# Monitoring your storage activity and usage with Amazon S3 Storage Lens Monitoring your storage activity and usage with S3 Storage Lens Amazon S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object storage and activity. S3 Storage Lens also analyzes metrics to deliver contextual recommendations that you can use to optimize storage costs and apply best practices for protecting your data. You can use S3 Storage Lens metrics to generate summary insights. For example, you can find out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use S3 Storage Lens metrics to identify cost optimization opportunities, implement data protection and access management best practices, and improve the performance of application workloads. For example, you can identify buckets that don't have S3 Lifecycle rules set up to expire incomplete multipart uploads that are more than 7 days old. You can also identify buckets that aren't following data protection best practices, such as using S3 Replication or S3 Versioning. S3 Storage Lens aggregates your metrics and displays the information in the **Account snapshot** section on the Amazon S3 console **Buckets** page. S3 Storage Lens also provides an interactive dashboard that you can use to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data protection best practices. Your dashboard has drill-down options to generate and visualize insights at the organization, account, AWS Region, storage class, bucket, prefix, or Storage Lens group level. You can also send a daily metrics report in CSV or Parquet format to a general purpose S3 bucket or export the metrics directly to an AWS-managed S3 table bucket. ![\[The Snapshot for date section in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/storage-lens-dashboard.png) ## S3 Storage Lens metrics and features S3 Storage Lens provides an interactive *default dashboard* that is updated daily. S3 Storage Lens preconfigures this dashboard to visualize the summarized insights and trends for your entire account and updates them daily in the S3 console. Metrics from this dashboard are also summarized in your account snapshot on the **Buckets** page. For more information, see [Default dashboard](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_default_dashboard). To create other dashboards and scope them by AWS Regions, S3 buckets, or accounts (for AWS Organizations), you create an S3 Storage Lens dashboard configuration. You can create and manage S3 Storage Lens dashboard configurations by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API. When you create or edit an S3 Storage Lens dashboard, you define your dashboard scope and metrics selection. S3 Storage Lens offers free tier metrics and advanced tier metrics, which you can upgrade to for an additional charge. With the advanced tier, you can access additional metrics and features for gaining insight into your storage. These features include advanced metric categories, prefix aggregation, contextual recommendations, expanded prefixes metrics reports, and Amazon CloudWatch publishing. Prefix aggregation and contextual recommendations are available only in the Amazon S3 console. For information about S3 Storage Lens pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). **Metrics categories** Within the free and advanced tiers, metrics are organized into categories that align with key use cases, such as cost optimization and data protection. Free metrics include summary, cost optimization, data protection, access management, performance, and event metrics. When you upgrade to the advanced tier, you can enable advanced cost optimization and data protection metrics. You can use these advanced metrics to further reduce your S3 storage costs and improve your data protection stance. You can also enable activity metrics and detailed status-code metrics to improve the performance of application workloads that are accessing your S3 buckets. For more information about the free and advanced metrics categories, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). You can assess your storage based on S3 best practices, such as analyzing the percentage of your buckets that have encryption or S3 Object Lock or S3 Versioning enabled. You can also identify potential cost-savings opportunities. For example, you can use S3 Lifecycle rule count metrics to identify buckets that are missing lifecycle expiration or transition rules. You can also analyze your request activity per bucket to find buckets where objects could be transitioned to a lower-cost storage class. For more information, see [Amazon S3 Storage Lens metrics use cases](storage-lens-use-cases.md). **Metrics export** **Default metrics report** The default metrics report in S3 Storage Lens includes free metrics and advanced tier metrics covering object storage usage and activity trends across your AWS accounts. The report includes prefix aggregation for prefixes whose objects comprise at least 1% of the total data stored in the bucket, and supports up to 10 levels of prefix depth. The report can be exported daily in CSV or Parquet format to an S3 general purpose bucket. The report can also be sent to an AWS-managed S3 table bucket (with name `aws-s3`) making it easy to query using AWS analytics services or third-party tools. With the default metrics report, you can identify cost optimization opportunities like buckets without S3 Lifecycle rules for incomplete multipart uploads and buckets not following data protection best practices such as S3 Replication or S3 Versioning. The default metrics report also provides contextual recommendations for optimizing storage costs and applying data protection best practices, at no additional charge beyond standard S3 storage costs. **Expanded prefixes metrics report** The Storage Lens expanded prefixes metrics report provides comprehensive prefix-level analytics across your entire S3 storage data, expanding coverage to support billions of prefixes in your bucket. This report delivers metrics for all prefixes in your buckets, including storage usage, bytes transferred, request counts by status code, and data protection compliance metrics, which you can export daily in CSV or Parquet format to S3 general purpose bucket. You can also export the metrics directly to the `aws-s3` AWS-managed S3 table bucket. **Note** The report processes metrics for prefixes up to 50 levels deep and excludes prefix-level metrics for any bucket where the prefix and storage class combinations exceed twice the object count. With the expanded prefixes metrics report, you can identify performance optimization opportunities, such as high error rates, small objects, or sub-optimal request patterns, across billions of prefixes in your bucket. Unlike the default metrics report, the expanded prefixes metrics report delivers metrics for granular prefixes in your bucket. For example, you can identify prefixes with large numbers of objects of size less than 128KB to quickly isolate such datasets for compaction that will improve application performance. This report is available in all AWS Regions as an opt-in feature in the Storage Lens advanced tier dashboard configuration. **Metrics publishing** **Amazon CloudWatch publishing** You can publish S3 Storage Lens usage and activity metrics to Amazon CloudWatch to create a unified view of your operational health in CloudWatch [dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). You can also use CloudWatch features, such as alarms and triggered actions, metric math, and anomaly detection, to monitor and take action on S3 Storage Lens metrics. In addition, CloudWatch API operations enable applications, including third-party providers, to access your S3 Storage Lens metrics. The CloudWatch publishing option is available for dashboards that are upgraded to the S3 Storage Lens advanced tier. For more information about support for S3 Storage Lens metrics in CloudWatch, see [Monitor S3 Storage Lens metrics in CloudWatch](storage_lens_view_metrics_cloudwatch.md). For more information about using S3 Storage Lens, see the following topics. **Topics** + [ ## S3 Storage Lens metrics and features ](#storage-lens-dashboards-intro) + [ # Understanding Amazon S3 Storage Lens ](storage_lens_basics_metrics_recommendations.md) + [ # Amazon S3 Storage Lens metrics glossary ](storage_lens_metrics_glossary.md) + [ # Setting Amazon S3 Storage Lens permissions ](storage_lens_iam_permissions.md) + [ # Working with Amazon S3 Storage Lens by using the console and API ](S3LensExamples.md) + [ # Viewing metrics with Amazon S3 Storage Lens ](storage_lens_view_metrics.md) + [ # Working with S3 Storage Lens data in S3 Tables ](storage-lens-s3-tables.md) + [ # Using Amazon S3 Storage Lens with AWS Organizations ](storage_lens_with_organizations.md) + [ # Working with S3 Storage Lens groups to filter and aggregate metrics ](storage-lens-groups-overview.md) # Understanding Amazon S3 Storage Lens Understanding S3 Storage Lens **Important** Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the AWS CLI and AWS SDKs. For more information, see [Default encryption FAQ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/default-encryption-faq.html). Amazon S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use S3 Storage Lens metrics to identify cost-optimization opportunities, implement data-protection and security best practices, and improve the performance of application workloads. For example, you can identify buckets that don't have S3 Lifecycle rules to expire incomplete multipart uploads that are more than 7 days old. You can also identify buckets that aren't following data-protection best practices, such as using S3 Replication or S3 Versioning. S3 Storage Lens also analyzes metrics to deliver contextual recommendations that you can use to optimize storage costs and apply best practices for protecting your data. S3 Storage Lens aggregates your metrics and displays the information in the **Account snapshot** section on the Amazon S3 console **Buckets** page. S3 Storage Lens also provides an interactive dashboard that you can use to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data protection best practices. Your dashboard has drill-down options to generate and visualize insights at the organization, account, AWS Region, storage class, bucket, prefix, or Storage Lens group level. You can also send a daily metrics report in CSV or Parquet format to a general purpose S3 bucket or export the metrics directly to an AWS-managed S3 table bucket. You can create and manage S3 Storage Lens dashboards by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), AWS SDKs, or Amazon S3 REST API. ## S3 Storage Lens concepts and terminology S3 Storage Lens basics This section contains the terminology and concepts that are essential for successfully understanding and using Amazon S3 Storage Lens. **Topics** + [ ### Dashboard configuration ](#storage_lens_basics_configuration) + [ ### Default dashboard ](#storage_lens_basics_default_dashboard) + [ ### Dashboards ](#storage_lens_basics_dashboards) + [ ### Account snapshot ](#storage_lens_basics_account_snapshot) + [ ### Metrics export ](#storage_lens_basics_metrics_export) + [ ### Metrics export destinations ](#storage_lens_basics_metrics_export_destinations) + [ ### Home Region ](#storage_lens_basics_home_region) + [ ### Retention period ](#storage_lens_basics_data_queries) + [ ### Metrics categories ](#storage_lens_basics_metrics_types) + [ ### Recommendations ](#storage_lens_basics_recommendations) + [ ### Metrics selection ](#storage_lens_basics_metrics_selection) + [ ### Prefix delimiter ](#storage_lens_basics_prefix_delimiter) + [ ### S3 Storage Lens and AWS Organizations ](#storage_lens_basics_organizations) ### Dashboard configuration S3 Storage Lens requires a dashboard configuration that contains the properties required to aggregate metrics on your behalf for a single dashboard or export. When you create a configuration, you choose the dashboard name and the home Region, which you can't change after you create the dashboard. You can optionally add tags and configure a metrics export in CSV or Parquet format. In the dashboard configuration, you also define the dashboard scope and the metrics selection. The scope can include all the storage for your organization account or sections that are filtered by Region, bucket, and account. When you configure the metrics selection, you choose between free tier metrics and advanced tier metrics, which you can upgrade to for an additional charge. With the advanced tier, you can access additional metrics and features. These features include advanced metric categories, prefix-level aggregation, contextual recommendations, and Amazon CloudWatch publishing. For information about S3 Storage Lens pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). ### Default dashboard The S3 Storage Lens default dashboard on the console is named **default-account-dashboard**. S3 preconfigures this dashboard to visualize the summarized insights and trends for your entire account and updates them daily in the S3 console. You can't modify the configuration scope of the default dashboard, but you can upgrade the metrics selection from free tier metrics to advanced tier metrics. You can configure the optional metrics export or even disable the dashboard. However, you can't delete the default dashboard. **Note** If you disable your default dashboard, it's no longer updated. You'll no longer receive any new daily metrics in your S3 Storage Lens dashboard, your metrics export, or the account snapshot on the S3 **Buckets** page. If your dashboard uses advanced metrics, you'll no longer be charged. You can still see historic data in the dashboard until the 14-day period for data queries expires. This period is 15 months if you've enabled advanced metrics. To access historic data, you can re-enable the dashboard within the expiration period. ### Dashboards You can create additional S3 Storage Lens dashboards and scope them by AWS Regions, S3 buckets, or accounts (for AWS Organizations). When you create or edit a S3 Storage Lens dashboard, you define your dashboard scope and metrics selection. S3 Storage Lens offers free tier metrics and advanced tier metrics, which you can upgrade to for an additional charge. With advanced metrics, you can access additional metrics and features for gaining insight into your storage. These include advanced metric categories, prefix-level aggregation, contextual recommendations, and Amazon CloudWatch publishing. For information about S3 Storage Lens pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). You can also disable or delete dashboards. If you disable a dashboard, it's no longer updated, and you will no longer receive any new daily metrics. You can still see historic data until the 14-day expiration period. If you enabled advanced metrics for that dashboard, this period is 15 months. To access historic data, you can re-enable the dashboard within the expiration period. If you delete your dashboard, you lose all your dashboard configuration settings. You will no longer receive any new daily metrics, and you also lose access to the historical data associated with that dashboard. If you want to access the historic data for a deleted dashboard, you must create another dashboard with the same name in the same home Region. **Note** You can use S3 Storage Lens to create up to 50 dashboards per home Region. Organization-level dashboards can be limited only to a Regional scope. ### Account snapshot The S3 Storage Lens **Account snapshot** summarizes metrics from your default dashboard and displays your total storage, object count, and average object size on the S3 console **Buckets** page. This account snapshot gives you quick access to insights about your storage without having to leave the **Buckets** page. The account snapshot also provides one-click access to your interactive S3 Storage Lens dashboard. You can use your dashboard to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data protection best practices. Your dashboard has drill-down options to generate insights at the organization, account, bucket, object, or prefix level. You can also send a once-daily metrics export to an S3 bucket in CSV or Parquet format. You can't modify the dashboard scope of the **default-account dashboard** because it's linked to the **Account snapshot**. However, you can upgrade the metrics selection in your **default-account-dashboard** from free metrics to paid advanced metrics. After upgrading, you can then display all requests, bytes uploaded, and bytes downloaded in the S3 Storage Lens **Account snapshot**. **Note** If you disable your default dashboard, your **Account snapshot** is no longer updated. To continue displaying metrics in the **Account snapshot**, you can re-enable the **default-account-dashboard**. ### Metrics export An S3 Storage Lens metrics export is a file that contains all the metrics identified in your S3 Storage Lens configuration. This information is generated daily in CSV or Parquet format and is sent to a general purpose S3 bucket. You can also export the metrics directly to the `aws-s3` AWS-managed S3 table bucket making it easy to query using AWS analytics services or third-party tools. You can use the metrics export for further analysis by using the metrics tool of your choice. The bucket specified for your metrics export must be in the same Region as your S3 Storage Lens configuration. You can generate an S3 Storage Lens metrics export from the S3 console by editing your dashboard configuration. You can also configure a metrics export by using the AWS CLI and AWS SDKs. There are two types of metric exports available in Storage Lens: + **Default metrics report** – The default metrics report in S3 Storage Lens includes free metrics and activity trends across your AWS account and aggregates usage metrics for top prefixes. + **Expanded prefixes metrics report** – The Storage Lens expanded prefixes metrics report provides granular storage and activity metrics (such as storage usage, bytes transferred, and request counts by status code) at the prefix level for every prefix in your bucket. This report is available as an opt-in feature in all AWS Regions, through the advanced pricing tier in your Storage Lens dashboard configuration. For information about S3 Storage Lens feature pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). **Note** Storage Lens only generates metrics for [S3 general purpose buckets](UsingBucket.md). ### Metrics export destinations When exporting Storage Lens metrics data, you can choose both an S3 general purpose bucket or an S3 table bucket as your destination. General purpose buckets provide broad compatibility with existing tools and applications, offering flexibility to process data within your account, using your preferred analytics services. This option supports standard S3 access patterns and integrations for data analysis within individual buckets in your Region. In contrast, S3 table bucket lets you run immediate queries across multiple accounts and regions, create custom dashboards with Amazon Quick, and join data with other AWS services or third-party tools, without the need for additional processing infrastructure. For example, you can combine Storage Lens metrics with S3 Metadata to analyze object activity patterns across your organization. #### S3 general purpose bucket Exporting Storage Lens metrics to an S3 general purpose bucket offers flexibility and continuity for storing your Storage Lens data. You can maintain existing workflows and operational consistency by continuing to use your current infrastructure and existing extract, transform, and load (ETL) processes, analytics tools, or automated workflows. General purpose buckets also work with the full range of AWS services and third-party tools that support standard S3 APIs. This gives you maximum flexibility in how you process, analyze, or visualize your Storage Lens insights. Additionally, you can implement S3 lifecycle policies to automatically manage data retention, transitioning older metrics to lower-cost storage classes or deleting them after specified periods to optimize costs. Therefore, if operational continuity and workflow flexibility are your priorities for Storage Lens implementation, then consider choosing an S3 general purpose bucket for exporting your Storage Lens data. For more information about S3 general purpose buckets pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). #### S3 table bucket When exporting Storage Lens metrics to S3 table bucket, you can easily analyze your storage usage and activity metrics without building data pipelines. Your metrics are organized in S3 Tables that are created in an AWS-managed S3 table bucket called `aws-s3` for optimal query performance, with customizable retention periods and encryption settings to meet your data management needs. With your metrics in S3 Tables, you can run queries across multiple accounts and Regions using SQL tools and AWS analytics services (like Amazon Athena, Amazon Quick, Amazon EMR, and Amazon Redshift) to create custom dashboards and generate deeper insights. For example, you can join S3 Storage Lens metrics with S3 Metadata to identify objects in prefixes that aren't showing any recent activity. Any data stored in an S3 table bucket incurs S3 Tables costs. For more information about S3 Tables pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). ### Home Region The home Region is the AWS Region where all S3 Storage Lens metrics for a given dashboard configuration are stored. You must choose a home Region when you create your S3 Storage Lens dashboard configuration. After you choose a home Region, you can't change it. Also, if you're creating a Storage Lens group, we recommend that you choose the same home Region as your Storage Lens dashboard. **Note** You can choose one of the following Regions as your home Region: US East (N. Virginia) – `us-east-1` US East (Ohio) – `us-east-2` US West (N. California) – `us-west-1` US West (Oregon) – `us-west-2` Asia Pacific (Mumbai) – `ap-south-1` Asia Pacific (Seoul) – `ap-northeast-2` Asia Pacific (Singapore) – `ap-southeast-1` Asia Pacific (Sydney) – `ap-southeast-2` Asia Pacific (Tokyo) – `ap-northeast-1` Canada (Central) – `ca-central-1` China (Beijing) – `cn-north-1` China (Ningxia) – `cn-northwest-1` Europe (Frankfurt) – `eu-central-1` Europe (Ireland) – `eu-west-1` Europe (London) – `eu-west-2` Europe (Paris) – `eu-west-3` Europe (Stockholm) – `eu-north-1` South America (São Paulo) – `sa-east-1` ### Retention period S3 Storage Lens metrics are retained so that you can see historical trends and compare differences in your storage and activity over time. You can use Amazon S3 Storage Lens metrics for queries so that you can see historical trends and compare differences in your storage usage and activity over time. All S3 Storage Lens metrics are retained for a period of 15 months. However, metrics are only available for queries for a specific duration, which depends on your [metrics selection](#storage_lens_basics_metrics_selection). This duration can't be modified. Free metrics are available for queries for a 14-day period, and advanced metrics are available for queries for a 15-month period. ### Metrics categories Within the free and advanced tiers, S3 Storage Lens metrics are organized into categories that align with key use cases, such as cost optimization and data protection. Free metrics include summary, cost optimization, data protection, access management, performance, and event metrics. When you upgrade to advanced metrics, you can enable additional cost optimization and data protection metrics that you can use to further reduce your S3 storage costs and ensure your data is protected. You can also enable activity metrics and detailed status-code metrics that you can use to improve the performance of application workflows. The following list shows all of the free and advanced metric categories. For a complete list of the individual metrics included in each category, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). **Summary metrics** Summary metrics provide general insights about your S3 storage, including your total storage bytes and object count. **Cost optimization metrics** Cost optimization metrics provide insights that you can use to manage and optimize your storage costs. For example, you can identify buckets that have incomplete multipart uploads that are more than 7-days old. With advanced metrics, you can enable advanced cost optimization metrics. These metrics include S3 Lifecycle rule count metrics that you can use to get per-bucket expiration and transition S3 Lifecycle rule counts. **Data-protection metrics** Data-protection metrics provide insights for data protection features, such as encryption and S3 Versioning. You can use these metrics to identify buckets that are not following data protection best practices. For example, you can