging in the AWS Console

See the AWS access logging documentation for full details.

Forward logs using Lambda

If needed, install the Observe AWS Integration or the standalone Observe Lambda forwarder following the instructions in the documentation.

If you are already using the Lambda forwarder, you do not need to install it again. If you are installig it for the first time, consider the AWS Integration to easily ingest additional AWS data.

For each log bucket (“Target bucket”), add a trigger so the forwarder can send access logs as they are generated.

  1. Navigate to Lambda in the AWS Console

  2. Select the Observe Lambda function (created by the forwarder or integration installation process)

  3. Select “Add Trigger”, then search for “S3”

    Type S3 in the form and select it to add an S3 trigger
  4. Configure the trigger with the following settings:

    • Bucket: the log bucket

    • Event type: the desired events to send, such as “All object create events”

    • Prefix or Suffix if desired (optional)

  5. Click “Add” to save.

Note

S3 access logs may take some time to be created in the target bucket. For details, see the AWS documentation about best-effort delivery.