Using Amazon S3 server access logs to identify requests
You can identify Amazon S3 requests by using Amazon S3 server access logs.
Note
- To identify Amazon S3 requests, we recommend that you use AWS CloudTrail data events instead of Amazon S3 server access logs. CloudTrail data events are easier to set up and contain more information. For more information, see Identifying Amazon S3 requests using CloudTrail.
- Depending on how many access requests you get, analyzing your logs might require more resources or time than using CloudTrail data events.
Querying access logs for requests by using Amazon Athena
You can identify Amazon S3 requests with Amazon S3 access logs by using Amazon Athena.
Amazon S3 stores server access logs as objects in an S3 bucket. It is often easier to use a tool that can analyze the logs in Amazon S3. Athena supports analysis of S3 objects and can be used to query Amazon S3 access logs.
Example
The following example shows how you can query Amazon S3 server access logs in Amazon Athena. Replace the user input placeholders used in the following examples with your own information.
Note
To specify an Amazon S3 location in an Athena query, you must provide an S3 URI for the bucket where your logs are delivered. This URI must include the bucket name and prefix in the following format:
s3://amzn-s3-demo-bucket1-logs/prefix
1. Open the Athena console at https://console.aws.amazon.com/athena/.
2. In the Query Editor, run a command similar to the following. Replace s3_access_logs_db with the name that you want to give to your database.
CREATE DATABASE s3_access_logs_db
Note
It's a best practice to create the database in the same AWS Region as your S3 bucket.
3. In the Query Editor, run a command similar to the following to create a table schema in the database that you created in step 2. Replace s3_access_logs_db.mybucket_logs with the name that you want to give to your table. The STRING and BIGINT data type values are the access log properties. You can query these properties in Athena. For LOCATION, enter the S3 bucket and prefix path as noted earlier.
4. In the navigation pane, under Database, choose your database.
5. Under Tables, choose Preview table next to your table name.
In the Results pane, you should see data from the server access logs, such as bucketowner, bucket, requestdatetime, and so on. This means that you successfully created the Athena table. You can now query the Amazon S3 server access logs.
Example: Show who deleted an object and when (timestamp, IP address, and IAM user)
SELECT requestdatetime, remoteip, requester, key
FROM s3_access_logs_db.mybucket_logs
WHERE key = 'images/picture.jpg' AND operation LIKE '%DELETE%';
Example: Show all operations that were performed by an IAM user
SELECT *
FROM s3_access_logs_db.mybucket_logs
WHERE requester = 'arn:aws:iam::123456789123:user/user_name';
Example: Show all operations that were performed on an object in a specific time period
SELECT *
FROM s3_access_logs_db.mybucket_logs
WHERE key = 'prefix/images/picture.jpg'
  AND parse_datetime(requestdatetime, 'dd/MMM/yyyy:HH:mm:ss Z')
      BETWEEN parse_datetime('2017-02-18:07:00:00', 'yyyy-MM-dd:HH:mm:ss')
          AND parse_datetime('2017-02-18:08:00:00', 'yyyy-MM-dd:HH:mm:ss');
Example: Show how much data was transferred to a specific IP address in a specific time period
SELECT coalesce(SUM(bytessent), 0) AS bytessenttotal
FROM s3_access_logs_db.mybucket_logs
WHERE remoteip = '192.0.2.1'
  AND parse_datetime(requestdatetime, 'dd/MMM/yyyy:HH:mm:ss Z')
      BETWEEN parse_datetime('2022-06-01', 'yyyy-MM-dd')
          AND parse_datetime('2022-07-01', 'yyyy-MM-dd');
Example: Find request IDs for HTTP 5xx errors in a specific time period
SELECT requestdatetime, key, httpstatus, errorcode, requestid, hostid
FROM s3_access_logs_db.mybucket_logs
WHERE httpstatus LIKE '5%'
  AND timestamp BETWEEN '2024/01/29' AND '2024/01/30';
Identifying Signature Version 2 requests
You can use server access logs to identify Signature Version 2 requests. For details on querying logs with Amazon Athena, see the Athena querying section under Delivering logs to an Amazon S3 general purpose bucket.
Identifying object access requests
You can use server access logs to identify object access patterns. For details on querying logs with Amazon Athena, see the Athena querying section under Delivering logs to an Amazon S3 general purpose bucket.
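As an added example that is not part of the AWS documentation, the following Python parses raw S3 server access log records offline and applies the same filters as the Athena queries above (who deleted an object, bytes sent to an IP in a time window, 5xx request IDs), plus the Signature Version 2 check the two preceding sections refer to. It assumes the current AWS-documented field order of a server access log record; the sample log lines, IDs and ARNs are constructed placeholders.

```python
import re
from datetime import datetime, timezone
# Field order of an S3 server access log record (assumption: the current AWS-documented format).
FIELDS = ["bucketowner", "bucket", "requestdatetime", "remoteip", "requester", "requestid",
          "operation", "key", "requesturi", "httpstatus", "errorcode", "bytessent", "objectsize",
          "totaltime", "turnaroundtime", "referrer", "useragent", "versionid", "hostid", "sigv",
          "ciphersuite", "authtype", "endpoint", "tlsversion", "accesspointarn", "aclrequired"]
# One token per field: a [bracketed] timestamp, a "quoted" string, or a bare word ("-" = no value).
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')
# Constructed sample records (not real log data); owner, request and host IDs are placeholders.
SAMPLE_LOG = """\
OWNERIDEXAMPLE amzn-s3-demo-bucket1 [18/Feb/2017:07:15:02 +0000] 192.0.2.1 arn:aws:iam::123456789123:user/user_name REQ1EXAMPLE REST.DELETE.OBJECT images/picture.jpg "DELETE /amzn-s3-demo-bucket1/images/picture.jpg HTTP/1.1" 204 - - - 12 - "-" "aws-cli/2.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket1.s3.us-west-1.amazonaws.com TLSv1.2 - -
OWNERIDEXAMPLE amzn-s3-demo-bucket1 [18/Feb/2017:07:30:00 +0000] 192.0.2.1 arn:aws:iam::123456789123:user/user_name REQ2EXAMPLE REST.GET.OBJECT images/other.jpg "GET /amzn-s3-demo-bucket1/images/other.jpg HTTP/1.1" 200 - 2048 2048 9 3 "-" "legacy-sdk/1.0" - HOSTIDEXAMPLE= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket1.s3.us-west-1.amazonaws.com TLSv1.2 - -
OWNERIDEXAMPLE amzn-s3-demo-bucket1 [18/Feb/2017:09:00:00 +0000] 198.51.100.7 arn:aws:iam::123456789123:user/user_name REQ3EXAMPLE REST.PUT.OBJECT images/new.jpg "PUT /amzn-s3-demo-bucket1/images/new.jpg HTTP/1.1" 500 InternalError - 4096 250 - "-" "aws-cli/2.0" - HOSTIDEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket1.s3.us-west-1.amazonaws.com TLSv1.2 - -
"""

def parse_record(line):
    rec = dict(zip(FIELDS, TOKEN.findall(line)))  # zip() tolerates older, shorter records
    for k, v in rec.items():
        if v[0] in '["':
            v = v[1:-1]                               # drop the [ ] or " " delimiters
        rec[k] = None if v == "-" else v
    rec["requestdatetime"] = datetime.strptime(rec["requestdatetime"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytessent"] = int(rec["bytessent"] or 0)    # "-" means nothing was sent
    return rec

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def _ts(s):  # plays the role of parse_datetime(...) in the Athena queries; UTC assumed
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def who_deleted(records, key):
    # Mirror of "who deleted an object and when": timestamp, IP address and requester
    return [(r["requestdatetime"], r["remoteip"], r["requester"]) for r in records
            if r["key"] == key and "DELETE" in (r["operation"] or "")]

def bytes_sent_to(records, ip, start, end):
    # Mirror of the bytes-transferred query; SQL BETWEEN is inclusive, so both bounds are kept
    lo, hi = _ts(start), _ts(end)
    return sum(r["bytessent"] for r in records if r["remoteip"] == ip and lo <= r["requestdatetime"] <= hi)

def server_errors(records):
    # Mirror of the 5xx query: the request ID and host ID are what AWS Support asks for
    return [(r["requestid"], r["httpstatus"], r["errorcode"], r["hostid"])
            for r in records if (r["httpstatus"] or "").startswith("5")]

def sigv2_requests(records):
    # Requests still signed with Signature Version 2, flagged via the signature version column
    return [(r["requestid"], r["requester"], r["useragent"]) for r in records if r.get("sigv") == "SigV2"]
```

The same functions work on a real log object downloaded from the logging bucket: read the file and pass its text to parse_log.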