identify buckets that are not using default encryption with AWS Key Management Service keys (SSE-KMS) or S3 Versioning. With advanced metrics, you can enable advanced data protection metrics. These metrics include per-bucket replication rule count metrics. **Access management metrics** Access management metrics provide insights for S3 Object Ownership. You can use these metrics to see which Object Ownership settings your buckets use. **Event metrics** Event metrics provide insights for S3 Event Notifications. With event metrics, you can see which buckets have S3 Event Notifications configured. **Performance metrics** Performance metrics provide insights for S3 Transfer Acceleration. With performance metrics, you can see which buckets have Transfer Acceleration enabled. **Activity metrics (advanced)** If you upgrade your dashboard to the **Advanced tier**, you can enable activity metrics. Activity metrics provide details about how your storage is requested (for example, all requests, Get requests, Put requests), bytes uploaded or downloaded, and errors. Prefix-level activity metrics can be used to help you determine which prefixes are being used infrequently, so that you can [transition to a more optimal storage class using S3 Lifecycle](lifecycle-transition-general-considerations.md). **Detailed status code metrics (advanced)** If you upgrade your dashboard to the **Advanced tier**, you can enable detailed status code metrics. Detailed status code metrics provide insights for HTTP status codes, such as 403 Forbidden and 503 Service Unavailable, that you can use to troubleshoot access or performance issues. For example, you can look at the **403 Forbidden error count** metric to identify workloads that are accessing buckets without the correct permissions applied. Prefix-level detailed status code metrics can be used to gain a better understanding of the HTTP status code occurrences by prefix. For example, 503 error count metrics enable you to identify prefixes receiving throttling requests during data ingestion. **Advanced cost optimization metrics** Advanced cost optimization metrics provide detailed insights into your S3 lifecycle management configurations to help you optimize storage costs through automated data transitions and deletions. These metrics track the number of lifecycle rules configured across different lifecycle rule types. You can use these metrics to ensure comprehensive lifecycle rule coverage across your buckets and identify opportunities to implement additional cost optimization strategies through automated data management. **Advanced data protection metrics** Advanced data protection metrics help you protect your data by providing insights into replication rule counts, SSE-KMS encryption usage, and security vulnerabilities such as unsupported signature and TLS requests. (**Note:** Replication rule count metrics aren't available for prefixes.) This visibility enables you to ensure proper data redundancy, validate encryption compliance, identify security risks from outdated protocols, troubleshoot replication misconfigurations, and maintain robust data protection strategies at the organization, account, and bucket levels. **Advanced performance metrics** Advanced performance metrics reveal how your applications interact with data in S3 and can help identify opportunities to optimize application performance such as inefficient I/O patterns, cross-region access, and unique object access count. Storage Lens advanced performance metrics eliminates the need for expensive custom monitoring tools and enables customers to implement S3 best practices more effectively, particularly benefiting performance sensitive applications such as machine learning training, data analytics, and other high-performance compute workloads. ### Recommendations S3 Storage Lens provides automated recommendations to help you optimize your storage. Recommendations are placed contextually alongside relevant metrics in the S3 Storage Lens dashboard. Historical data is not eligible for recommendations because recommendations are relevant to what is happening in the most recent period. Recommendations appear only when they are relevant. S3 Storage Lens recommendations come in the following forms: + **Suggestions** Suggestions alert you to trends within your storage and activity that might indicate a storage-cost optimization opportunity or a data protection best practice. You can use the suggested topics in the *Amazon S3 User Guide* and the S3 Storage Lens dashboard to drill down for more details about the specific Regions, buckets, or prefixes. + **Call-outs** Call-outs are recommendations that alert you to interesting anomalies within your storage and activity over a period that might need further attention or monitoring. + **Outlier call-outs** S3 Storage Lens provides call-outs for metrics that are outliers, based on your recent 30-day trend. The outlier is calculated by using a standard score, also known as a *z-score*. In this score, the current day's metric is subtracted from the average of the last 30 days for that metric. The current day's metric is then divided by the standard deviation for that metric over the last 30 days. The resulting score is usually between -3 and \$13. This number represents the number of standard deviations that the current day's metric is from the mean. S3 Storage Lens considers metrics with a score >2 or <-2 to be outliers because they are higher or lower than 95 percent of normally distributed data. + **Significant change call-outs** The significant change call-out applies to metrics that are expected to change less frequently. Therefore, it's set to a higher sensitivity than the outlier calculation, which is typically in the range of \$1/- 20 percent versus the prior day, week, or month. **Addressing call-outs in your storage and activity** – If you receive a significant change call-out, it’s not necessarily a problem. The call-out could be the result of an anticipated change in your storage. For example, you might have recently added a large number of new objects, deleted a large number of objects, or made similar planned changes. If you see a significant change call-out on your dashboard, take note of it and determine whether it can be explained by recent circumstances. If not, use the S3 Storage Lens dashboard to drill down for more details to understand the specific Regions, buckets, or prefixes that are driving the fluctuation. + **Reminders** Reminders provide insights into how Amazon S3 works. They can help you learn more about ways to use S3 features to reduce storage costs or apply data protection best practices. ### Metrics selection S3 Storage Lens offers two metrics selections that you can choose for your dashboard and export: *free tier* and *advanced tier*. + **Free tier** S3 Storage Lens offers free metrics for all dashboards and configurations. Free metrics contain metrics that are relevant to your storage, such as the number of buckets and the objects in your account. Free metrics also include use-case based metrics (for example, cost optimization and data protection metrics) that you can use to investigate whether your storage is configured according to S3 best practices. All free tier metrics are collected daily and can be exported to either an S3 general purpose bucket (CSV or Parquet format) or S3 table bucket (Parquet format only). Data is available for queries for 14 days in the Amazon S3 console. For more information about which metrics are available with free metrics, see the [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). + **Advanced tier** S3 Storage Lens offers free metrics for all dashboards and configurations with the option to upgrade to advanced metrics. Additional charges apply. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). Advanced tier metrics include all the metrics in free metrics along with additional metrics, such as advanced data protection and cost optimization metrics, activity metrics, and detailed status-code metrics. Advanced tier metrics also provide recommendations to help you optimize your storage. Recommendations are placed contextually alongside relevant metrics in the dashboard. Advanced tier includes the following features: + **Advanced metrics categories** – Generate additional metrics. For a complete list of advanced metric categories, see [Metrics categories](#storage_lens_basics_metrics_types). For a complete list of metrics, see the [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). + **Amazon CloudWatch publishing** – Publishes S3 Storage Lens metrics to CloudWatch to create a unified view of your operational health in CloudWatch [dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). You can also use CloudWatch API operations and features, such as alarms and triggered actions, metric math, and anomaly detection, to monitor and take action on S3 Storage Lens metrics. For more information, see [Monitor S3 Storage Lens metrics in CloudWatch](storage_lens_view_metrics_cloudwatch.md). + **Default metrics report** – The default metrics report in S3 Storage Lens includes free metrics and prefix aggregation capabilities for top prefixes for object storage usage and activity trends across your AWS accounts. With the default metrics report, you can identify cost optimization opportunities at no additional charge beyond standard S3 storage costs. + **Expanded prefixes metrics report** – The Storage Lens expanded prefixes metrics report provides comprehensive prefix-level analytics across your entire S3 storage data, expanding coverage to support up to billions of prefixes per bucket. + **Additional metrics aggregation** + **Prefix aggregation** – Collects metrics at the [prefix](using-prefixes.md) level. This setting specifies the prefixes aggregated as part of the default metrics report, which is displayed in the Storage Lens dashboard. Note that metrics that are applicable at the prefix level are available with **Prefix aggregation**, except for bucket-level settings and rule count metrics. Prefix-level metrics don't apply to the expanded prefixes metrics export and aren't published to CloudWatch. + **Storage Lens group aggregation** – Collects metrics at the Storage Lens group level. After you enable the advanced tier metrics and Storage Lens group aggregation, you can specify which Storage Lens groups to include or exclude from your Storage Lens dashboard. At least one Storage Lens group must be specified. Storage Lens groups that are specified must also reside within the designated home Region in the dashboard account. Storage Lens group-level metrics are not published to CloudWatch. All advanced metrics are collected daily. Data is available for querying for up to 15 months in the Amazon S3 console. For more information about the storage metrics that are aggregated by S3 Storage Lens, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). ### Prefix delimiter Prefix delimiters determine how Storage Lens counts prefix depth, by separating the hierarchical levels within object keys. You can only specify a single character to indicate each level within your prefixes. If the prefix delimiter is undefined, Amazon S3 uses "`/`" as the default delimiter. **Note** When you're updating your Storage Lens dashboard configuration via API, the *delimiter* and the updated *prefix delimiter* must be defined in the same way, or you'll receive an error. The delimiter only applies to prefix-level metrics that are exported to the default metrics report. The prefix delimiter applies to all prefixes that are exported to the expanded prefixes metrics report. ### S3 Storage Lens and AWS Organizations AWS Organizations is an AWS service that helps you aggregate all of your AWS accounts under one organization hierarchy. Amazon S3 Storage Lens works with AWS Organizations to provide a single view of object storage and activity across your Amazon S3 storage. For more information, see [Using Amazon S3 Storage Lens with AWS OrganizationsEnabling trusted access for S3 Storage Lens](storage_lens_with_organizations.md). + **Trusted access** Using your organization's management account, you must enable trusted access for S3 Storage Lens to aggregate storage metrics and usage data for all member accounts in your organization. You can then create dashboards or exports for your organization by using your management account or by giving delegated administrator access to other accounts in your organization. You can disable trusted access for S3 Storage Lens at any time, which stops S3 Storage Lens from aggregating metrics for your organization. + **Delegated administrator** You can create dashboards and metrics for S3 Storage Lens for your organization by using your AWS Organizations management account, or by giving *delegated administrator* access to other accounts in your organization. You can deregister delegated administrators at any time. Deregistering a delegated administrator also automatically stops all organization-level dashboards created by that delegated administrator from aggregating new storage metrics. For more information, see [Amazon S3 Storage Lens and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-s3lens.html) in the *AWS Organizations User Guide*. #### Amazon S3 Storage Lens service-linked roles Along with AWS Organizations trusted access, Amazon S3 Storage Lens uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that's linked directly to S3 Storage Lens. Service-linked roles are predefined by S3 Storage Lens and include all the permissions that it requires to collect daily storage and activity metrics from member accounts in your organization. For more information, see [Using service-linked roles for Amazon S3 Storage Lens](using-service-linked-roles.md). # Amazon S3 Storage Lens metrics glossary Metrics glossary The Amazon S3 Storage Lens metrics glossary provides a complete list of free and advanced metrics for S3 Storage Lens. S3 Storage Lens offers free metrics for all dashboards and configurations, with the option to upgrade to advanced metrics. + **Free metrics** contain metrics that are relevant to your storage usage, such as the number of buckets and the objects in your account. Free metrics also include use-case based metrics, such as cost-optimization and data-protection metrics. All free metrics are collected daily, and data is available for queries for up to 14 days. + **Advanced metrics** include all the metrics in free metrics along with additional metrics, such as advanced performance, advanced data protection, and advanced cost optimization metrics. Advanced metrics also include additional metric categories, such as activity metrics and detailed status-code metrics. Advanced metrics data is available for queries for 15 months. There are additional charges when you use S3 Storage Lens with advanced metrics and recommendations. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). For more information about advanced metrics and recommendations features, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). **Note** For Storage Lens groups, only free tier storage metrics are available. Advanced tier metrics are not available at the Storage Lens group level. **Metric names** The **Metric name** column in the following table provides the name of each S3 Storage Lens in the S3 console. The **CloudWatch and export** column provides the name of each metric in Amazon CloudWatch and the metrics export file that you can configure in your S3 Storage Lens dashboard. **Derived metric formulas** Derived metrics are not available for the metrics export and the CloudWatch publishing option. However, you can use the metrics formulas shown in the **Derived metrics formula** column to compute them. **Interpreting the Amazon S3 Storage Lens prefix symbols for metrics unit multiples (K, M, G, and so on)** S3 Storage Lens metrics unit multiples are written with prefix symbols. These prefix symbols match the International System of Units (SI) symbols that are standardized by the International Bureau of Weights and Measures (BIPM). These symbols are also used in the Unified Code for Units of Measure (UCUM). For more information, see [List of SI prefix symbols](https://www.bipm.org/en/measurement-units/si-prefixes). **Note** The unit of measurement for S3 storage bytes is in binary gigabytes (GB), where 1 GB is 230 bytes, 1 TB is 240 bytes, and 1 PB is 250 bytes. This unit of measurement is also known as a gibibyte (GiB), as defined by the International Electrotechnical Commission (IEC). When an object reaches the end of its lifetime based on its lifecycle configuration, Amazon S3 queues the object for removal and removes it asynchronously. Therefore, there might be a delay between the expiration date and the date when Amazon S3 removes an object. S3 Storage Lens doesn't include metrics for objects that have expired but haven't been removed. For more information about expiration actions in S3 Lifecycle, see [Expiring objects](lifecycle-expire-general-considerations.md). Amazon S3 stores metadata (object key, timestamps, etc.) for every object, which requires minimum storage even for 0KB data files. This is why 0KB objects appear in the (0KB-128KB] size range in S3 Storage Lens. S3 Storage Lens provides best-effort tracking of cross-region data transfers, primarily focusing on requests from customer-managed resources like EC2 instances. Requests made through AWS PrivateLink or certain in-Region requests are unclassified. The following table shows the S3 Storage Lens metrics glossary. | Metric name | CloudWatch and export | Description | Tier1 | Category2 | Derived | Derived metric formula | Storage Lens groups | | --- | --- | --- | --- | --- | --- | --- | --- | | Total storage | StorageBytes | Total storage, inclusive of incomplete multipart uploads, object metadata, and delete markers | Free | Summary | N | - | Y | | Object count | ObjectCount | Total object count | Free | Summary | N | - | Y | | Average object size | - | Average object size | Free | Summary | Y | sum(StorageBytes)/sum(ObjectCount) | Y | | Active buckets | - | Number of buckets with storage > 0 bytes | Free | Summary | Y | - | Y | | Buckets | - | Number of buckets | Free | Summary | Y | - | Y | | Accounts | - | Number of accounts whose storage is in scope | Free | Summary | Y | - | Y | | Current version bytes | CurrentVersionStorageBytes | Number of bytes that are a current version of an object | Free | Cost optimization | N | - | Y | | % current version bytes | - | Percentage of bytes in scope that are current versions of objects | Free | Cost optimization | Y | sum(CurrentVersionStorageBytes)/sum(StorageBytes) | Y | | Current version object count | CurrentVersionObjectCount | Number of current version objects | Free | Data protection | N | - | Y | | % current version objects | - | Percentage of objects in scope that are a current version | Free | Cost optimization | Y | sum(CurrentVersionObjectCount)/sum(ObjectCount) | Y | | Noncurrent version bytes | NonCurrentVersionStorageBytes | Number of noncurrent version bytes | Free | Cost optimization | N | - | Y | | % noncurrent version bytes | - | Percentage of bytes in scope that are noncurrent versions | Free | Cost optimization | Y | sum(NonCurrentVersionStorageBytes)/sum(StorageBytes) | Y | | Noncurrent version object count | NonCurrentVersionObjectCount | Number of the noncurrent object versions | Free | Cost optimization | N | - | Y | | % noncurrent version objects | - | Percentage of objects in scope that are a noncurrent version | Free | Cost optimization | Y | sum(NonCurrentVersionObjectCount)/sum(ObjectCount) | Y | | Delete marker bytes | DeleteMarkerStorageBytes | Number of bytes in scope that are delete markers | Free | Cost optimization | N | - | Y | | % delete marker bytes | - | Percentage of bytes in scope that are delete markers | Free | Cost optimization | Y | sum(DeleteMarkerStorageBytes)/sum(StorageBytes) | Y | | Delete marker object count | DeleteMarkerObjectCount | Number of objects with a delete marker | Free | Cost optimization | N | - | Y | | % delete marker objects | - | Percentage of objects in scope with a delete marker | Free | Cost optimization | Y | sum(DeleteMarkerObjectCount)/sum(ObjectCount) | Y | | Incomplete multipart upload bytes | IncompleteMultipartUploadStorageBytes | Total bytes in scope for incomplete multipart uploads | Free | Cost optimization | N | - | Y | | % incomplete multipart upload bytes | - | Percentage of bytes in scope that are the result of incomplete multipart uploads | Free | Cost optimization | Y | sum(IncompleteMultipartUploadStorageBytes)/sum(StorageBytes) | Y | | Incomplete multipart upload object count | IncompleteMultipartUploadObjectCount | Number of objects in scope that are incomplete multipart uploads | Free | Cost optimization | N | - | Y | | % incomplete multipart upload objects | - | Percentage of objects in scope that are incomplete multipart uploads | Free | Cost optimization | Y | sum(IncompleteMultipartUploadObjectCount)/sum(ObjectCount) | Y | | Incomplete multipart upload storage bytes greater than 7 days old | IncompleteMPUStorageBytesOlderThan7Days | Total bytes in scope for incomplete multipart uploads that are more than 7 days old | Free | Cost optimization | N | - | Y | | % incomplete multipart upload storage bytes greater than 7 days old | - | Percentage of bytes for incomplete multipart uploads that are more than 7 days old | Free | Cost optimization | Y | sum(IncompleteMPUStorageBytesOlderThan7Days)/sum(StorageBytes) | Y | | Incomplete multipart upload object count greater than 7 days old | IncompleteMPUObjectCountOlderThan7Days | Number of objects that are incomplete multipart uploads more than 7 days old | Free | Cost optimization | N | - | Y | | % incomplete multipart upload object count greater than 7 days old | - | Percentage of objects that are incomplete multipart uploads more than 7 days old | Free | Cost optimization | Y | sum(IncompleteMPUObjectCountOlderThan7Days)/sum(ObjectCount) | Y | | Transition lifecycle rule count | TransitionLifecycleRuleCount | Number of lifecycle rules to transition objects to another storage class | Advanced | Cost optimization | N | - | N | | Average transition lifecycle rules per bucket | - | Average number of lifecycle rules to transition objects to another storage class | Advanced | Cost optimization | Y | sum(TransitionLifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Expiration lifecycle rule count | ExpirationLifecycleRuleCount | Number of lifecycle rules to expire objects | Advanced | Cost optimization | N | - | N | | Average expiration lifecycle rules per bucket | - | Average number of lifecycle rules to expire objects | Advanced | Cost optimization | Y | sum(ExpirationLifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Noncurrent version transition lifecycle rule count | NoncurrentVersionTransitionLifecycleRuleCount | Number of lifecycle rules to transition noncurrent object versions to another storage class | Advanced | Cost optimization | N | | N | | Average noncurrent version transition lifecycle rules per bucket | - | Average number of lifecycle rules to transition noncurrent object versions to another storage class | Advanced | Cost optimization | Y | sum(NoncurrentVersionTransitionLifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Noncurrent version expiration lifecycle rule count | NoncurrentVersionExpirationLifecycleRuleCount | Number of lifecycle rules to expire noncurrent object versions | Advanced | Cost optimization | N | - | N | | Average noncurrent version expiration lifecycle rules per bucket | - | Average number of lifecycle rules to expire noncurrent object versions | Advanced | Cost optimization | Y | sum(NoncurrentVersionExpirationLifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Abort incomplete multipart upload lifecycle rule count | AbortIncompleteMPULifecycleRuleCount | Number of lifecycle rules to delete incomplete multipart uploads | Advanced | Cost optimization | N | - | N | | Average abort incomplete multipart upload lifecycle rules per bucket | - | Average number of lifecycle rules to delete incomplete multipart uploads | Advanced | Cost optimization | Y | sum(AbortIncompleteMPULifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Expired object delete marker lifecycle rule count | ExpiredObjectDeleteMarkerLifecycleRuleCount | Number of lifecycle rules to remove expired object delete markers | Advanced | Cost optimization | N | - | N | | Average expired object delete marker lifecycle rules per bucket | - | Average number of lifecycle rules to remove expired object delete markers | Advanced | Cost optimization | Y | sum(ExpiredObjectDeleteMarkerLifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Total lifecycle rule count | TotalLifecycleRuleCount | Number of lifecycle rules | Advanced | Cost optimization | N | - | N | | Average lifecycle rule count per bucket | - | Average number of lifecycle rules | Advanced | Cost