To log details about calls for Amazon Simple Storage Service (S3) events, you can use the Amazon Web Services (AWS) CloudTrail service. The CloudTrail service can log actions taken by a user, a role, or an AWS service in Amazon S3. The log is helpful for things such as auditing and preserving the event trail about deleted S3 buckets or deleted objects that might contain important backup data.
To configure auditing and logging to log all accesses to S3 objects, including API accesses, you need to complete the following configuration:
On the AWS console, configure object-level S3 logging.
Place all logs in an S3 bucket that is owned by a separate account that is used only for auditing.
Related Topics
The following AWS documentation pages provide more information:
For information about how Amazon S3 object-level actions are tracked by CloudTrail logging, go to Logging Amazon S3 API Calls Using AWS CloudTrail.
For information about how to put all logs in an S3 bucket, go to How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events?.
For information about receiving CloudTrail log files from multiple accounts, go to Receiving CloudTrail Log Files from Multiple Accounts.