optimization | Y | sum(TotalLifecycleRuleCount)/sum(DistinctNumberOfBuckets) | N | | Encrypted bytes | EncryptedStorageBytes | Number of encrypted bytes | Free | Data protection | N | - | Y | | % encrypted bytes | - | Percentage of total bytes that are encrypted | Free | Data protection | Y | sum(EncryptedObjectCount)/sum(StorageBytes) | Y | | Encrypted object count | EncryptedObjectCount | Number of objects that are encrypted | Free | Data protection | N | - | Y | | % encrypted objects | - | Percentage of objects that are encrypted | Free | Data protection | Y | sum(EncryptedStorageBytes)/sum(ObjectCount) | Y | | Unencrypted bytes | UnencryptedStorageBytes | Number of bytes that are unencrypted | Free | Data protection | Y | sum(StorageBytes) - sum(EncryptedStorageBytes) | Y | | % unencrypted bytes | - | Percentage of bytes that are unencrypted | Free | Data protection | Y | sum(UnencryptedStorageBytes)/sum(StorageBytes) | Y | | Unencrypted object count | UnencryptedObjectCount | Number of objects that are unencrypted | Free | Data protection | Y | sum(ObjectCount) - sum(EncryptedObjectCount) | Y | | % unencrypted objects | - | Percentage of unencrypted objects | Free | Data protection | Y | sum(UnencryptedObjectCount)/sum(ObjectCount) | Y | | Replicated storage bytes source | ReplicatedStorageBytesSource | Number of bytes that are replicated from the source bucket | Free | Data protection | N | - | Y | | % replicated bytes source | - | Percentage of total bytes that are replicated from the source bucket | Free | Data protection | Y | sum(ReplicatedStorageBytesSource)/sum(StorageBytes) | Y | | Replicated object count source | ReplicatedObjectCountSource | Number of replicated objects from the source bucket | Free | Data protection | N | - | Y | | % replicated objects source | - | Percentage of total objects that are replicated from the source bucket | Free | Data protection | Y | sum(ReplicatedStorageObjectCount)/sum(ObjectCount) | Y | | Replicated storage bytes destination | ReplicatedStorageBytes | Number of bytes that are replicated to the destination bucket | Free | Data protection | N | - | N | | % replicated bytes destination | - | Percentage of total bytes that are replicated to the destination bucket | Free | Data protection | Y | sum(ReplicatedStorageBytes)/sum(StorageBytes) | Y | | Replicated object count destination | ReplicatedObjectCount | Number of objects that are replicated to the destination bucket | Free | Data protection | N | - | Y | | % replicated objects destination | - | Percentage of total objects that are replicated to the destination bucket | Free | Data protection | Y | sum(ReplicatedObjectCount)/sum(ObjectCount) | Y | | Object Lock bytes | ObjectLockEnabledStorageBytes | Number of Object Lock enabled storage bytes | Free | Data protection | N | sum(UnencryptedStorageBytes)/sum(ObjectLockEnabledStorageCount)-sum(ObjectLockEnabledStorageBytes) | Y | | % Object Lock bytes | - | Percentage of Object Lock enabled storage bytes | Free | Data protection | Y | sum(ObjectLockEnabledStorageBytes)/sum(StorageBytes) | Y | | Object Lock object count | ObjectLockEnabledObjectCount | Number of Object Lock objects | Free | Data protection | N | - | Y | | % Object Lock objects | - | Percentage of total objects that have Object Lock enabled | Free | Data protection | Y | sum(ObjectLockEnabledObjectCount)/sum(ObjectCount) | Y | | Versioning-enabled bucket count | VersioningEnabledBucketCount | Number of buckets that have S3 Versioning enabled | Free | Data protection | N | - | N | | % versioning-enabled buckets | - | Percentage of buckets that have S3 Versioning enabled | Free | Data protection | Y | sum(VersioningEnabledBucketCount)/sum(DistinctNumberOfBuckets) | N | | MFA delete-enabled bucket count | MFADeleteEnabledBucketCount | Number of buckets that have MFA (multi-factor authentication) delete enabled | Free | Data protection | N | - | N | | % MFA delete-enabled buckets | - | Percentage of buckets that have MFA (multi-factor authentication) delete enabled | Free | Data protection | Y | sum(MFADeleteEnabledBucketCount)/sum(DistinctNumberOfBuckets) | N | | SSE-KMS enabled bucket count | SSEKMSEnabledBucketCount | Number of buckets that use server-side encryption with AWS Key Management Service keys (SSE-KMS) for default bucket encryption | Free | Data protection | N | - | N | | % SSE-KMS enabled buckets | - | Percentage of buckets that SSE-KMS for default bucket encryption | Free | Data protection | Y | sum(SSEKMSEnabledBucketCount)/sum(DistinctNumberOfBuckets) | N | | All unsupported signature requests | AllUnsupportedSignatureRequests | Total number of requests that use unsupported AWS signature versions | Advanced | Data protection | N | - | N | | % all unsupported signature requests | - | Percentage of requests that use unsupported AWS signature versions | Advanced | Data protection | Y | sum(AllUnsupportedSignatureRequests)/sum(AllRequests) | N | | All unsupported TLS requests | AllUnsupportedTLSRequests | Total number of requests that use unsupported Transport Layer Security (TLS) versions | Advanced | Data protection | N | - | N | | % all unsupported TLS requests | - | Percentage of requests that use unsupported TLS versions | Advanced | Data protection | Y | sum(AllUnsupportedTLSRequests)/sum(AllRequests) | N | | All SSE-KMS requests | AllSSEKMSRequests | Total number of requests that specify SSE-KMS | Advanced | Data protection | N | - | N | | % all SSE-KMS requests | - | Percentage of requests that specify SSE-KMS | Advanced | Data protection | Y | sum(AllSSEKMSRequests)/sum(AllRequests) | N | | Same-Region Replication rule count | SameRegionReplicationRuleCount | Number of replication rules for Same-Region Replication (SRR) | Advanced | Data protection | N | - | N | | Average Same-Region Replication rules per bucket | - | Average number of replication rules for SRR | Advanced | Data protection | Y | sum(SameRegionReplicationRuleCount)/sum(DistinctNumberOfBuckets) | N | | Cross-Region Replication rule count | CrossRegionReplicationRuleCount | Number of replication rules for Cross-Region Replication (CRR) | Advanced | Data protection | N | - | N | | Average Cross-Region Replication rules per bucket | - | Average number of replication rules for CRR | Advanced | Data protection | Y | sum(CrossRegionReplicationRuleCount)/sum(DistinctNumberOfBuckets) | N | | Same-account replication rule count | SameAccountReplicationRuleCount | Number of replication rules for replication within the same account | Advanced | Data protection | N | - | N | | Average same-account replication rules per bucket | - | Average number of replication rules for replication within the same account | Advanced | Data protection | Y | sum(SameAccountReplicationRuleCount)/sum(DistinctNumberOfBuckets) | N | | Cross-account replication rule count | CrossAccountReplicationRuleCount | Number of replication rules for cross-account replication | Advanced | Data protection | N | - | N | | Average cross-account replication rules per bucket | - | Average number of replication rules for cross-account replication | Advanced | Data protection | Y | sum(CrossAccountReplicationRuleCount)/sum(DistinctNumberOfBuckets) | N | | Invalid destination replication rule count | InvalidDestinationReplicationRuleCount | Number of replication rules with a replication destination that's not valid | Advanced | Data protection | N | - | N | | Average invalid destination replication rules per bucket | - | Average number of replication rules with a replication destination that's not valid | Advanced | Data protection | Y | sum(InvalidReplicationRuleCount)/sum(DistinctNumberOfBuckets) | N | | Total replication rule count | - | Total replication rule count | Advanced | Data protection | Y | - | N | | Average replication rule count per bucket | - | Average total replication rule count | Advanced | Data protection | Y | sum(all replication rule count metrics)/sum(DistinctNumberOfBuckets) | N | | Object Ownership bucket owner enforced bucket count | ObjectOwnershipBucketOwnerEnforcedBucketCount | Number of buckets that have access control lists (ACLs) disabled by using the bucket owner enforced setting for Object Ownership | Free | Access management | N | - | N | | % Object Ownership bucket owner enforced buckets | - | Percentage of buckets that have ACLs disabled by using the bucket owner enforced setting for Object Ownership | Free | Access management | Y | sum(ObjectOwnershipBucketOwnerEnforcedBucketCount)/sum(DistinctNumberOfBuckets) | N | | Object Ownership bucket owner preferred bucket count | ObjectOwnershipBucketOwnerPreferredBucketCount | Number of buckets that use the bucket owner preferred setting for Object Ownership | Free | Access management | N | - | N | | % Object Ownership bucket owner preferred buckets | - | Percentage of buckets that use the bucket owner preferred setting for Object Ownership | Free | Access management | Y | sum(ObjectOwnershipBucketOwnerPreferredBucketCount)/sum(DistinctNumberOfBuckets) | N | | Object Ownership object writer bucket count | ObjectOwnershipObjectWriterBucketCount | Number of buckets that use the object writer setting for Object Ownership | Free | Access management | N | - | N | | % Object Ownership object writer buckets | - | Percentage of buckets that use the object writer setting for Object Ownership | Free | Access management | Y | sum(ObjectOwnershipObjectWriterBucketCount)/sum(DistinctNumberOfBuckets) | N | | Transfer Acceleration enabled bucket count | TransferAccelerationEnabledBucketCount | Number of buckets that have Transfer Acceleration enabled | Free | Performance | N | - | N | | % Transfer Acceleration enabled buckets | - | Percentage of buckets that have Transfer Acceleration enabled | Free | Performance | Y | sum(TransferAccelerationEnabledBucketCount)/sum(DistinctNumberOfBuckets) | N | | Event Notification enabled bucket count | EventNotificationEnabledBucketCount | Number of buckets that have Event Notifications enabled | Free | Events | N | | N | | % Event Notification enabled buckets | - | Percentage of buckets that have Event Notifications enabled | Free | Events | Y | sum(EventNotificationEnabledBucketCount)/sum(DistinctNumberOfBuckets) | N | | All requests | AllRequests | Total number of requests made | Advanced | Activity | N | - | N | | Get requests | GetRequests | Total number of `GET` requests made | Advanced | Activity | N | - | N | | Put requests | PutRequests | Total number of `PUT` requests made | Advanced | Activity | N | - | N | | Head requests | HeadRequests | Number of HEAD requests made | Advanced | Activity | N | - | N | | Delete requests | DeleteRequests | Number of DELETE requests made | Advanced | Activity | N | - | N | | List requests | ListRequests | Number of LIST requests made | Advanced | Activity | N | - | N | | Post requests | PostRequests | Number of POST requests made | Advanced | Activity | N | - | N | | Select requests | SelectRequests | Number of S3 Select requests | Advanced | Activity | N | - | N | | Select scanned bytes | SelectScannedBytes | Number of S3 Select bytes scanned | Advanced | Activity | N | - | N | | Select returned bytes | SelectReturnedBytes | Number of S3 Select bytes returned | Advanced | Activity | N | - | N | | Bytes downloaded | BytesDownloaded | Number of bytes downloaded | Advanced | Activity | N | - | N | | % retrieval rate | - | Percentage of bytes downloaded | Advanced | Activity | Y | sum(BytesDownloaded)/sum(StorageBytes) | N | | Bytes uploaded | BytesUploaded | Number of bytes uploaded | Advanced | Activity | N | - | N | | % ingest ratio | - | Percentage of bytes uploaded | Advanced | Activity | Y | sum(BytesUploaded)/sum(StorageBytes) | N | | 4xx errors | 4xxErrors | Number of HTTP 4xx status codes | Advanced | Activity | N | - | N | | 5xx errors | 5xxErrors | Number of HTTP 5xx status codes | Advanced | Activity | N | - | N | | Total errors | - | The sum of all 4xx and 5xx errors | Advanced | Activity | Y | sum(4xxErrors) \$1 sum(5xxErrors) | N | | % error rate | - | Total number of 4xx and 5xx errors as a percentage of total requests | Advanced | Activity | Y | sum(TotalErrors)/sum(TotalRequests) | N | | 200 OK status count | 200OKStatusCount | Number of 200 OK status codes | Advanced | Detailed status code | N | - | N | | % 200 OK status | - | Total number of 200 OK status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(200OKStatusCount)/sum(AllRequests) | N | | 206 Partial Content status count | 206PartialContentStatusCount | Number of 206 Partial Content status codes | Advanced | Detailed status code | N | - | N | | % 206 Partial Content status | - | Number of 206 Partial Content status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(206PartialContentStatusCount)/sum(AllRequests) | N | | 400 Bad Request error count | 400BadRequestErrorCount | Number of 400 Bad Request status codes | Advanced | Detailed status code | N | - | N | | % 400 Bad Request errors | - | Number of 400 Bad Request status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(400BadRequestErrorCount)/sum(AllRequests) | N | | 403 Forbidden error count | 403ForbiddenErrorCount | Number of 403 Forbidden status codes | Advanced | Detailed status code | N | - | N | | % 403 Forbidden errors | - | Number of 403 Forbidden status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(403ForbiddenErrorCount)/sum(AllRequests) | N | | 404 Not Found error count | 404NotFoundErrorCount | Number of 404 Not Found status codes | Advanced | Detailed status code | N | - | N | | % 404 Not Found errors | - | Number of 404 Not Found status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(404NotFoundErrorCount)/sum(AllRequests) | N | | 500 Internal Server Error count | 500InternalServerErrorCount | Number of 500 Internal Server Error status codes | Advanced | Detailed status code | N | - | N | | % 500 Internal Server Errors | - | Number of 500 Internal Server Error status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(500InternalServerErrorCount)/sum(AllRequests) | N | | 503 Service Unavailable error count | 503ServiceUnavailableErrorCount | Number of 503 Service Unavailable status codes | Advanced | Detailed status code | N | - | N | | % 503 Service Unavailable errors | - | Number of 503 Service Unavailable status codes as a percentage of total requests | Advanced | Detailed status code | Y | sum(503ServiceUnavailableErrorCount)/sum(AllRequests) | N | 1 All free tier storage metrics are available at the Storage Lens group level. Advanced tier metrics are not available at the Storage Lens group level. 2 Rule count metrics and bucket settings metrics aren't available at the prefix level. The following table shows the performance metrics available in S3 Storage Lens and their availability in CloudWatch: | **Metric name** | **CloudWatch and export** | **Description** | **Tier** | **Category** | **Derived** | **Derived metric formula** | **Storage Lens groups** | | --- | --- | --- | --- | --- | --- | --- | --- | | Average First Byte Latency | AverageFirstByteLatency | Average per-request time between when an Amazon S3 bucket receives a complete request and when it starts returning the response, measured over the past 24 hours | Advanced | Performance | N | - | N | | Average Total Request Latency | AverageTotalRequestLatency | Average elapsed per-request time between the first byte received and the last byte sent to an Amazon S3 bucket, measured over the past 24 hours | Advanced | Performance | N | - | N | | Read 0KB request count | Read0KBRequestCount\$1 | Number of GetObject requests with data sizes of 0KB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 0KB to 128KB request count | Read0KBTo128KBRequestCount\$1 | Number of GetObject requests with data sizes greater than 0KB and up to 128KB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 128KB to 256KB request count | Read128KBTo256KBRequestCount\$1 | Number of GetObject requests with data sizes greater than 128KB and up to 256KB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 256KB to 512KB request count | Read256KBTo512KBRequestCount\$1 | Number of GetObject requests with data sizes greater than 256KB and up to 512KB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 512KB to 1MB request count | Read512KBTo1MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 512KB and up to 1MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 1MB to 2MB request count | Read1MBTo2MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 1MB and up to 2MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 2MB to 4MB request count | Read2MBTo4MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 2MB and up to 4MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 4MB to 8MB request count | Read4MBTo8MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 4MB and up to 8MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 8MB to 16MB request count | Read8MBTo16MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 8MB and up to 16MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 16MB to 32MB request count | Read16MBTo32MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 16MB and up to 32MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 32MB to 64MB request count | Read32MBTo64MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 32MB and up to 64MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 64MB to 128MB request count | Read64MBTo128MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 64MB and up to 128MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 128MB to 256MB request count | Read128MBTo256MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 128MB and up to 256MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 256MB to 512MB request count | Read256MBTo512MBRequestCount\$1 | Number of GetObject requests with data sizes greater than 256MB and up to 512MB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 512MB to 1GB request count | Read512MBTo1GBRequestCount\$1 | Number of GetObject requests with data sizes greater than 512MB and up to 1GB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 1GB to 2GB request count | Read1GBTo2GBRequestCount\$1 | Number of GetObject requests with data sizes greater than 1GB and up to 2GB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 2GB to 4GB request count | Read2GBTo4GBRequestCount\$1 | Number of GetObject requests with data sizes greater than 2GB and up to 4GB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Read 4GB\$1 request count | ReadLargerThan4GBRequestCount\$1 | Number of GetObject requests with data sizes greater than 4GB, including both range-based requests and whole object requests | Advanced | Performance | N | - | N | | Write 0KB request count | Write0KBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes of 0KB | Advanced | Performance | N | - | N | | Write 0KB to 128KB request count | Write0KBTo128KBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 0KB and up to 128KB | Advanced | Performance | N | - | N | | Write 128KB to 256KB request count | Write128KBTo256KBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 128KB and up to 256KB | Advanced | Performance | N | - | N | | Write 256KB to 512KB request count | Write256KBTo512KBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 256KB and up to 512KB | Advanced | Performance | N | - | N | | Write 512KB to 1MB request count | Write512KBTo1MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 512KB and up to 1MB | Advanced | Performance | N | - | N | | Write 1MB to 2MB request count | Write1MBTo2MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 1MB and up to 2MB | Advanced | Performance | N | - | N | | Write 2MB to 4MB request count | Write2MBTo4MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 2MB and up to 4MB | Advanced | Performance | N | - | N | | Write 4MB to 8MB request count | Write4MBTo8MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 4MB and up to 8MB | Advanced | Performance | N | - | N | | Write 8MB to 16MB request count | Write8MBTo16MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 8MB and up to 16MB | Advanced | Performance | N | - | N | | Write 16MB to 32MB request count | Write16MBTo32MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 16MB and up to 32MB | Advanced | Performance | N | - | N | | Write 32MB to 64MB request count | Write32MBTo64MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 32MB and up to 64MB | Advanced | Performance | N | - | N | | Write 64MB to 128MB request count | Write64MBTo128MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 64MB and up to 128MB | Advanced | Performance | N | - | N | | Write 128MB to 256MB request count | Write128MBTo256MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 128MB and up to 256MB | Advanced | Performance | N | - | N | | Write 256MB to 512MB request count | Write256MBTo512MBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 256MB and up to 512MB | Advanced | Performance | N | - | N | | Write 512MB to 1GB request count | Write512MBTo1GBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 512MB and up to 1GB | Advanced | Performance | N | - | N | | Write 1GB to 2GB request count | Write1GBTo2GBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 1GB and up to 2GB | Advanced | Performance | N | - | N | | Write 2GB to 4GB request count | Write2GBTo4GBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 2GB and up to 4GB | Advanced | Performance | N | - | N | | Write 4GB\$1 request count | WriteLargerThan4GBRequestCount\$1 | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 4GB | Advanced | Performance | N | - | N | | Object 0KB count | Object0KBCount | Number of objects with sizes equal to 0KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 0KB to 128KB count | Object0KBTo128KBCount | Number of objects with sizes greater than 0KB and less than equal to 128KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 128KB to 256KB count | Object128KBTo256KBCount | Number of objects with sizes greater than 128KB and less than equal to 256KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 256KB to 512KB count | Object256KBTo512KBCount | Number of objects with sizes greater than 256KB and less than equal to 512KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 512KB to 1MB count | Object512KBTo1MBCount | Number of objects with sizes greater than 512KB and less than equal to 1MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 1MB to 2MB count | Object1MBTo2MBCount | Number of objects with sizes greater than 1MB and less than equal to 2MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 2MB to 4MB count | Object2MBTo4MBCount | Number of objects with sizes greater than 2MB and less than equal to 4MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 4MB to 8MB count | Object4MBTo8MBCount | Number of objects with sizes greater than 4MB and less than equal to 8MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 8MB to 16MB count | Object8MBTo16MBCount | Number of objects with sizes greater than 8MB and less than equal to 16MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 16MB to 32MB count | Object16MBTo32MBCount | Number of objects with sizes greater than 16MB and less than equal to 32MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 32MB to 64MB count | Object32MBTo64MBCount | Number of objects with sizes greater than 32MB and less than equal to 64MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 64MB to 128MB count | Object64MBTo128MBCount | Number of objects with sizes greater than 64MB and less than equal to 128MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 128MB to 256MB count | Object128MBTo256MBCount | Number of objects with sizes greater than 128MB and less than equal to 256MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 256MB to 512MB count | Object256MBTo512MBCount | Number of objects with sizes greater than 256MB and less than equal to 512MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 512MB to 1GB count | Object512MBTo1GBCount | Number of objects with sizes greater than 512MB and less than equal to 1GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 1GB to 2GB count | Object1GBTo2GBCount | Number of objects with sizes greater than 1GB and less than equal to 2GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 2GB to 4GB count | Object2GBTo4GBCount | Number of objects with sizes greater than 2GB and less than equal to 4GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Object 4GB\$1 count | ObjectLargerThan4GBCount | Number of objects with sizes greater than 4GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | Advanced | Performance | N | - | N | | Concurrent Put 503 error count | ConcurrentPut503ErrorCount | Number of 503 errors that are generated due to concurrent writes to the same object | Advanced | Performance | N | - | N | | % Concurrent Put 503 errors | - | Percentage of 503 errors that are generated due to concurrent writes to the same object | Advanced | Performance | Y | 100 \$1 ConcurrentPut503Errors / AllRequests | N | | Cross-Region request count | CrossRegionRequestCount | Number of requests that originate from a client in different Region than bucket's home Region | Advanced | Performance | N | - | N | | % Cross-Region requests | - | Percentage of requests that originate from a client in different Region than bucket's home Region | Advanced | Performance | Y | 100 \$1 CrossRegionRequestCount / AllRequests | N | | Cross-Region transferred bytes | CrossRegionTransferredBytes | Number of bytes that are transferred from calls in different Region than bucket's home Region | Advanced | Performance | N | - | N | | % Cross-Region transferred bytes | - | Percentage of bytes transferred that originate from calls in different Region that bucket's home Region | Advanced | Performance | Y | 100 \$1 CrossRegionBytes / (BytesDownloaded \$1 BytesUploaded) | N | | Cross-Region without replication request count | CrossRegionWithoutReplicationRequestCount | Number of requests that originate from a client in different Region than bucket's home Region, excluding cross-region replication requests | Advanced | Performance | N | - | N | | % Cross-Region without replication requests | - | Percentage of requests that originate from a client in different Region that bucket's home Region, excluding cross-region replication requests | Advanced | Performance | Y | 100 \$1 CrossRegionRequestWithoutReplicationCount / AllRequests | N | | Cross-Region without replication transferred bytes | CrossRegionWithoutReplicationTransferredBytes | Number of bytes that are transferred from calls in different Region than bucket's home Region, excluding cross-region replication bytes | Advanced | Performance | N | - | N | | % Cross-Region without replication transferred bytes | - | Number of requests that originate from a Region other than the bucket's home Region, excluding cross-region replication requests | Advanced | Performance | Y | 100 \$1 CrossRegionBytesWithoutReplication / (BytesDownloaded \$1 BytesUploaded) | N | | In-Region request count | InRegionRequestCount | Number of requests that originate from a client in same Region as bucket's home Region | Advanced | Performance | N | - | N | | % In-Region requests | - | Percentage of requests that originate from a client in same Region as bucket's home Region | Advanced | Performance | Y | 100 \$1 InRegionRequestCount / AllRequests | N | | In-Region transferred bytes | InRegionTransferredBytes | Number of bytes that are transferred from calls from same Region as bucket's home Region | Advanced | Performance | N | - | N | | % In-Region transferred bytes | - | Percentage of bytes transferred that originate from calls from same Region as bucket's home Region | Advanced | Performance | Y | 100 \$1 InRegionBytes / (BytesDownloaded \$1 BytesUploaded) | N | | Unique objects accessed count daily | UniqueObjectsAccessedDailyCount | Number of objects that were accessed at least once in last 24 hrs | Advanced | Performance | N | - | N | | % Unique objects accessed count daily | - | Percentage of objects that were accessed at least once in last 24 hrs | Advanced | Performance | Y | 100 \$1 UniqueObjectsAccessedDailyCount / ObjectCount | N | # Setting Amazon S3 Storage Lens permissions Setting permissions Amazon S3 Storage Lens requires new permissions in AWS Identity and Access Management (IAM) to authorize access to S3 Storage Lens actions. To grant these permissions, you can use an identity-based IAM policy. You can attach this policy to IAM users, groups, or roles to grant them permissions. Such permissions can include the ability to enable or disable S3 Storage Lens, or to access any S3 Storage Lens dashboard or configuration. The IAM user or role must belong to the account that created or owns the dashboard or configuration, unless both of the following conditions are true: + Your account is a member of AWS Organizations. + You were given access to create organization-level dashboards by your management account as a delegated administrator. **Note** You can't use your account's root user credentials to view Amazon S3 Storage Lens dashboards. To access S3 Storage Lens dashboards, you must grant the required IAM permissions to a new or existing IAM user. Then, sign in with those user credentials to access S3 Storage Lens dashboards. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. Using S3 Storage Lens on the Amazon S3 console can require multiple permissions. For example, to edit a dashboard on the console, you need the following permissions: `s3:ListStorageLensConfigurations` `s3:GetStorageLensConfiguration` `s3:PutStorageLensConfiguration` **Topics** + [ ## Setting account permissions to use S3 Storage Lens ](#storage_lens_iam_permissions_account) + [ ## Setting account permissions to use S3 Storage Lens groups ](#storage_lens_groups_permissions) + [ ## Setting permissions to use S3 Storage Lens with AWS Organizations ](#storage_lens_iam_permissions_organizations) ## Setting account permissions to use S3 Storage Lens Setting account permissions To create and manage S3 Storage Lens dashboards and Storage Lens dashboard configurations, you must have the following permissions, depending on which actions you want to perform: The following table shows Amazon S3 Storage Lens related IAM permissions. | Action | IAM permissions | | --- | --- | | Create or update an S3 Storage Lens dashboard in the Amazon S3 console. | `s3:ListStorageLensConfigurations` `s3:GetStorageLensConfiguration` `s3:GetStorageLensConfigurationTagging` `s3:PutStorageLensConfiguration` `s3:PutStorageLensConfigurationTagging` | | Get the tags of an S3 Storage Lens dashboard on the Amazon S3 console. | `s3:ListStorageLensConfigurations` `s3:GetStorageLensConfigurationTagging` | | View an S3 Storage Lens dashboard on the Amazon S3 console. | `s3:ListStorageLensConfigurations` `s3:GetStorageLensConfiguration` `s3:GetStorageLensDashboard` | | Delete an S3 Storage Lens dashboard on Amazon S3 console. | `s3:ListStorageLensConfigurations` `s3:GetStorageLensConfiguration` `s3:DeleteStorageLensConfiguration` | | Create or update an S3 Storage Lens configuration by using the AWS CLI or an AWS SDK. | `s3:PutStorageLensConfiguration` `s3:PutStorageLensConfigurationTagging` | | Get the tags of an S3 Storage Lens configuration by using the AWS CLI or an AWS SDK. | `s3:GetStorageLensConfigurationTagging` | | View an S3 Storage Lens configuration by using the AWS CLI or an AWS SDK. | `s3:GetStorageLensConfiguration` | | Delete an S3 Storage Lens configuration by using the AWS CLI or AWS SDK. | `s3:DeleteStorageLensConfiguration` | **Note** You can use resource tags in an IAM policy to manage permissions. An IAM user or role with these permissions can see metrics from buckets and prefixes that they might not have direct permission to read or list objects from. For S3 Storage Lens dashboards with prefix-level metrics enabled, if a selected prefix path matches with an object key, the dashboard might display the object key as another prefix. For metrics exports, which are stored in a bucket in your account, permissions are granted by using the existing `s3:GetObject` permission in the IAM policy. Similarly, for an AWS Organizations entity, the organization's management account or delegated administrator accounts can use IAM policies to manage access permissions for organization-level dashboard and configurations. ## Setting account permissions to use S3 Storage Lens groups Setting Storage Lens groups permissions You can use S3 Storage Lens groups to understand the distribution of your storage within buckets based on prefix, suffix, object tag, object size, or object age. You can attach Storage Lens groups to your dashboards to view their aggregated metrics. To work with Storage Lens groups, you need certain permissions. For more information, see [Storage Lens groups permissions](storage-lens-groups.md#storage-lens-group-permissions). ## Setting permissions to use S3 Storage Lens with AWS Organizations Setting AWS Organizations permissions You can use Amazon S3 Storage Lens to collect storage metrics and usage data for all accounts that are part of your AWS Organizations hierarchy. The following table shows the actions and permissions related to using S3 Storage Lens with Organizations. | Action | IAM Permissions | | --- | --- | | Enable trusted access for S3 Storage Lens for your organization. | `organizations:EnableAWSServiceAccess` | | Disable trusted access for S3 Storage Lens for your organization. | `organizations:DisableAWSServiceAccess` | | Register a delegated administrator to create S3 Storage Lens dashboards or configurations for your organization. | `organizations:RegisterDelegatedAdministrator` | | Deregister a delegated administrator so that they can no longer create S3 Storage Lens dashboards or configurations for your organization. | `organizations:DeregisterDelegatedAdministrator` | | Additional permissions to create S3 Storage Lens organization-wide configurations. | `organizations:DescribeOrganization` `organizations:ListAccounts` `organizations:ListAWSServiceAccessForOrganization` `organizations:ListDelegatedAdministrators` `iam:CreateServiceLinkedRole` | # Working with Amazon S3 Storage Lens by using the console and API Working with S3 Storage Lens Amazon S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use S3 Storage Lens metrics to identify cost-optimization opportunities, implement data-protection and security best practices, and improve the performance of application workloads. For example, you can identify buckets that don't have S3 Lifecycle rules to expire incomplete multipart uploads that are more than 7 days old. You can also identify buckets that aren't following data-protection best practices, such as using S3 Replication or S3 Versioning. S3 Storage Lens also analyzes metrics to deliver contextual recommendations that you can use to optimize storage costs and apply best practices for protecting your data. S3 Storage Lens aggregates your metrics and displays the information in the **Account snapshot** section on the Amazon S3 console **Buckets** page. S3 Storage Lens also provides an interactive dashboard that you can use to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data protection best practices. Your dashboard has drill-down options to generate and visualize insights at the organization, account, AWS Region, storage class, bucket, prefix, or Storage Lens group level. You can also send a daily metrics report in CSV or Parquet format to a general purpose S3 bucket or export the metrics directly to an AWS-managed S3 table bucket. **Note** Storage Lens only aggregates metrics for [S3 general purpose buckets](UsingBucket.md). The following sections contain examples of creating, updating, and viewing S3 Storage Lens configurations and performing operations related to the feature. If you are using S3 Storage Lens with AWS Organizations, these examples also cover those use cases. In the examples, replace any placeholder values. **Topics** + [ # Create an Amazon S3 Storage Lens dashboard ](storage_lens_creating_dashboard.md) + [ # Update an Amazon S3 Storage Lens dashboard ](storage_lens_editing.md) + [ # Disable an Amazon S3 Storage Lens dashboard ](storage_lens_disabling.md) + [ # Delete an Amazon S3 Storage Lens dashboard ](storage_lens_deleting.md) + [ # List Amazon S3 Storage Lens dashboards ](storage_lens_list_dashboard.md) + [ # View an Amazon S3 Storage Lens dashboard configuration details ](storage_lens_viewing.md) + [ # Managing AWS resource tags with S3 Storage Lens ](storage-lens-groups-manage-tags-dashboard.md) + [ # Helper files for using Amazon S3 Storage Lens ](S3LensHelperFilesCLI.md) # Create an Amazon S3 Storage Lens dashboard Create a dashboard You can create additional S3 Storage Lens custom dashboards that can be scoped to your organization in AWS Organizations or to specific AWS Regions or buckets within an account. **Note** Any updates to your dashboard configuration can take up to 48 hours to accurately display or visualize. ## Using the S3 console Use the following steps to create an Amazon S3 Storage Lens dashboard on the Amazon S3 console. **Step 1: Configure general settings** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to switch to. 1. In the left navigation pane, under **S3 Storage Lens**, choose **Dashboards**. 1. Choose **Create dashboard**. 1. On the **Dashboard** page, in the **General** section, do the following: 1. View the **Home Region** for your dashboard. The home Region is the AWS Region where the configuration and metrics for this Storage Lens dashboard are stored. 1. Enter a dashboard name. Dashboard names must be fewer than 65 characters and must not contain special characters or spaces. **Note** You can't change this dashboard name after the dashboard is created. 1. Choose **Enabled** to display updated daily metrics in your dashboard. 1. (Optional) You can choose to add **Tags** to your dashboard. You can use tags to manage permissions for your dashboard and track costs for S3 Storage Lens. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide* and [Using AWS-generated tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/aws-tags.html) in the *AWS Billing User Guide*. **Note** You can add up to 50 tags to your dashboard configuration. 1. Choose **Next** to save your changes and proceed. **Step 2: Define the dashboard scope** 1. In the **Dashboard scope** section, choose the Regions and buckets that you want S3 Storage Lens to include or exclude in the dashboard. 1. Choose the buckets in your selected Regions that you want S3 Storage Lens to include or exclude. You can either include or exclude buckets, but not both. This option isn't available when you create organization-level dashboards. **Note** You can either include or exclude Regions and buckets. This option is limited to Regions only when creating organization-level dashboards across member accounts in your organization. You can choose up to 50 buckets to include or exclude. 1. Choose **Next** to save your changes and proceed. **Step 3: Choose your Storage Lens tier** 1. In the **Storage Lens tier** section, choose the tier of features that you want to aggregate for this dashboard. 1. To include free metrics aggregated at the bucket level and available for queries for 14 days, choose **Free tier**. 1. To enable advanced metrics, choose **Advanced tier**. These options include prefix or Storage Lens groups aggregation, Amazon CloudWatch publishing, the expanded prefixes report, and contextual recommendations. Data is available for queries for 15 months. Advanced metrics and recommendations have an additional cost. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). For more information about advanced metrics and free metrics, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. Under **Advanced metric categories**, select the category of metrics that you want to enable: + **Activity metrics** + **Detailed status code metrics** + **Cost optimization metrics** + **Data protection metrics** + **Performance metrics** To preview which metrics are included in each category, use the drop-down arrow button below the metrics category checkbox list. For more information about metrics categories, see [Metrics categories](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_types). For a complete list of metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). 1. Choose or specify a **Prefix delimiter** to distinguish levels within each prefix. This value is used to identify each prefix level. The default value in Amazon S3 is the "`/`" character, but your storage structure might use other delimiter characters. 1. Choose **Next** to save your changes and proceed. **Step 4: (Optional) Choose your metrics aggregation** 1. Under **Additional metrics aggregation**, choose which metrics you want to aggregate: + Prefix aggregation + Storage Lens group aggregation 1. If you've enabled **Prefix aggregation**, specify the minimum **Prefix threshold** for your dashboard and **Prefix depth**. Then, choose **Next** to save and proceed. **Note** The **Prefix depth** setting determines how many hierarchical levels deep S3 Storage Lens will analyze your object prefixes, with a maximum limit of 10 levels. The **Prefix threshold** specifies the minimum percentage of total storage that a prefix must represent before it's included in Storage Lens metrics. 1. If you've enabled **Storage Lens group aggregation**, choose one of the following: + **Include Storage Lens groups** + **Exclude Storage Lens groups** 1. When you include Storage Lens groups in your aggregation, you can either **Include all Storage Lens groups in your home Region** or specify Storage Lens groups to include. 1. Choose **Next** to save your changes and proceed. **Step 5: (Optional) Choose your metrics export and publishing settings** 1. Under **Metrics publishing**, choose **CloudWatch publishing** if you want to access your Storage Lens metrics in your CloudWatch dashboard. **Note** Prefix-level metrics aren't available in CloudWatch. 1. Under **Metrics export**, choose which Storage Lens dashboard data you want exported daily: + **Default metrics report** + **Expanded prefixes metrics report** 1. (Optional) If you chose **Default metrics report**, in the **Default metrics report** settings, choose the bucket type. You can export the report to either a general purpose Amazon S3 bucket or AWS-managed S3 table bucket. Based on the selected bucket type, update the **General purpose bucket destination settings** or **Table bucket destination settings** options. **Note** The **default metrics report** only includes prefixes within the set threshold and depth set in prefix aggregation settings. If you choose to specify an encryption key, you must choose an AWS KMS key (SSE-KMS) or Amazon S3 managed key (SSE-S3). If your destination bucket policy requires encryption, you must provide an encryption key for your metrics export. Without the encryption key, the export to S3 fails. For more information, see [Using an AWS KMS key to encrypt your metrics exports](storage_lens_encrypt_permissions.md). 1. (Optional) If you chose **Expanded prefixes metrics report**, in the **Expanded prefixes metrics report** settings, choose the bucket type. You can export the report to either a general purpose Amazon S3 bucket or a read-only S3 table bucket. Based on the selected bucket type, update the **General purpose bucket destination settings** or **Table bucket destination settings**. **Note** The **Expanded prefixes metrics report** includes all prefixes up to prefix depth 50 in all selected buckets that are specified in your dashboard scope. If you choose to specify an encryption key, you must choose an AWS KMS key (SSE-KMS) or Amazon S3 managed key (SSE-S3). If your destination bucket policy requires encryption, you must provide an encryption key for your metrics export. Without the encryption key, the export to S3 fails. For more information, see [Using an AWS KMS key to encrypt your metrics exports](storage_lens_encrypt_permissions.md). 1. Choose **Next** to save your changes and proceed. 1. Review everything on the **Review and Create** page. If there are no additional changes, choose **Next** to save your changes and to create your dashboard. **Step 6: Review your dashboard configuration and create your dashboard** 1. In the **General** section, review your settings. Choose **Edit** to make any changes. 1. In the **Dashboard scope** section, review your settings. Choose **Edit** to make any changes. 1. In the **Storage Lens tier** section, review your settings. Choose **Edit** to make any changes. 1. In the **Metrics aggregation** section, review your settings. Choose **Edit** to make any changes. 1. In the **Metrics export** section, review your settings. Choose **Edit** to make any changes. 1. After reviewing and confirming all your dashboard configuration settings, choose **Submit** to create your dashboard. After you've successfully created your new Storage Lens dashboard, you can view your new dashboard listed under your Storage Lens **Dashboard** page. ## Using the AWS CLI **Example** The following example command creates a Amazon S3 Storage Lens configuration with tags. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control put-storage-lens-configuration --account-id=111122223333 --config-id=example-dashboard-configuration-id --region=us-east-1 --storage-lens-configuration=file://./config.json --tags=file://./tags.json ``` **Example** The following example command creates a Amazon S3 Storage Lens configuration without tags. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control put-storage-lens-configuration --account-id=222222222222 --config-id=your-configuration-id --region=us-east-1 --storage-lens-configuration=file://./config.json ``` ## Using the AWS SDK for Java **Example – Create and update an Amazon S3 Storage Lens configuration** The following example creates and updates an Amazon S3 Storage Lens configuration in SDK for Java: ``` package aws.example.s3control; import software.amazon.awssdk.awscore.exception.AwsServiceException; import software.amazon.awssdk.core.exception.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.AccountLevel; import software.amazon.awssdk.services.s3control.model.ActivityMetrics; import software.amazon.awssdk.services.s3control.model.AdvancedCostOptimizationMetrics; import software.amazon.awssdk.services.s3control.model.AdvancedDataProtectionMetrics; import software.amazon.awssdk.services.s3control.model.AdvancedPerformanceMetrics; import software.amazon.awssdk.services.s3control.model.BucketLevel; import software.amazon.awssdk.services.s3control.model.CloudWatchMetrics; import software.amazon.awssdk.services.s3control.model.DetailedStatusCodesMetrics; import software.amazon.awssdk.services.s3control.model.Format; import software.amazon.awssdk.services.s3control.model.Include; import software.amazon.awssdk.services.s3control.model.OutputSchemaVersion; import software.amazon.awssdk.services.s3control.model.PrefixLevel; import software.amazon.awssdk.services.s3control.model.PrefixLevelStorageMetrics; import software.amazon.awssdk.services.s3control.model.PutStorageLensConfigurationRequest; import software.amazon.awssdk.services.s3control.model.S3BucketDestination; import software.amazon.awssdk.services.s3control.model.SSES3; import software.amazon.awssdk.services.s3control.model.SelectionCriteria; import software.amazon.awssdk.services.s3control.model.StorageLensAwsOrg; import software.amazon.awssdk.services.s3control.model.StorageLensConfiguration; import software.amazon.awssdk.services.s3control.model.StorageLensDataExport; import software.amazon.awssdk.services.s3control.model.StorageLensDataExportEncryption; import software.amazon.awssdk.services.s3control.model.StorageLensExpandedPrefixesDataExport; import software.amazon.awssdk.services.s3control.model.StorageLensTableDestination; import software.amazon.awssdk.services.s3control.model.StorageLensTag; import java.util.Arrays; import java.util.List; public class CreateAndUpdateDashboard { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; String exportAccountId = "Destination Account ID"; String exportBucketArn = "arn:aws:s3:::destBucketName"; // The destination bucket for your metrics export must be in the same Region as your S3 Storage Lens configuration. String awsOrgARN = "arn:aws:organizations::123456789012:organization/o-abcdefgh"; Format exportFormat = Format.CSV; try { SelectionCriteria selectionCriteria = SelectionCriteria.builder() .delimiter("/") .maxDepth(5) .minStorageBytesPercentage(10.0) .build(); PrefixLevelStorageMetrics prefixStorageMetrics = PrefixLevelStorageMetrics.builder() .isEnabled(true) .selectionCriteria(selectionCriteria) .build(); BucketLevel bucketLevel = BucketLevel.builder() .activityMetrics(ActivityMetrics.builder().isEnabled(true).build()) .advancedCostOptimizationMetrics(AdvancedCostOptimizationMetrics.builder().isEnabled(true).build()) .advancedDataProtectionMetrics(AdvancedDataProtectionMetrics.builder().isEnabled(true).build()) .advancedPerformanceMetrics(AdvancedPerformanceMetrics.builder().isEnabled(true).build()) .detailedStatusCodesMetrics(DetailedStatusCodesMetrics.builder().isEnabled(true).build()) .prefixLevel(PrefixLevel.builder().storageMetrics(prefixStorageMetrics).build()) .build(); AccountLevel accountLevel = AccountLevel.builder() .activityMetrics(ActivityMetrics.builder().isEnabled(true).build()) .advancedCostOptimizationMetrics(AdvancedCostOptimizationMetrics.builder().isEnabled(true).build()) .advancedPerformanceMetrics(AdvancedPerformanceMetrics.builder().isEnabled(true).build()) .advancedDataProtectionMetrics(AdvancedDataProtectionMetrics.builder().isEnabled(true).build()) .detailedStatusCodesMetrics(DetailedStatusCodesMetrics.builder().isEnabled(true).build()) .bucketLevel(bucketLevel) .build(); Include include = Include.builder() .buckets(Arrays.asList("arn:aws:s3:::bucketName")) .regions(Arrays.asList("us-west-2")) .build(); StorageLensDataExportEncryption exportEncryption = StorageLensDataExportEncryption.builder() .sses3(SSES3.builder().build()) .build(); S3BucketDestination s3BucketDestination = S3BucketDestination.builder() .accountId(exportAccountId) .arn(exportBucketArn) .encryption(exportEncryption) .format(exportFormat) .outputSchemaVersion(OutputSchemaVersion.V_1) .prefix("Prefix") .build(); StorageLensTableDestination s3TablesDestination = StorageLensTableDestination.builder() .encryption(exportEncryption) .isEnabled(true) .build(); CloudWatchMetrics cloudWatchMetrics = CloudWatchMetrics.builder() .isEnabled(true) .build(); StorageLensDataExport dataExport = StorageLensDataExport.builder() .cloudWatchMetrics(cloudWatchMetrics) .s3BucketDestination(s3BucketDestination) .storageLensTableDestination(s3TablesDestination) .build(); StorageLensAwsOrg awsOrg = StorageLensAwsOrg.builder() .arn(awsOrgARN) .build(); StorageLensExpandedPrefixesDataExport expandedPrefixesDataExport = StorageLensExpandedPrefixesDataExport.builder() .s3BucketDestination(s3BucketDestination) .storageLensTableDestination(s3TablesDestination) .build(); StorageLensConfiguration configuration = StorageLensConfiguration.builder() .id(configurationId) .accountLevel(accountLevel) .include(include) .dataExport(dataExport) .awsOrg(awsOrg) .expandedPrefixesDataExport(expandedPrefixesDataExport) .prefixDelimiter("/") .isEnabled(true) .build(); List tags = Arrays.asList( StorageLensTag.builder().key("key-1").value("value-1").build(), StorageLensTag.builder().key("key-2").value("value-2").build() ); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.putStorageLensConfiguration(PutStorageLensConfigurationRequest.builder() .accountId(sourceAccountId) .configId(configurationId) .storageLensConfiguration(configuration) .tags(tags) .build() ); } catch (AwsServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` For access to S3 Storage Lens groups or expanded prefixes, you must upgrade your dashboard to use the advanced tier. Additional charges apply. For more information about the free and advanced tiers, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). For more information about S3 Storage Lens groups, see [Working with S3 Storage Lens groups to filter and aggregate metrics](storage-lens-groups-overview.md). # Update an Amazon S3 Storage Lens dashboard Update a dashboard The Amazon S3 Storage Lens default dashboard is `default-account-dashboard`. This dashboard is preconfigured by Amazon S3 to help you visualize summarized insights and trends for your entire account's aggregated free and advanced metrics on the console. You can't modify the default dashboard's configuration scope, but you can upgrade the metrics selection from the free metrics to the paid advanced metrics and recommendations, configure the optional metrics export, or even disable the default dashboard. The default dashboard can't be deleted, and can only be disabled. For more information, see [Using the S3 console](storage_lens_console_deleting.md). ## Using the S3 console Use the following steps to update an Amazon S3 Storage Lens dashboard on the Amazon S3 console. **Step 1: Update your dashboard and configure your general settings** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens, Dashboards**. 1. Choose the dashboard that you want to edit. 1. Choose **View dashboard configuration**. 1. Choose **Edit**. You can now review the dashboard configuration, step by step. To make changes to any of the steps, you can click directly on the step using the left navigation. For instructions on how to update those steps, **Note** You can't change the following: The dashboard name The home Region 1. On the **Dashboard** page, in the **General** section, you can make changes to the following: + Choose **Enabled** or **Disabled** to update whether you're receiving daily metrics in your dashboard. + (Optional) You can choose to add **Tags** to your dashboard. You can use tags to manage permissions for your dashboard and track costs for S3 Storage Lens. For more information, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide* and [Using AWS-generated tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/aws-tags.html) in the *AWS Billing User Guide*. **Note** You can add up to 50 tags to your dashboard configuration. 1. Choose **Next** to save your changes and proceed. **Step 2: Update the dashboard scope** 1. In the **Dashboard scope** section, update the Regions and buckets that you want S3 Storage Lens to include or exclude in the dashboard. **Note** You can either include or exclude Regions and buckets. This option is limited to Regions only when creating organization-level dashboards across member accounts in your organization. You can choose up to 50 buckets to include or exclude. 1. Choose the buckets in your selected Regions that you want S3 Storage Lens to include or exclude. You can either include or exclude buckets, but not both. This option isn't available when you create organization-level dashboards. **Note** You can either include or exclude Regions and buckets. This option is limited to Regions only when creating organization-level dashboards across member accounts in your organization. You can choose up to 50 buckets to include or exclude. 1. Choose **Next** to save your changes and proceed. **Step 3: Update your Storage Lens tier Configure the metrics selection** 1. In the **Storage Lens tier** **Metrics selection** section, update the tier of metrics that you want to aggregate for this dashboard. **Note** If you're updating from the **Free tier** to the **Advanced tier**, you'll need to update your **Metrics aggregation** settings. To update your **Metrics aggregation settings**, see **Step 4: Update your metrics aggregation**. If you're updating your Storage Lens tier from the **Advanced tier** to the **Free tier**, you won't need to update any **Metrics aggregation** settings. The **Metrics aggregation** feature only applies to **Advanced tier** metric categories. 1. To include free metrics aggregated at the bucket level and available for queries for 14 days, choose **Free tier**. 1. To enable advanced metrics, choose **Advanced tier**. These options include prefix aggregation, Amazon CloudWatch publishing, and contextual recommendations. Data is available for queries for 15 months. Advanced metrics and recommendations have an additional cost. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). For more information about advanced metrics and free metrics, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. Under **Advanced metric categories**, choose the category of metrics that you want to enable: + **Activity metrics** + **Detailed status code metrics** + **Cost optimization metrics** + **Data protection metrics** + **Performance metrics** To preview which metrics are included in each category, use the drop-down arrow button below the metrics category checkbox list. For more information about metrics categories, see [Metrics categories](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_types). For a complete list of metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). 1. Choose or specify a **Prefix delimiter** to distinguish levels within each prefix. This value is used to identify each prefix level. The default value in Amazon S3 is the "`/`" character, but your storage structure might use other delimiter characters. 1. Choose **Next** to save your changes and proceed. **Step 4: (Optional) Update your metrics aggregation** 1. Under **Additional metrics aggregation**, update which metrics you want to aggregate by choosing one of the following: + Prefix aggregation + Storage Lens group aggregation 1. If you've enabled **Prefix aggregation**, specify the minimum **Prefix threshold** for your dashboard and **Prefix depth**. Then, choose **Next** to save and proceed. 1. If you've enabled **Storage Lens group aggregation**, choose one of the following: + **Include Storage Lens groups** + **Exclude Storage Lens groups** 1. When you include Storage Lens groups in your aggregation, you can either **Include all Storage Lens groups in your home Region** or specify Storage Lens groups to include. 1. Choose **Next** to save your changes and proceed. **Step 5: (Optional) Update your metrics export and publishing settings** 1. Under **Metrics publishing**, choose **CloudWatch publishing** if you want to access your Storage Lens metrics in your CloudWatch dashboard. **Note** Prefix-level metrics aren't available in CloudWatch. 1. Under **Metrics export**, choose which Storage Lens dashboard data you want exported daily: + **Default metrics report** + **Expanded prefixes metrics report** 1. (Optional) If you chose **Default metrics report**, in the **Default metrics report** settings, choose the bucket type. You can export the report to either a general purpose S3 bucket or a read-only S3 table bucket. Based on the selected bucket type, update the **General purpose bucket destination settings** or **Table bucket destination settings** options. **Note** The **default metrics report** only includes prefixes within the set threshold and depth set in prefix aggregation settings. If your prefix aggregation isn't already configured, the threshold includes up to the 100 largest prefixes by size. If you choose to specify an encryption key, you must choose an AWS KMS key (SSE-KMS) or Amazon S3 managed key (SSE-S3). If your destination bucket policy requires encryption, you must provide an encryption key for your metrics export. Without the encryption key, the export to S3 fails. For more information, see [Using an AWS KMS key to encrypt your metrics exports](storage_lens_encrypt_permissions.md). 1. Choose **Next** to save your changes and proceed. 1. (Optional) If you chose **Expanded prefixes metrics report**, in the **Expanded prefixes metrics report** settings, choose the bucket type. You can export the report to either a general purpose S3 bucket or a read-only S3 table bucket. Based on the selected bucket type, update the **General purpose bucket destination settings** or **Table bucket destination settings**. **Note** The **Expanded prefixes metrics report** includes prefixes in all buckets that are specified in your dashboard scope. If you choose to specify an encryption key, you must choose an AWS KMS key (SSE-KMS) or Amazon S3 managed key (SSE-S3). If your destination bucket policy requires encryption, you must provide an encryption key for your metrics export. Without the encryption key, the export to S3 fails. For more information, see [Using an AWS KMS key to encrypt your metrics exports](storage_lens_encrypt_permissions.md). 1. Choose **Next** to save your changes and proceed. **Step 6: Review and update your dashboard configuration** 1. In the **General** section, review your settings. Choose **Edit** to make any changes. 1. In the **Dashboard scope** section, review your settings. Choose **Edit** to make any changes. 1. In the **Storage Lens tier** section, review your settings. Choose **Edit** to make any changes. 1. In the **Metrics aggregation** section, review your settings. Choose **Edit** to make any changes. 1. In the **Metrics export** section, review your settings. Choose **Edit** to make any changes. 1. After reviewing and confirming all your dashboard configuration settings, choose **Submit** to update your dashboard. After you've successfully updated your new Storage Lens dashboard, you can view your updated dashboard configuration listed under your Storage Lens **Dashboard** page. ## Using the AWS CLI **Example** The following example command updates a Amazon S3 Storage Lens dashboard configuration. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control put-storage-lens-configuration --account-id=111122223333 --config-id=example-dashboard-configuration-id --region=us-east-1 --storage-lens-configuration=file://./config.json --tags=file://./tags.json ``` ## Using the AWS SDK for Java **Example – Update a Amazon S3 Storage Lens configuration with advanced metrics and recommendations** The following examples shows you how to update the default S3 Storage Lens configuration with advanced metrics and recommendations in SDK for Java: ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.AccountLevel; import com.amazonaws.services.s3control.model.ActivityMetrics; import com.amazonaws.services.s3control.model.BucketLevel; import com.amazonaws.services.s3control.model.Format; import com.amazonaws.services.s3control.model.Include; import com.amazonaws.services.s3control.model.OutputSchemaVersion; import com.amazonaws.services.s3control.model.PrefixLevel; import com.amazonaws.services.s3control.model.PrefixLevelStorageMetrics; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationRequest; import com.amazonaws.services.s3control.model.S3BucketDestination; import com.amazonaws.services.s3control.model.SSES3; import com.amazonaws.services.s3control.model.SelectionCriteria; import com.amazonaws.services.s3control.model.StorageLensAwsOrg; import com.amazonaws.services.s3control.model.StorageLensConfiguration; import com.amazonaws.services.s3control.model.StorageLensDataExport; import com.amazonaws.services.s3control.model.StorageLensDataExportEncryption; import com.amazonaws.services.s3control.model.StorageLensTag; import java.util.Arrays; import java.util.List; import static com.amazonaws.regions.Regions.US_WEST_2; public class UpdateDefaultConfigWithPaidFeatures { public static void main(String[] args) { String configurationId = "default-account-dashboard"; // This configuration ID cannot be modified. String sourceAccountId = "111122223333"; try { SelectionCriteria selectionCriteria = new SelectionCriteria() .withDelimiter("/") .withMaxDepth(5) .withMinStorageBytesPercentage(10.0); PrefixLevelStorageMetrics prefixStorageMetrics = new PrefixLevelStorageMetrics() .withIsEnabled(true) .withSelectionCriteria(selectionCriteria); BucketLevel bucketLevel = new BucketLevel() .withActivityMetrics(new ActivityMetrics().withIsEnabled(true)) .withPrefixLevel(new PrefixLevel().withStorageMetrics(prefixStorageMetrics)); AccountLevel accountLevel = new AccountLevel() .withActivityMetrics(new ActivityMetrics().withIsEnabled(true)) .withBucketLevel(bucketLevel); StorageLensConfiguration configuration = new StorageLensConfiguration() .withId(configurationId) .withAccountLevel(accountLevel) .withIsEnabled(true); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfiguration(new PutStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withStorageLensConfiguration(configuration) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` For access to S3 Storage Lens groups or expanded prefixes, you must upgrade your dashboard to use the advanced tier. Additional charges apply. For more information about the free and advanced tiers, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). For more information about S3 Storage Lens groups, see [Working with S3 Storage Lens groups to filter and aggregate metrics](storage-lens-groups-overview.md). # Disable an Amazon S3 Storage Lens dashboard Disable a dashboard You can disable an Amazon S3 Storage Lens dashboard from the Amazon S3 console. Disabling a dashboard prevents it from generating metrics in the future. A disabled dashboard still retains its configuration information, so that it can be easily resumed when re-enabled. A disabled dashboard retains its historical data until it's no longer available for queries. # Using the S3 console Use the following steps to disable an Amazon S3 Storage Lens dashboard on the Amazon S3 console. **To disable an Amazon S3 Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to disable, and then choose **Disable** at the top of the list. 1. On the confirmation page, confirm that you want to disable the dashboard by entering the name of dashboard in the text field, and then choose **Confirm**. # Delete an Amazon S3 Storage Lens dashboard Delete a dashboard You can't delete the default dashboard. However, you can disable it. Before deleting a dashboard that you've created, consider the following: + As an alternative to deleting a dashboard, you can *disable* the dashboard so that it is available to be re-enabled in the future. For more information, see [Using the S3 console](storage_lens_console_disabling.md). + Deleting the dashboard deletes all the configuration settings that are associated with it. + Deleting a dashboard makes all the historic metrics data unavailable. This historical data is still retained for 15 months. If you want to access this data again, create a dashboard with the same name in the same home Region as the one that was deleted. # Using the S3 console Deleting a dashboard You can delete an Amazon S3 Storage Lens dashboard from the Amazon S3 console. However, deleting a dashboard prevents it from generating metrics in the future. **Deleting an Amazon S3 Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to delete, and then choose **Delete** at the top of the list. 1. On the **Delete dashboards** page, confirm that you want to delete the dashboard by entering the name of dashboard in the text field. Then choose **Confirm**. # Using the AWS CLI **Example** The following example deletes a S3 Storage Lens configuration. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control delete-storage-lens-configuration --account-id=222222222222 --region=us-east-1 --config-id=your-configuration-id ``` ## Using the AWS SDK for Java **Example – Delete an Amazon S3 Storage Lens dashboard configuration** The following example shows you how to delete an S3 Storage Lens configuration using SDK for Java: ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.DeleteStorageLensConfigurationRequest; import static com.amazonaws.regions.Regions.US_WEST_2; public class DeleteDashboard { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; try { AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.deleteStorageLensConfiguration(new DeleteStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # List Amazon S3 Storage Lens dashboards List dashboards # Using the S3 console **To list S3 Storage Lens dashboards** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, navigate to **Storage Lens**. 1. Choose **Dashboards**. You can now view the dashboards in your AWS account. ## Using the AWS CLI **Example** The following example command lists the S3 Storage Lens dashboards in your AWS account. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control list-storage-lens-configurations --account-id=222222222222 --region=us-east-1 --next-token=abcdefghij1234 ``` **Example** The following example lists S3 Storage Lens configurations without a next token. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control list-storage-lens-configurations --account-id=222222222222 --region=us-east-1 ``` ## Using the AWS SDK for Java **Example – List S3 Storage Lens dashboard configurations** The following examples shows you how to list S3 Storage Lens configurations in SDK for Java. To use this example, replace the `user input placeholders` with your own information." to each example description. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.ListStorageLensConfigurationEntry; import com.amazonaws.services.s3control.model.ListStorageLensConfigurationsRequest; import java.util.List; import static com.amazonaws.regions.Regions.US_WEST_2; public class ListDashboard { public static void main(String[] args) { String sourceAccountId = "111122223333"; String nextToken = "nextToken"; try { AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); final List configurations = s3ControlClient.listStorageLensConfigurations(new ListStorageLensConfigurationsRequest() .withAccountId(sourceAccountId) .withNextToken(nextToken) ).getStorageLensConfigurationList(); System.out.println(configurations.toString()); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # View an Amazon S3 Storage Lens dashboard configuration details View dashboard details You can view a Amazon S3 Storage Lens dashboard from the Amazon S3 console, AWS CLI, and SDK for Java. # Using the S3 console **To view S3 Storage Lens dashboard configuration details** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. On the left navigation pane, navigate to **Storage Lens**. 1. Choose **Dashboards**. 1. From the **Dashboards** list, click on the dashboard that you want to view. You can now view the details of your Storage Lens dashboard. ## Using the AWS CLI **Example** The following example retrieves an S3 Storage Lens configuration so that you can view the configuration details. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control get-storage-lens-configuration --account-id=222222222222 --config-id=your-configuration-id --region=us-east-1 ``` ## Using the AWS SDK for Java **Example – Retrieve and view an S3 Storage Lens configuration** The following example shows you how to retrieve an S3 Storage Lens configuration in SDK for Java so that you can view the configuration details. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.GetStorageLensConfigurationRequest; import com.amazonaws.services.s3control.model.GetStorageLensConfigurationResult; import com.amazonaws.services.s3control.model.StorageLensConfiguration; import static com.amazonaws.regions.Regions.US_WEST_2; public class GetDashboard { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; try { AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); final StorageLensConfiguration configuration = s3ControlClient.getStorageLensConfiguration(new GetStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) ).getStorageLensConfiguration(); System.out.println(configuration.toString()); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Managing AWS resource tags with S3 Storage Lens Manage AWS resource tags with Storage Lens Each Amazon S3 Storage Lens dashboard is counted as an AWS resource with its own Amazon Resource Name (ARN). Therefore, when you configure your Storage Lens dashboard, you can optionally add AWS resource tags to the dashboard. You can add up to 50 tags for each Storage Lens dashboard. To create a Storage Lens dashboard with tags, you must have the following [S3 Storage Lens permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_iam_permissions.html): + `s3:ListStorageLensConfigurations` + `s3:GetStorageLensConfiguration` + `s3:GetStorageLensConfigurationTagging` + `s3:PutStorageLensConfiguration` + ` s3:PutStorageLensConfigurationTagging` You can use AWS resource tags to categorize resources according to department, line of business, or project. This is useful when you have many resources of the same type. By applying tags, you can quickly identify a specific S3 Storage Lens dashboard based on the tags that you've assigned to it. You can also use tags to track and allocate costs. In addition, when you add an AWS resource tag to your Storage Lens dashboard, you activate [attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html). ABAC is an authorization strategy that defines permissions based on attributes such as tags. You can also use conditions that specify resource tags in your IAM policies to [control access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources). You can edit tag keys and values, and you can remove tags from a resource at any time. Also, be aware of the following limitations: + Tag keys and tag values are case sensitive. + If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. + If you delete a resource, any tags for the resource are also deleted. + Don't include private or sensitive data in your AWS resource tags. + System tags (with tag keys that begin with `aws:`) aren't supported. + The length of each tag key can't exceed 128 characters. The length of each tag value can't exceed 256 characters. The following examples demonstrate how to use AWS resource tags with Storage Lens dashboard. **Topics** + [ # Add AWS resource tags to a Storage Lens dashboard ](storage-lens-add-tags.md) + [ # Retrieve AWS resource tags for a Storage Lens dashboard ](storage-lens-get-tags.md) + [ # Updating Storage Lens dashboard tags ](storage-lens-update-tags.md) + [ # Deleting AWS resource tags from a S3 Storage Lens dashboard ](storage-lens-dashboard-delete-tags.md) # Add AWS resource tags to a Storage Lens dashboard Add AWS resource tags to a dashboard The following examples demonstrate how to add AWS resource tags to an S3 Storage Lens dashboard. You can add resource tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To add AWS resource tags to a Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, navigate to **Storage Lens** on the left navigation panel. 1. Choose **Dashboards**. 1. Choose the radio button for the Storage Lens dashboard that you want to update. Then, choose **Edit**. 1. Under **General**, choose **Add tag**. 1. On the **Add tag** page, add the new key-value pair. **Note** Adding a new tag with the same key as an existing tag overwrites the previous tag value. 1. (Optional) To add more than one new tag, choose **Add tag** again to continue adding new entries. You can add up to 50 AWS resource tags to your Storage Lens dashboard. 1. (Optional) If you want to remove a newly added entry, choose **Remove** next to the tag that you want to remove. 1. Choose **Save changes**. ## Using the AWS CLI **Example** The following example command adds tags to a S3 Storage Lens dashboard configuration. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control put-storage-lens-configuration-tagging --account-id=222222222222 --region=us-east-1 --config-id=your-configuration-id --tags=file://./tags.json ``` ## Using the AWS SDK for Java The following example adds tags to an Amazon S3 Storage Lens configuration in SDK for Java. To use this example, replace the `user input placeholders` with your own information. **Example – Add tags to an S3 Storage Lens configuration** ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationTaggingRequest; import com.amazonaws.services.s3control.model.StorageLensTag; import java.util.Arrays; import java.util.List; import static com.amazonaws.regions.Regions.US_WEST_2; public class PutDashboardTagging { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; try { List tags = Arrays.asList( new StorageLensTag().withKey("key-1").withValue("value-1"), new StorageLensTag().withKey("key-2").withValue("value-2") ); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfigurationTagging(new PutStorageLensConfigurationTaggingRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withTags(tags) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Retrieve AWS resource tags for a Storage Lens dashboard Retrieve AWS resource tags for a dashboard The following examples demonstrate how to retrieve AWS resource tags for a S3 Storage Lens dashboard. You can get resource tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. # Using the S3 console **To retrieve the AWS resource tags for a Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, navigate to **Storage Lens**. 1. Choose **Dashboards**. 1. Choose the radio button for the Storage Lens dashboard configuration that you want to view. Then, choose **View dashboard configuration**. 1. Under **Tags**, review the tags associated with the dashboard. 1. (Optional) If you want to add a new tag, choose **Edit**. Then, choose **Add tag**. On the **Add tag** page, add the new key-value pair. **Note** Adding a new tag with the same key as an existing tag overwrites the previous tag value. 1. (Optional) If you want to remove a newly added entry, choose **Remove** next to the tag that you want to remove. 1. Choose **Save changes**. ## Using the AWS CLI **Example** The following example command retrieves tags for a S3 Storage Lens dashboard configuration. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control get-storage-lens-configuration-tagging --account-id=222222222222 --region=us-east-1 --config-id=your-configuration-id --tags=file://./tags.json ``` ## Using the AWS SDK for Java **Example – Get tags for an S3 Storage Lens dashboard configuration** The following example shows you how to retrieve tags for an S3 Storage Lens dashboard configuration in SDK for Java. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.DeleteStorageLensConfigurationRequest; import com.amazonaws.services.s3control.model.GetStorageLensConfigurationTaggingRequest; import com.amazonaws.services.s3control.model.StorageLensTag; import java.util.List; import static com.amazonaws.regions.Regions.US_WEST_2; public class GetDashboardTagging { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; try { AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); final List s3Tags = s3ControlClient .getStorageLensConfigurationTagging(new GetStorageLensConfigurationTaggingRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) ).getTags(); System.out.println(s3Tags.toString()); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Updating Storage Lens dashboard tags Update dashboard tags The following examples demonstrate how to update Storage Lens dashboard tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To update an AWS resource tag for a Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, navigate to **Storage Lens**. 1. Choose **Dashboards**. 1. Choose the radio button for the Storage Lens dashboard configuration that you want to view. Then, choose **View dashboard configuration**. 1. Under **Tags**, review the tags associated with the dashboard. 1. (Optional) If you want to add a new tag, choose **Edit**. Then, choose **Add tag**. On the **Add tag** page, add the new key-value pair. **Note** Adding a new tag with the same key as an existing tag overwrites the previous tag value. 1. (Optional) If you want to remove a newly added entry, choose **Remove** next to the tag that you want to remove. 1. Choose **Save changes**. ## Using the AWS CLI **Example** The following example command adds or replaces tags on an existing Amazon S3 Storage Lens dashboard configuration. To use these examples, replace the `user input placeholders` with your own information. ``` aws s3control put-storage-lens-configuration-tagging --account-id=111122223333 --config-id=example-dashboard-configuration-id --region=us-east-1 --config-id=your-configuration-id ``` ## Using the AWS SDK for Java The following AWS SDK for Java example updates the AWS resource tags on an existing Storage Lens dashboard. To use this example, replace the `user input placeholders` with your own information. **Example – Update tags on an existing Storage Lens dashboard configuration** ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationTaggingRequest; import com.amazonaws.services.s3control.model.StorageLensTag; import java.util.Arrays; import java.util.List; import static com.amazonaws.regions.Regions.US_WEST_2; public class PutDashboardTagging { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; try { List tags = Arrays.asList( new StorageLensTag().withKey("key-1").withValue("value-1"), new StorageLensTag().withKey("key-2").withValue("value-2") ); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfigurationTagging(new PutStorageLensConfigurationTaggingRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withTags(tags) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Deleting AWS resource tags from a S3 Storage Lens dashboard Delete AWS resource tags from a dashboard The following examples demonstrate how to delete AWS resource tags from an existing Storage Lens dashboard. You can delete tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To delete AWS resource tags from an existing Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, navigate to **Storage Lens**. 1. Choose **Dashboards**. 1. Choose the radio button for the Storage Lens dashboard configuration that you want to view. Then, choose **View dashboard configuration**. 1. Under **Tags**, review the tags associated with the dashboard. 1. Choose **Remove** next to the tag that you want to remove. 1. Choose **Save changes**. ## Using the AWS CLI The following AWS CLI command deletes AWS resource tags from an existing Storage Lens dashboard. To use this example command, replace the `user input placeholders` with your own information. **Example** ``` aws s3control delete-storage-lens-configuration-tagging --account-id=222222222222 --config-id=your-configuration-id --region=us-east-1 ``` ## Using the AWS SDK for Java The following AWS SDK for Java example deletes an AWS resource tag from the Storage Lens dashboard using the Amazon Resource Name (ARN) that you specify in account `111122223333`. To use this example, replace the `user input placeholders` with your own information. **Example – Delete tags for an S3 Storage Lens dashboard configuration** ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.DeleteStorageLensConfigurationTaggingRequest; import static com.amazonaws.regions.Regions.US_WEST_2; public class DeleteDashboardTagging { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "111122223333"; try { AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.deleteStorageLensConfigurationTagging(new DeleteStorageLensConfigurationTaggingRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Helper files for using Amazon S3 Storage Lens Helper files Use the following JSON files and its key inputs for your examples. ## S3 Storage Lens example configuration in JSON **Example `config.json`** The `config.json` file contains the details of a S3 Storage Lens Organizations-level *advanced metrics and recommendations* configuration. To use the following example, replace the `user input placeholders` with your own information. Additional charges apply for advanced metrics and recommendations. For more information, see [advanced metrics and recommendations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_metrics_selection). ``` { "Id": "SampleS3StorageLensConfiguration", //Use this property to identify your S3 Storage Lens configuration. "AwsOrg": { //Use this property when enabling S3 Storage Lens for AWS Organizations. "Arn": "arn:aws:organizations::123456789012:organization/o-abcdefgh" }, "AccountLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "AdvancedDataProtectionMetrics": { "IsEnabled":true }, "DetailedStatusCodesMetrics": { "IsEnabled":true }, "BucketLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedDataProtectionMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "DetailedStatusCodesMetrics": { "IsEnabled":true }, "PrefixLevel":{ "StorageMetrics":{ "IsEnabled":true, "SelectionCriteria":{ "MaxDepth":5, "MinStorageBytesPercentage":1.25, "Delimiter":"/" } } } } }, "Exclude": { //Replace with "Include" if you prefer to include Regions. "Regions": [ "eu-west-1" ], "Buckets": [ //This attribute is not supported for AWS Organizations-level configurations. "arn:aws:s3:::amzn-s3-demo-source-bucket" ] }, "IsEnabled": true, //Whether the configuration is enabled "DataExport": { //Details about the metrics export "S3BucketDestination": { "OutputSchemaVersion": "V_1", "Format": "CSV", //You can add "Parquet" if you prefer. "AccountId": "111122223333", "Arn": "arn:aws:s3::: amzn-s3-demo-destination-bucket", // The destination bucket for your metrics export must be in the same Region as your S3 Storage Lens configuration. "Prefix": "prefix-for-your-export-destination", "Encryption": { "SSES3": {} } }, "CloudWatchMetrics": { "IsEnabled": true } } } ``` ## S3 Storage Lens example configuration with Storage Lens groups in JSON **Example `config.json`** The `config.json` file contains the details that you want to apply to your Storage Lens configuration when using Storage Lens groups. To use the example, replace the `user input placeholders` with your own information. To attach all Storage Lens groups to your dashboard, update your Storage Lens configuration with the following syntax: ``` { "Id": "ExampleS3StorageLensConfiguration", "AccountLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "AdvancedDataProtectionMetrics": { "IsEnabled":true }, "BucketLevel": { "ActivityMetrics": { "IsEnabled":true }, "StorageLensGroupLevel": {}, "IsEnabled": true } ``` To include only two Storage Lens groups in your Storage Lens dashboard configuration (*slg-1* and *slg-2*), use the following syntax: ``` { "Id": "ExampleS3StorageLensConfiguration", "AccountLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "AdvancedDataProtectionMetrics": { "IsEnabled":true }, "BucketLevel": { "ActivityMetrics": { "IsEnabled":true }, "StorageLensGroupLevel": { "SelectionCriteria": { "Include": [ "arn:aws:s3:us-east-1:111122223333:storage-lens-group/slg-1", "arn:aws:s3:us-east-1:444455556666:storage-lens-group/slg-2" ] }, "IsEnabled": true } ``` To exclude only certain Storage Lens groups from being attached to your dashboard configuration, use the following syntax: ``` { "Id": "ExampleS3StorageLensConfiguration", "AccountLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "AdvancedDataProtectionMetrics": { "IsEnabled":true }, "BucketLevel": { "ActivityMetrics": { "IsEnabled":true }, "StorageLensGroupLevel": { "SelectionCriteria": { "Exclude": [ "arn:aws:s3:us-east-1:111122223333:storage-lens-group/slg-1", "arn:aws:s3:us-east-1:444455556666:storage-lens-group/slg-2" ] }, "IsEnabled": true } ``` ## S3 Storage Lens example tags configuration in JSON **Example `tags.json`** The `tags.json` file contains the tags that you want to apply to your S3 Storage Lens configuration. To use this example, replace the `user input placeholders` with your own information. ``` [ { "Key": "key1", "Value": "value1" }, { "Key": "key2", "Value": "value2" } ] ``` ## S3 Storage Lens example configuration IAM permissions **Example `permissions.json` – Specific dashboard name** This example policy shows an S3 Storage Lens IAM `permissions.json` file with a specific dashboard name specified. Replace *`value1`*, `us-east-1`, `your-dashboard-name`, and `example-account-id` with your own values. **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetStorageLensConfiguration", "s3:DeleteStorageLensConfiguration", "s3:PutStorageLensConfiguration" ], "Condition": { "StringEquals": { "aws:ResourceTag/key1": "value1" } }, "Resource": "arn:aws:s3:us-east-1:111122223333:storage-lens/your-dashboard-name" } ] } ``` **Example `permissions.json` – No specific dashboard name** This example policy shows an S3 Storage Lens IAM `permissions.json` file without a specific dashboard name specified. Replace *`value1`*, `us-east-1`, and `example-account-id` with your own values. **** ``` { "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetStorageLensConfiguration", "s3:DeleteStorageLensConfiguration", "s3:PutStorageLensConfiguration" ], "Condition": { "StringEquals": { "aws:ResourceTag/key1": "value1" } }, "Resource": "arn:aws:s3:us-east-1:111122223333:storage-lens/*" } ] } ``` # Viewing metrics with Amazon S3 Storage Lens Viewing storage metrics S3 Storage Lens aggregates your metrics and displays the information in the **Account snapshot** section on the Amazon S3 console **Buckets** page. S3 Storage Lens also provides an interactive dashboard that you can use to visualize insights and trends, flag outliers, and receive recommendations for optimizing storage costs and applying data protection best practices. Your dashboard has drill-down options to generate and visualize insights at the organization, account, AWS Region, storage class, bucket, prefix, or Storage Lens group level. You can also send a daily metrics report in CSV or Parquet format to a general purpose S3 bucket or export the metrics directly to an AWS-managed S3 table bucket. By default, all dashboards are configured with free metrics, which include metrics that you can use to understand usage and activity across your S3 storage, optimize your storage costs, and implement data-protection and access-management best practices. Free metrics are aggregated down to the bucket level. With free metrics, data is available for queries for up to 14 days. Advanced metrics and recommendations include the following additional features that you can use to gain further insight into usage and activity across your storage and best practices for optimizing your storage: + Contextual recommendations (available only in the dashboard) + Advanced metrics (including activity metrics aggregated by bucket) + Prefix aggregation + Storage Lens group aggregation + Storage Lens group aggregation + Amazon CloudWatch publishing Advanced metrics data is available for queries for 15 months. There are additional charges for using S3 Storage Lens with advanced metrics. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). For more information about free and advanced metrics, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). **Topics** + [ # Viewing S3 Storage Lens metrics on the dashboards ](storage_lens_view_metrics_dashboard.md) + [ # Viewing Amazon S3 Storage Lens metrics using a data export ](storage_lens_view_metrics_export.md) + [ # Monitor S3 Storage Lens metrics in CloudWatch ](storage_lens_view_metrics_cloudwatch.md) + [ # Amazon S3 Storage Lens metrics use cases ](storage-lens-use-cases.md) # Viewing S3 Storage Lens metrics on the dashboards Viewing metrics on the dashboards In the Amazon S3 console, S3 Storage Lens provides an interactive default dashboard that you can use to visualize insights and trends in your data. You can also use this dashboard to flag outliers and receive recommendations for optimizing storage costs and applying data-protection best practices. Your dashboard has drill-down options to generate insights at the account, bucket, AWS Region, prefix, or Storage Lens group level. If you've enabled S3 Storage Lens to work with AWS Organizations, you can also generate insights at the organization level (such as data for all accounts that are part of your AWS Organizations hierarchy). The dashboard always loads for the latest date that has metrics available. The S3 Storage Lens default dashboard on the console is named **default-account-dashboard**. Amazon S3 pre-configures this dashboard to visualize the summarized insights and trends for your entire account and updates them daily in the S3 console. You can't modify the configuration scope of the default dashboard, but you can upgrade the metrics selection from the free metrics to the paid advanced metrics and recommendations. With advanced metrics and recommendations, you can access additional metrics and features. These features include advanced metric categories, prefix-level aggregation, contextual recommendations, and Amazon CloudWatch publishing. You can disable the default dashboard, but you can't delete it. If you disable your default dashboard, it is no longer updated. You also will no longer receive any new daily metrics in S3 Storage Lens or in the **Account snapshot** section on the **Buckets** page. You can still see historic data in the default dashboard until the 14-day period for data queries expires. This period is 15 months if you've enabled advanced metrics and recommendations. To access this data, you can re-enable the default dashboard within the expiration period. You can create additional S3 Storage Lens dashboards and scope them by AWS Regions, S3 buckets, or accounts. You can also scope your dashboards by organization if you've enabled Storage Lens to work with AWS Organizations. When you create or edit an S3 Storage Lens dashboard, you define your dashboard scope and metrics selection. You can disable or delete any additional dashboards that you create. + If you disable a dashboard, it is no longer updated, and you will no longer receive any new daily metrics. You can still see historic data for free metrics until the 14-day expiration period. If you enabled advanced metrics and recommendations for that dashboard, this period is 15 months. To access this data, you can re-enable the dashboard within the expiration period. + If you delete your dashboard, you lose all your dashboard configuration settings. You will no longer receive any new daily metrics, and you also lose access to the historical data associated with that dashboard. If you want to access the historic data for a deleted dashboard, you must create another dashboard with the same name in the same home Region. **Topics** + [ ## Viewing an Amazon S3 Storage Lens dashboard ](#storage_lens_console_viewing) + [ ## Understanding your S3 Storage Lens dashboard ](#storage_lens_console_viewing_dashboard) ## Viewing an Amazon S3 Storage Lens dashboard Viewing a dashboard The following procedure shows how to view an S3 Storage Lens dashboard in the S3 console. For use-case based walkthroughs that show how to use your dashboard to optimize costs, implement best practices, and improve the performance of applications that access your S3 buckets, see [Amazon S3 Storage Lens metrics use cases](storage-lens-use-cases.md). **Note** You can't use your account's root user credentials to view Amazon S3 Storage Lens dashboards. To access S3 Storage Lens dashboards, you must grant the required AWS Identity and Access Management (IAM) permissions to a new or existing IAM user. Then, sign in with those user credentials to access S3 Storage Lens dashboards. For more information, see [Setting Amazon S3 Storage Lens permissions](storage_lens_iam_permissions.md) and [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*. 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. Your dashboard opens in S3 Storage Lens. The **Snapshot for *date*** section shows the latest date that S3 Storage Lens has collected metrics for. Your dashboard always loads the latest date that has metrics available. 1. (Optional) To change the date for your S3 Storage Lens dashboard, in the top-right date selector, choose a new date. 1. (Optional) To apply temporary filters to further limit the scope of your dashboard data, do the following: 1. Expand the **Filters** section. 1. To filter by specific accounts, AWS Regions, storage classes, buckets, prefixes, or Storage Lens groups, choose the options to filter by. **Note** The **Prefixes** filter and the **Storage Lens groups** filter can’t be applied at the same time. 1. To update a filter, choose **Apply**. 1. To remove a filter, click on the **X** next to the filter. 1. In any section in your S3 Storage Lens dashboard, to see data for a specific metric, for **Metric**, choose the metric name. 1. In any chart or visualization in your S3 Storage Lens dashboard, you can drill down into deeper levels of aggregation by using the **Accounts**, **AWS Regions**, **Storage classes**, **Buckets**, **Prefixes**, or **Storage Lens groups** tabs. For an example, see [Uncover cold Amazon S3 buckets](storage-lens-optimize-storage.md#uncover-cold-buckets). ## Understanding your S3 Storage Lens dashboard Understanding your dashboard Your S3 Storage Lens dashboard has a primary **Overview** tab, and up to five additional tabs that represent each aggregation level: + **Accounts** + **AWS Regions** + **Storage classes** + **Buckets** + **Prefixes** + **Storage Lens groups** On the **Overview** tab, your dashboard data is aggregated into three different sections: **Snapshot for *date***, **Trends and distributions**, and **Top N overview**. For more information about your S3 Storage Lens dashboard, see the following sections. ### Snapshot The **Snapshot for *date*** section shows summary metrics that S3 Storage Lens has aggregated for the date selected. These summary metrics include the following metrics: + **Total storage** – The total amount of storage used in bytes. + **Object count** – The total number of objects in your AWS account. + **Average object size** – The average object size. + **Active buckets** – The total number of active buckets in active usage with storage > 0 bytes in your account. + **Accounts** – The number of accounts whose storage is in scope. This value is **1** unless you are using AWS Organizations and your S3 Storage Lens has trusted access with a valid service-linked role. For more information, see [Using service-linked roles for Amazon S3 Storage Lens](using-service-linked-roles.md). + **Buckets** – The total number of buckets in your account. **Metric data** For each metric that appears in the snapshot, you can see the following data: + **Metric name** – The name of the metric. + **Metric category** – The category that the metric is organized into. + **Total for *date*** – The total count for the date selected. + **% change** – The percentage change from the last snapshot date. + **30-day trend** – A trend-line showing the changes for the metric over a 30-day period. + **Recommendation** – A contextual recommendation based on the data that's provided in the snapshot. Recommendations are available with advanced metrics and recommendations. For more information, see [Recommendations](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_recommendations). **Metrics categories** You can optionally update your dashboard **Snapshot for *date*** section to display metrics for other categories. If you want to see snapshot data for additional metrics, you can choose from the following **Metrics categories**: + **Cost optimization** + **Data protection** + **Activity** (available with advanced metrics) + **Access management** + **Performance** + **Events** The **Snapshot for *date*** section displays only a selection of metrics for each category. To see all metrics for a specific category, choose the metric in the **Trends and distributions** or **Top N overview** sections. For more information about metric categories, see [Metrics categories](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_types). For a complete list of S3 Storage Lens metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). ### Trends and distributions The second section of the **Overview** tab is **Trends and distributions**. In the **Trends and distributions** section, you can choose two metrics to compare over a date range that you define. The **Trends and distributions** section shows the relationship between two metrics over time. This section displays charts that you can use to see the **Storage class** and **Region** distribution between the two trends that you are tracking. You can optionally drill down into a data point in one of the charts for deeper analysis. For a walkthrough that uses the **Trends and distributions** section, see [Identify buckets that don't use server-side encryption with AWS KMS for default encryption (SSE-KMS)](storage-lens-data-protection.md#storage-lens-sse-kms). ### Top N overview The third section of the S3 Storage Lens dashboard is **Top N overview** (sorted in ascending or descending order). This section displays your selected metrics across the top number of accounts, AWS Regions, buckets, prefixes, or Storage Lens groups. If you enabled S3 Storage Lens to work with AWS Organizations, you can also see your selected metrics across your organization. For a walkthrough that uses the **Top N overview** section, see [Identify your largest S3 buckets](storage-lens-optimize-storage.md#identify-largest-s3-buckets). ### Drill down and analyze by options To provide a fluid experience for analysis, the S3 Storage Lens dashboard provides an action menu, which appears when you choose any chart value. To use this menu, choose any chart value to see the associated metrics values, and then choose from two options in the box that appears: + The **Drill down** action applies the selected value as a filter across all tabs of your dashboard. You can then drill down into that value for deeper analysis. + The **Analyze by** action takes you to the **Dimension** tab that you select and applies that tab value as a filter. These tabs include **Accounts**, **AWS Regions**, **Storage classes**, **Buckets**, **Prefixes** (for dashboards that have **Advanced metrics** and **Prefix aggregation** enabled), and **Storage Lens groups** (for dashboards that have **Advanced metrics** and **Storage Lens group aggregation** enabled). With **Analyze by**, you can view the data in the context of the new dimension for deeper analysis. The **Drill down** and **Analyze by** actions might be disabled if the outcome would yield illogical results or would not have any value. Both the **Drill down** and **Analyze by** actions apply filters on top of any existing filters across all tabs of the dashboard. You can also remove the filters as needed. ### Tabs The dimension-level tabs provide a detailed view of all values within a particular dimension. For example, the **AWS Regions** tab shows metrics for all AWS Regions, and the **Buckets** tab shows metrics for all buckets. Each dimension tab contains an identical layout consisting of four sections: + A trend chart that displays your top *N* items within the dimension over the last 30 days for the selected metric. By default, this chart displays the top 10 items, but you can decrease it to at least 3 items or increase it up to 50 items. + A histogram chart that shows a vertical bar chart for the selected date and metric. If you have a large number of items to display in this chart, you might need to scroll horizontally. + A bubble analysis chart that plots all items within the dimension. This chart represents the first metric on the x axis and the second metric on the y axis. The third metric is represented by the size of the bubble. + A metric grid view that contains each item in the dimension listed in rows. The columns represent each available metric, arranged in metrics category tabs for easier navigation. # Viewing Amazon S3 Storage Lens metrics using a data export Viewing metrics in a data export Amazon S3 Storage Lens metrics are generated daily in CSV or Apache Parquet-formatted metrics export files and placed in an S3 general purpose bucket in your account. From there, you can ingest the metrics export into the analytics tools of your choice, such as Amazon Quick and Amazon Athena, where you can analyze storage usage and activity trends. You can also send daily metric exports to an AWS-managed S3 table bucket for immediate querying, using AWS analytics services or third-party tools. **Topics** + [ # Using an AWS KMS key to encrypt your metrics exports ](storage_lens_encrypt_permissions.md) + [ # What is an S3 Storage Lens export manifest? ](storage_lens_whatis_metrics_export_manifest.md) + [ # Understanding the Amazon S3 Storage Lens export schemas ](storage_lens_understanding_metrics_export_schema.md) # Using an AWS KMS key to encrypt your metrics exports Encrypting metrics exports To grant Amazon S3 Storage Lens permission to encrypt your metrics exports by using a customer managed key, you must use a key policy. To update your key policy so that you can use a KMS key to encrypt your S3 Storage Lens metrics exports, follow these steps. **To grant S3 Storage Lens permissions to encrypt data by using your KMS key** 1. Sign into the AWS Management Console by using the AWS account that owns the customer managed key. 1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). 1. To change the AWS Region, use the **Region selector** in the upper-right corner of the page. 1. In the left navigation pane, choose **Customer managed keys**. 1. Under **Customer managed keys**, choose the key that you want to use to encrypt the metrics exports. AWS KMS keys are Region-specific and must be in the same Region as the metrics export destination S3 bucket. 1. Under **Key policy**, choose **Switch to policy view**. 1. To update the key policy, choose **Edit**. 1. Under **Edit key policy**, add the following key policy to the existing key policy. To use this policy, replace the ` user input placeholders ` with your information. ``` { "Sid": "Allow Amazon S3 Storage Lens use of the KMS key", "Effect": "Allow", "Principal": { "Service": "storage-lens.s3.amazonaws.com" }, "Action": [ "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws:s3:us-east-1: source-account-id:storage-lens/your-dashboard-name", "aws:SourceAccount": "source-account-id" } } } ``` 1. Choose **Save changes**. For more information about creating customer managed keys and using key policies, see the following topics in the *AWS Key Management Service Developer Guide*: + [Create a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) + [Key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) You can also use the AWS KMS `PUT` key policy API operation ([https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html)) to copy the key policy to the customer managed keys that you want to use to encrypt the metrics exports by using the REST API, AWS CLI, and SDKs. # What is an S3 Storage Lens export manifest? What is an export manifest? S3 Storage Lens daily metrics exports in general-purpose buckets may be split into multiple files due to the large amount of data aggregated. The manifest file `manifest.json` describes where the metrics export files for that day are located. Whenever a new export is delivered, it's accompanied by a new manifest. Each manifest contained in the `manifest.json` file provides metadata and other basic information about the export. The manifest information includes the following properties: + `sourceAccountId` – The account ID of the configuration owner. + `configId` – A unique identifier for the dashboard. + `destinationBucket` – The destination bucket Amazon Resource Name (ARN) that the metrics export is placed in. + `reportVersion` – The version of the export. + `reportDate` – The date of the report. + `reportFormat` – The format of the report. + `reportSchema` – The schema of the report. + `reportFiles` – The actual list of the export report files that are in the destination bucket. Manifest destination path example: ``` user-defined-prefix/StorageLens/111122223333/example-dashboard-configuration-id/V_1/manifests/dt=2025-03-18/manifest.json ``` The following example shows a `manifest.json` file for a CSV-formatted Storage Lens default metrics report: ``` { "sourceAccountId": "111122223333", "configId": "example-dashboard-configuration-id", "destinationBucket": "arn:aws:s3:::amzn-s3-demo-destination-bucket", "reportVersion": "V_1", "reportDate": "2025-07-15", "reportFormat": "CSV", "reportSchema": "version_number,configuration_id,report_date,aws_account_number,aws_region,storage_class,record_type,record_value,bucket_name,metric_name,metric_value", "reportFiles": [ { "key": "DestinationPrefix/StorageLens/111122223333/example-dashboard-configuration-id/V_1/reports/dt=2025-07-15/12345678-1234-1234-1234-123456789012.csv", "size": 1603959, "md5Checksum": "2177e775870def72b8d84febe1ad3574" } ] } ``` The following example shows a `manifest.json` file for a CSV-formatted Storage Lens expanded prefixes metrics report: ``` { "sourceAccountId": "111122223333", "configId": "example-dashboard-configuration-id", "destinationBucket": "arn:aws:s3:::amzn-s3-demo-destination-bucket", "reportVersion": "V_1", "reportDate": "2025-11-03", "reportFormat": "CSV", "reportSchema": "version_number,configuration_id,report_date,aws_account_number,aws_region,storage_class,record_type,record_value,bucket_name,metric_name,metric_value", "reportFiles": [ { "key": "DestinationPrefix/StorageLensExpandedPrefixes/111122223333/example-dashboard-configuration-id/V_1/reports/dt=2025-11-03/EXAMPLE1234-56ab-78cd-90ef-EXAMPLE11111.csv", "size": 1603959, "md5Checksum": "2177e775870def72b8d84febe1ad3574" } ] } ``` The following example shows a `manifest.json` file for a Parquet-formatted Storage Lens default metrics report: ``` { "sourceAccountId": "111122223333", "configId": "example-dashboard-configuration-id", "destinationBucket": "arn:aws:s3:::amzn-s3-demo-destination-bucket", "reportVersion": "V_1", "reportDate": "2025-11-03", "reportFormat": "Parquet", "reportSchema": "message s3.storage.lens { required string version_number; required string configuration_id; required string report_date; required string aws_account_number; required string aws_region; required string storage_class; required string record_type; required string record_value; required string bucket_name; required string metric_name; required long metric_value; }", "reportFiles": [ { "key": "DestinationPrefix/StorageLens/111122223333/example-dashboard-configuration-id/V_1/reports/dt=2025-11-03/bd23de7c-b46a-4cf4-bcc5-b21aac5be0f5.par", "size": 14714, "md5Checksum": "b5c741ee0251cd99b90b3e8eff50b944" } ] } ``` The following example shows a `manifest.json` file for a Parquet-formatted Storage Lens expanded prefixes metrics report: ``` { "sourceAccountId": "111122223333", "configId": "example-dashboard-configuration-id", "destinationBucket": "arn:aws:s3:::amzn-s3-demo-destination-bucket", "reportVersion": "V_1", "reportDate": "2025-11-03", "reportFormat": "Parquet", "reportSchema": "message s3.storage.lens { required string version_number; required string configuration_id; required string report_date; required string aws_account_number; required string aws_region; required string storage_class; required string record_type; required string record_value; required string bucket_name; required string metric_name; required long metric_value; }", "reportFiles": [ { "key": "DestinationPrefix/StorageLensExpandedPrefixes/111122223333/example-dashboard-configuration-id/V_1/reports/dt=2025-11-03/bd23de7c-b46a-4cf4-bcc5-b21aac5be0f5.par", "size": 14714, "md5Checksum": "b5c741ee0251cd99b90b3e8eff50b944" } ] } ``` You can configure your metrics export to be generated as part of your dashboard configuration in the Amazon S3 console or by using the Amazon S3 REST API, AWS CLI, and SDKs. # Understanding the Amazon S3 Storage Lens export schemas S3 Storage Lens export schemas S3 Storage Lens export schemas vary depending on your export destination. Choose the appropriate schema based on whether you're exporting to S3 general purpose buckets or S3 tables. **Topics** + [ ## Export schema for S3 general purpose buckets ](#storage_lens_general_purpose_bucket_schema) + [ ## Export schemas for S3 tables ](#storage_lens_s3_tables_schema) ## Export schema for S3 general purpose buckets General purpose bucket schema The following table contains the schema of your S3 Storage Lens metrics export when exporting to S3 general purpose buckets. | Attribute name | Data type | Column name | Description | | --- | --- | --- | --- | | VersionNumber | String | version\$1number | The version of the S3 Storage Lens metrics being used. | | ConfigurationId | String | configuration\$1id | The configuration\$1id of your S3 Storage Lens configuration. | | ReportDate | String | report\$1date | The date that the metrics were tracked. | | AwsAccountNumber | String | aws\$1account\$1number | Your AWS account number. | | AwsRegion | String | aws\$1region | The AWS Region for which the metrics are being tracked. | | StorageClass | String | storage\$1class | The storage class of the bucket in question. | | RecordType | ENUM | record\$1type | The type of artifact that is being reported (ACCOUNT, BUCKET, or PREFIX). | | RecordValue | String | record\$1value | The value of the RecordType artifact. The `record_value` is URL-encoded. | | BucketName | String | bucket\$1name | The name of the bucket that is being reported. | | MetricName | String | metric\$1name | The name of the metric that is being reported. | | MetricValue | Long | metric\$1value | The value of the metric that is being reported. | ### Example of an S3 Storage Lens metrics export Metrics export example The following is an example of an S3 Storage Lens metrics export based on this schema. **Note** You can identify metrics for Storage Lens groups by looking for the `STORAGE_LENS_GROUP_BUCKET` or `STORAGE_LENS_GROUP_ACCOUNT` values in the `record_type` column. The `record_value` column will display the Amazon Resource Name (ARN) for the Storage Lens group, for example, `arn:aws:s3:us-east-1:123456789012:storage-lens-group/slg-1`. ![\[An example S3 Storage Lens metrics export file.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/sample_storage_lens_export.png) The following is an example of an S3 Storage Lens metrics export with Storage Lens groups data. ![\[An example S3 Storage Lens metrics export file with Storage Lens groups data.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/StorageLensGroups_metricsexport.png) ## Export schemas for S3 tables S3 tables schemas When exporting S3 Storage Lens metrics to S3 tables, the data is organized into three separate table schemas: storage metrics, bucket property metrics, and activity metrics. **Topics** + [ ### Storage metrics table schema ](#storage_lens_s3_tables_storage_metrics) + [ ### Bucket property metrics table schema ](#storage_lens_s3_tables_bucket_property_metrics) + [ ### Activity metrics table schema ](#storage_lens_s3_tables_activity_metrics) ### Storage metrics table schema Storage metrics schema | Name | Type | Description | | --- | --- | --- | | version\$1number | string | Version identifier of the schema of the table | | configuration\$1id | string | S3 Storage Lens configuration name | | report\$1time | timestamptz | Date the S3 Storage Lens report refers to | | aws\$1account\$1id | string | Account id the entry refers to | | aws\$1region | string | Region | | storage\$1class | string | Storage Class | | record\$1type | string | Type of record, related to what is the level of aggregation of data. Values: ACCOUNT, BUCKET, PREFIX, LENS GROUP. | | record\$1value | string | Disambiguator for record types that have more than one record under them. It is used to reference the prefix | | bucket\$1name | string | Bucket name | | object\$1count | long | Number of objects stored for the current referenced item | | storage\$1bytes | DECIMAL(38,0) | Number of bytes stored for the current referenced item | | bucket\$1key\$1sse\$1kms\$1object\$1count | long | Number of objects encrypted with a customer managed key stored for the current referenced item | | bucket\$1key\$1sse\$1kms\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes encrypted with a customer managed key stored for the current referenced item | | current\$1version\$1object\$1count | long | Number of current version objects stored for the current referenced item | | current\$1version\$1storage\$1bytes | DECIMAL(38,0) | Number of current version bytes stored for the current referenced item | | delete\$1marker\$1object\$1count | long | Number of delete marker objects stored for the current referenced item | | delete\$1marker\$1storage\$1bytes | DECIMAL(38,0) | Number of delete marker bytes stored for the current referenced item | | encrypted\$1object\$1count | long | Number of encrypted objects stored for the current referenced item | | encrypted\$1storage\$1bytes | DECIMAL(38,0) | Number of encrypted bytes stored for the current referenced item | | incomplete\$1mpu\$1object\$1older\$1than\$17\$1days\$1count | long | Number of incomplete multipart upload objects older than 7 days stored for the current referenced item | | incomplete\$1mpu\$1storage\$1older\$1than\$17\$1days\$1bytes | DECIMAL(38,0) | Number of incomplete multipart upload bytes stored older than 7 days for the current referenced item | | incomplete\$1mpu\$1object\$1count | long | Number of incomplete multipart upload objects stored for the current referenced item | | incomplete\$1mpu\$1storage\$1bytes | DECIMAL(38,0) | Number of incomplete multipart upload bytes stored for the current referenced item | | non\$1current\$1version\$1object\$1count | long | Number of non-current version objects stored for the current referenced item | | non\$1current\$1version\$1storage\$1bytes | DECIMAL(38,0) | Number of non-current version bytes stored for the current referenced item | | object\$1lock\$1enabled\$1object\$1count | long | Number of objects stored for for objects with lock enabled in the current referenced item | | object\$1lock\$1enabled\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes stored for objects with lock enabled in the current referenced item | | replicated\$1object\$1count | long | Number of objects replicated for the current referenced item | | replicated\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes replicated for the current referenced item | | replicated\$1object\$1source\$1count | long | Number of objects replicated as source stored for the current referenced item | | replicated\$1storage\$1source\$1bytes | DECIMAL(38,0) | Number of bytes replicated as source for the current referenced item | | sse\$1kms\$1object\$1count | long | Number of objects encrypted with SSE key stored for the current referenced item | | sse\$1kms\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes encrypted with SSE key stored for the current referenced item | | object\$10kb\$1count | long | Number of objects with sizes equal to 0KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$10kb\$1to\$1128kb\$1count | long | Number of objects with sizes greater than 0KB and less than equal to 128KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1128kb\$1to\$1256kb\$1count | long | Number of objects with sizes greater than 128KB and less than equal to 256KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1256kb\$1to\$1512kb\$1count | long | Number of objects with sizes greater than 256KB and less than equal to 512KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1512kb\$1to\$11mb\$1count | long | Number of objects with sizes greater than 512KB and less than equal to 1MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$11mb\$1to\$12mb\$1count | long | Number of objects with sizes greater than 1MB and less than equal to 2MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$12mb\$1to\$14mb\$1count | long | Number of objects with sizes greater than 2MB and less than equal to 4MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$14mb\$1to\$18mb\$1count | long | Number of objects with sizes greater than 4MB and less than equal to 8MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$18mb\$1to\$116mb\$1count | long | Number of objects with sizes greater than 8MB and less than equal to 16MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$116mb\$1to\$132mb\$1count | long | Number of objects with sizes greater than 16MB and less than equal to 32MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$132mb\$1to\$164mb\$1count | long | Number of objects with sizes greater than 32MB and less than equal to 64MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$164mb\$1to\$1128mb\$1count | long | Number of objects with sizes greater than 64MB and less than equal to 128MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1128mb\$1to\$1256mb\$1count | long | Number of objects sizes greater than 128MB and less than equal to 256MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1256mb\$1to\$1512mb\$1count | long | Number of objects sizes greater than 256MB and less than equal to 512MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1512mb\$1to\$11gb\$1count | long | Number of objects sizes greater than 512MB and less than equal to 1GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$11gb\$1to\$12gb\$1count | long | Number of objects sizes greater than 1GB and less than equal to 2GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$12gb\$1to\$14gb\$1count | long | Number of objects sizes greater than 2GB and less than equal to 4GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1larger\$1than\$14gb\$1count | long | Number of objects sizes greater than 4GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | ### Bucket property metrics table schema Bucket property metrics schema | Name | Type | Description | | --- | --- | --- | | version\$1number | string | Version identifier of the schema of the table | | configuration\$1id | string | S3 Storage Lens configuration name | | report\$1time | timestamptz | Date the S3 Storage Lens report refers to | | aws\$1account\$1id | string | Account id the entry refers to | | record\$1type | string | Type of record, related to what is the level of aggregation of data. Values: ACCOUNT, BUCKET, PREFIX, LENS GROUP. | | record\$1value | string | Disambiguator for record types that have more than one record under them. It is used to reference the prefix. | | aws\$1region | string | Region | | storage\$1class | string | Storage Class | | bucket\$1name | string | Bucket name | | versioning\$1enabled\$1bucket\$1count | long | Number of buckets with versioning enabled for the current referenced item | | mfa\$1delete\$1enabled\$1bucket\$1count | long | Number of buckets with MFA delete enabled for the current referenced item | | sse\$1kms\$1enabled\$1bucket\$1count | long | Number of buckets with KMS enabled for the current referenced item | | object\$1ownership\$1bucket\$1owner\$1enforced\$1bucket\$1count | long | Number of buckets with Object Ownership bucket owner enforced for the current referenced item | | object\$1ownership\$1bucket\$1owner\$1preferred\$1bucket\$1count | long | Number of buckets with Object Ownership bucket owner preferred for the current referenced item | | object\$1ownership\$1object\$1writer\$1bucket\$1count | long | Number of buckets with Object Ownership object writer for the current referenced item | | transfer\$1acceleration\$1enabled\$1bucket\$1count | long | Number of buckets with transfer acceleration enabled for the current referenced item | | event\$1notification\$1enabled\$1bucket\$1count | long | Number of buckets with event notification enabled for the current referenced item | | transition\$1lifecycle\$1rule\$1count | long | Number of transition lifecycle rules for the current referenced item | | expiration\$1lifecycle\$1rule\$1count | long | Number of expiration lifecycle rules for the current referenced item | | non\$1current\$1version\$1transition\$1lifecycle\$1rule\$1count | long | Number of noncurrent version transition lifecycle rules for the current referenced item | | non\$1current\$1version\$1expiration\$1lifecycle\$1rule\$1count | long | Number of noncurrent version expiration lifecycle rules for the current referenced item | | abort\$1incomplete\$1multipart\$1upload\$1lifecycle\$1rule\$1count | long | Number of abort incomplete multipart upload lifecycle rules for the current referenced item | | expired\$1object\$1delete\$1marker\$1lifecycle\$1rule\$1count | long | Number of expire object delete marker lifecycle rules for the current referenced item | | same\$1region\$1replication\$1rule\$1count | long | Number of Same-Region Replication rule count for the current referenced item | | cross\$1region\$1replication\$1rule\$1count | long | Number of Cross-Region Replication rule count for the current referenced item | | same\$1account\$1replication\$1rule\$1count | long | Number of Same-account replication rule count for the current referenced item | | cross\$1account\$1replication\$1rule\$1count | long | Number of Cross-account replication rule count for the current referenced item | | invalid\$1destination\$1replication\$1rule\$1count | long | Number of buckets with Invalid destination replication for the current referenced item | ### Activity metrics table schema Activity metrics schema | Name | Type | Description | | --- | --- | --- | | version\$1number | string | Version identifier of the schema of the table | | configuration\$1id | string | S3 Storage Lens configuration name | | report\$1time | timestamptz | Date the S3 Storage Lens report refers to | | aws\$1account\$1id | string | Account id the entry refers to | | aws\$1region | string | Region | | storage\$1class | string | Storage Class | | record\$1type | string | Type of record, related to what is the level of aggregation of data. Values: ACCOUNT, BUCKET, PREFIX. | | record\$1value | string | Disambiguator for record types that have more than one record under them. It is used to reference the prefix | | bucket\$1name | string | Bucket name | | all\$1request\$1count | long | Number of \$1all\$1 requests for the current referenced item | | all\$1sse\$1kms\$1encrypted\$1request\$1count | long | Number of KMS encrypted requests for the current referenced item | | all\$1unsupported\$1sig\$1request\$1count | long | Number of unsupported sig requests for the current referenced item | | all\$1unsupported\$1tls\$1request\$1count | long | Number of unsupported TLS requests for the current referenced item | | bad\$1request\$1error\$1400\$1count | long | Number of 400 bad request errors for the current referenced item | | delete\$1request\$1count | long | Number of delete requests for the current referenced item | | downloaded\$1bytes | decimal(0,0) | Number of downloaded bytes for the current referenced item | | error\$14xx\$1count | long | Number of 4xx errors for the current referenced item | | error\$15xx\$1count | long | Number of 5xx errors for the current referenced item | | forbidden\$1error\$1403\$1count | long | Number of 403 forbidden errors for the current referenced item | | get\$1request\$1count | long | Number of get requests for the current referenced item | | head\$1request\$1count | long | Number of head requests for the current referenced item | | internal\$1server\$1error\$1500\$1count | long | Number of 500 internal server errors for the current referenced item | | list\$1request\$1count | long | Number of list requests for the current referenced item | | not\$1found\$1error\$1404\$1count | long | Number of 404 not found errors for the current referenced item | | ok\$1status\$1200\$1count | long | Number of 200 OK requests for the current referenced item | | partial\$1content\$1status\$1206\$1count | long | Number of 206 partial content requests for the current referenced item | | post\$1request\$1count | long | Number of post requests for the current referenced item | | put\$1request\$1count | long | Number of put requests for the current referenced item | | select\$1request\$1count | long | Number of select requests for the current referenced item | | select\$1returned\$1bytes | decimal(0,0) | Number of bytes returned by select requests for the current referenced item | | select\$1scanned\$1bytes | decimal(0,0) | Number of bytes scanned by select requests for the current referenced item | | service\$1unavailable\$1error\$1503\$1count | long | Number of 503 service unavailable errors for the current referenced item | | uploaded\$1bytes | decimal(0,0) | Number of uploaded bytes for the current referenced item | | average\$1first\$1byte\$1latency | long | Average per-request time between when an S3 bucket receives a complete request and when it starts returning the response, measured over the past 24 hours | | average\$1total\$1request\$1latency | long | Average elapsed per-request time between the first byte received and the last byte sent to an S3 bucket, measured over the past 24 hours | | read\$10kb\$1request\$1count | long | Number of GetObject requests with data sizes of 0KB, including both range-based requests and whole object requests | | read\$10kb\$1to\$1128kb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 0KB and up to 128KB, including both range-based requests and whole object requests | | read\$1128kb\$1to\$1256kb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 128KB and up to 256KB, including both range-based requests and whole object requests | | read\$1256kb\$1to\$1512kb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 256KB and up to 512KB, including both range-based requests and whole object requests | | read\$1512kb\$1to\$11mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 512KB and up to 1MB, including both range-based requests and whole object requests | | read\$11mb\$1to\$12mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 1MB and up to 2MB, including both range-based requests and whole object requests | | read\$12mb\$1to\$14mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 2MB and up to 4MB, including both range-based requests and whole object requests | | read\$14mb\$1to\$18mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 4MB and up to 8MB, including both range-based requests and whole object requests | | read\$18mb\$1to\$116mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 8MB and up to 16MB, including both range-based requests and whole object requests | | read\$116mb\$1to\$132mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 16MB and up to 32MB, including both range-based requests and whole object requests | | read\$132mb\$1to\$164mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 32MB and up to 64MB, including both range-based requests and whole object requests | | read\$164mb\$1to\$1128mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 64MB and up to 128MB, including both range-based requests and whole object requests | | read\$1128mb\$1to\$1256mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 128MB and up to 256MB, including both range-based requests and whole object requests | | read\$1256mb\$1to\$1512mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 256MB and up to 512MB, including both range-based requests and whole object requests | | read\$1512mb\$1to\$11gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 512MB and up to 1GB, including both range-based requests and whole object requests | | read\$11gb\$1to\$12gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 1GB and up to 2GB, including both range-based requests and whole object requests | | read\$12gb\$1to\$14gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 2GB and up to 4GB, including both range-based requests and whole object requests | | read\$1larger\$1than\$14gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 4GB, including both range-based requests and whole object requests | | write\$10kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes of 0KB | | write\$10kb\$1to\$1128kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 0KB and up to 128KB | | write\$1128kb\$1to\$1256kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 128KB and up to 256KB | | write\$1256kb\$1to\$1512kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 256KB and up to 512KB | | write\$1512kb\$1to\$11mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 512KB and up to 1MB | | write\$11mb\$1to\$12mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 1MB and up to 2MB | | write\$12mb\$1to\$14mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 2MB and up to 4MB | | write\$14mb\$1to\$18mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 4MB and up to 8MB | | write\$18mb\$1to\$116mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 8MB and up to 16MB | | write\$116mb\$1to\$132mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 16MB and up to 32MB | | write\$132mb\$1to\$164mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 32MB and up to 64MB | | write\$164mb\$1to\$1128mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 64MB and up to 128MB | | write\$1128mb\$1to\$1256mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 128MB and up to 256MB | | write\$1256mb\$1to\$1512mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 256MB and up to 512MB | | write\$1512mb\$1to\$11gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 512MB and up to 1GB | | write\$11gb\$1to\$12gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 1GB and up to 2GB | | write\$12gb\$1to\$14gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 2GB and up to 4GB | | write\$1larger\$1than\$14gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 4GB | | concurrent\$1put\$1503\$1error\$1count | long | Number of 503 errors that are generated due to concurrent writes to the same object | | cross\$1region\$1request\$1count | long | Number of requests that originate from a client in different Region than bucket's home Region | | cross\$1region\$1transferred\$1bytes | decimal(0,0) | Number of bytes that are transferred from calls in different Region than bucket's home Region | | cross\$1region\$1without\$1replication\$1request\$1count | long | Number of requests that originate from a client in different Region than bucket's home Region, excluding cross-region replication requests | | cross\$1region\$1without\$1replication\$1transferred\$1bytes | decimal(0,0) | Number of bytes that are transferred from calls in different Region than bucket's home Region, excluding cross-region replication bytes | | inregion\$1request\$1count | long | Number of requests that originate from a client in same Region as bucket's home Region | | inregion\$1transferred\$1bytes | decimal(0,0) | Number of bytes that are transferred from calls from same Region as bucket's home Region | | unique\$1objects\$1accessed\$1daily\$1count | long | Number of objects that were accessed at least once in last 24 hrs | # Monitor S3 Storage Lens metrics in CloudWatch You can publish S3 Storage Lens metrics to Amazon CloudWatch to create a unified view of your operational health in [CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). You can also use CloudWatch features, such as alarms and triggered actions, metric math, and anomaly detection, to monitor and take action on S3 Storage Lens metrics. In addition, CloudWatch API operations enable applications, including third-party providers, to access your S3 Storage Lens metrics. For more information about CloudWatch features, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html). You can enable the CloudWatch publishing option for new or existing dashboard configurations by using the Amazon S3 console, Amazon S3 REST API, AWS CLI, and AWS SDKs. Dashboards that are upgraded to S3 Storage Lens advanced metrics and recommendations can use the CloudWatch publishing option. For S3 Storage Lens advanced metrics and recommendations pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). No additional CloudWatch metrics publishing charges apply; however, other CloudWatch charges, such as dashboards, alarms, and API calls, do apply. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/). S3 Storage Lens metrics are published to CloudWatch in the account that owns the S3 Storage Lens configuration. After you enable the CloudWatch publishing option within advanced metrics, you can access account-level and bucket-level metrics by configuration ID, account, bucket (for bucket-level metrics only), Region, and storage class in CloudWatch. Prefix-level metrics are not available in CloudWatch. **Note** S3 Storage Lens metrics are daily metrics and are published to CloudWatch once per day. When you query S3 Storage Lens metrics in CloudWatch, the period for the query must be 1 day (86400 seconds). After your daily S3 Storage Lens metrics appear in your S3 Storage Lens dashboard in the Amazon S3 console, it can take a few hours for these same metrics to appear in CloudWatch. When you enable the CloudWatch publishing option for S3 Storage Lens metrics for the first time, it can take up to 24 hours for your metrics to publish to CloudWatch. After you enable the CloudWatch publishing option, you can use the following CloudWatch features to monitor and analyze your S3 Storage LensStorage Lens data: + [Dashboards](storage-lens-cloudwatch-monitoring-cloudwatch.md#storage-lens-cloudwatch-monitoring-cloudwatch-dashboards) – Use CloudWatch dashboards to create customized S3 Storage Lens dashboards. Share your CloudWatch dashboard with people who don't have direct access to your AWS account, across teams, with stakeholders, and with people external to your organizations. + [Alarms and triggered actions](storage-lens-cloudwatch-monitoring-cloudwatch.md#storage-lens-cloudwatch-monitoring-cloudwatch-alarms) – Configure alarms that watch metrics and take action when a threshold is breached. For example, you can configure an alarm that sends an Amazon SNS notification when the **Incomplete Multipart Upload Bytes** metric exceeds 1 GB for three consecutive days. + [Anomaly detection](storage-lens-cloudwatch-monitoring-cloudwatch.md#storage-lens-cloudwatch-monitoring-cloudwatch-alarms) – Enable anomaly detection to continuously analyze metrics, determine normal baselines, and surface anomalies. You can create an anomaly detection alarm based on the expected value of a metric. For example, you can monitor anomalies for the **Object Lock Enabled Bytes** metric to detect unauthorized removal of Object Lock settings. + [Metric math](storage-lens-cloudwatch-monitoring-cloudwatch.md#storage-lens-cloudwatch-monitoring-cloudwatch-metric-math) – You can also use metric math to query multiple S3 Storage Lens metrics and use math expressions to create new time series based on these metrics. For example, you can create a new metric to get the average object size by dividing `StorageBytes` by `ObjectCount`. For more information about the CloudWatch publishing option for S3 Storage Lens metrics, see the following topics. **Topics** + [ # S3 Storage Lens metrics and dimensions ](storage-lens-cloudwatch-metrics-dimensions.md) + [ # Enabling CloudWatch publishing for S3 Storage Lens ](storage-lens-cloudwatch-enable-publish-option.md) + [ # Working with S3 Storage Lens metrics in CloudWatch ](storage-lens-cloudwatch-monitoring-cloudwatch.md) # S3 Storage Lens metrics and dimensions To send S3 Storage Lens metrics to CloudWatch, you must enable the CloudWatch publishing option within S3 Storage Lens advanced metrics. After advanced metrics are enabled, you can use [CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html) to monitor S3 Storage Lens metrics alongside other application metrics and create a unified view of your operational health. You can use dimensions to filter your S3 Storage Lens metrics in CloudWatch by organization, account, bucket, storage class, Region, and metrics configuration ID. S3 Storage Lens metrics are published to CloudWatch in the account that owns the S3 Storage Lens configuration. After you enable the CloudWatch publishing option within advanced metrics, you can access account-level and bucket-level metrics by configuration ID, account, bucket (for bucket-level metrics only), Region, and storage class in CloudWatch. Prefix-level metrics are not available in CloudWatch. **Note** S3 Storage Lens metrics are daily metrics and are published to CloudWatch once per day. When you query S3 Storage Lens metrics in CloudWatch, the period for the query must be 1 day (86400 seconds). After your daily S3 Storage Lens metrics appear in your S3 Storage Lens dashboard in the Amazon S3 console, it can take a few hours for these same metrics to appear in CloudWatch. When you enable the CloudWatch publishing option for S3 Storage Lens metrics for the first time, it can take up to 24 hours for your metrics to publish to CloudWatch. For more information about S3 Storage Lens metrics and dimensions in CloudWatch, see the following topics. **Topics** + [ ## Metrics ](#storage-lens-cloudwatch-metrics) + [ ## Dimensions ](#storage-lens-cloudwatch-dimensions) ## Metrics S3 Storage Lens metrics are available as metrics within CloudWatch. S3 Storage Lens metrics are published to the `AWS/S3/Storage-Lens` namespace. This namespace is only for S3 Storage Lens metrics. Amazon S3 bucket, request, and replication metrics are published to the `AWS/S3` namespace. S3 Storage Lens metrics are published to CloudWatch in the account that owns the S3 Storage Lens configuration. After you enable the CloudWatch publishing option within advanced metrics, you can access account-level and bucket-level metrics by configuration ID, account, bucket (for bucket-level metrics only), Region, and storage class in CloudWatch. Prefix-level metrics are not available in CloudWatch. In S3 Storage Lens, metrics are aggregated and stored only in the designated home Region. S3 Storage Lens metrics are also published to CloudWatch in the home Region that you specify in the S3 Storage Lens configuration. For a complete list of S3 Storage Lens metrics, including a list of those metrics available in CloudWatch, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). **Note** The valid statistic for S3 Storage Lens metrics in CloudWatch is Average. For more information about statistics in CloudWatch, see [ CloudWatch statistics definitions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Statistics-definitions.html) in the *Amazon CloudWatch User Guide*. ### Granularity of S3 Storage Lens metrics in CloudWatch S3 Storage Lens offers metrics at organization, account, bucket, and prefix granularity. S3 Storage Lens publishes organization, account, and bucket-level S3 Storage Lens metrics to CloudWatch. Prefix-level S3 Storage Lens metrics are not available in CloudWatch. For more information about the granularity of S3 Storage Lens metrics available in CloudWatch, see the following list: + **Organization** – Metrics aggregated across the member accounts in your organization. S3 Storage Lens publishes metrics for member accounts to CloudWatch in the management account. + **Organization and account** – Metrics for the member accounts in your organization. + **Organization and bucket** – Metrics for Amazon S3 buckets in the member accounts of your organization. + **Account** (Non-organization level) – Metrics aggregated across the buckets in your account. + **Bucket** (Non-organization level) – Metrics for a specific bucket. In CloudWatch, S3 Storage Lens publishes these metrics to the AWS account that created the S3 Storage Lens configuration. S3 Storage Lens publishes these metrics only for non-organization configurations. ## Dimensions When S3 Storage Lens sends data to CloudWatch, dimensions are attached to each metric. Dimensions are categories that describe the characteristics of metrics. You can use dimensions to filter the results that CloudWatch returns. For example, all S3 Storage Lens metrics in CloudWatch have the `configuration_id` dimension. You can use this dimension to differentiate between metrics associated with a specific S3 Storage Lens configuration. The `organization_id` identifies organization-level metrics. For more information about dimensions in CloudWatch, see [Dimensions](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Dimension) in the *CloudWatch User Guide*. Different dimensions are available for S3 Storage Lens metrics depending on the granularity of the metrics. For example, you can use the `organization_id` dimension to filter organization-level metrics by the AWS Organizations ID. However, you can't use this dimension for bucket and account-level metrics. For more information, see [Filtering metrics using dimensions](storage-lens-cloudwatch-monitoring-cloudwatch.md#storage-lens-cloudwatch-monitoring-cloudwatch-dimensions). To see which dimensions are available for your S3 Storage Lens configuration, see the following table. | **Dimension** | **Description** | **Bucket** | **Account** | **Organization** | **Organization and bucket** | **Organization and account** | | --- | --- | --- | --- | --- | --- | --- | | configuration\$1id | The dashboard name for the S3 Storage Lens configuration reported in the metrics | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | | metrics\$1version | The version of the S3 Storage Lens metrics. The metrics version has a fixed value of `1.0`. | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | | organization\$1id | The AWS Organizations ID for the metrics | ![\[No\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-no.png) | ![\[No\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-no.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | | aws\$1account\$1number | The AWS account that's associated with the metrics | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[No\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-no.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | | aws\$1region | The AWS Region for the metrics | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | | bucket\$1name | The name of the S3 bucket that's reported in the metrics | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[No\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-no.png) | ![\[No\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-no.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[No\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-no.png) | | storage\$1class | The storage class for the bucket that's reported in the metrics | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) | | record\$1type | The granularity of the metrics: ORGANIZATION, ACCOUNT, BUCKET | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) BUCKET | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) ACCOUNT | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) BUCKET | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) ACCOUNT | ![\[Yes\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/icon-yes.png) ORGANIZATION | # Enabling CloudWatch publishing for S3 Storage Lens Enabling CloudWatch publishing You can publish S3 Storage Lens metrics to Amazon CloudWatch to create a unified view of your operational health in [CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). You can also use CloudWatch features, such as alarms and triggered actions, metric math, and anomaly detection, to monitor and take action on S3 Storage Lens metrics. In addition, CloudWatch API operations enable applications, including third-party providers, to access your S3 Storage Lens metrics. For more information about CloudWatch features, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html). S3 Storage Lens metrics are published to CloudWatch in the account that owns the S3 Storage Lens configuration. After you enable the CloudWatch publishing option within advanced metrics, you can access account-level and bucket-level metrics by configuration ID, account, bucket (for bucket-level metrics only), Region, and storage class in CloudWatch. Prefix-level metrics are not available in CloudWatch. You can enable CloudWatch support for new or existing dashboard configurations by using the S3 console, Amazon S3 REST APIs, AWS CLI, and AWS SDKs. The CloudWatch publishing option is available for dashboards that are upgraded to S3 Storage Lens advanced metrics and recommendations. For S3 Storage Lens advanced metrics and recommendations pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). No additional CloudWatch metrics publishing charges apply; however, other CloudWatch charges, such as dashboards, alarms, and API calls, do apply. To enable the CloudWatch publishing option for S3 Storage Lens metrics, see the following topics. **Note** S3 Storage Lens metrics are daily metrics and are published to CloudWatch once per day. When you query S3 Storage Lens metrics in CloudWatch, the period for the query must be 1 day (86400 seconds). After your daily S3 Storage Lens metrics appear in your S3 Storage Lens dashboard in the Amazon S3 console, it can take a few hours for these same metrics to appear in CloudWatch. When you enable the CloudWatch publishing option for S3 Storage Lens metrics for the first time, it can take up to 24 hours for your metrics to publish to CloudWatch. Currently, S3 Storage Lens metrics cannot be consumed through CloudWatch streams. ## Using the S3 console When you update an S3 Storage Lens dashboard, you can't change the dashboard name or home Region. You also can't change the scope of the default dashboard, which is scoped to your entire account's storage. **To update an S3 Storage Lens dashboard to enable CloudWatch publishing** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **S3 Storage Lens**, **Dashboards**. 1. Choose the dashboard that you want to edit, and then choose **Edit.** 1. Under **Metrics selection**, choose **Advanced metrics and recommendations**. Advanced metrics and recommendations are available for an additional charge. Advanced metrics and recommendations include a 15-month period for data queries, usage metrics aggregated at the prefix level, activity metrics aggregated by bucket, the CloudWatch publishing option, and contextual recommendations that help you optimize storage costs and apply data-protection best practices. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). 1. Under **Select Advanced metrics and recommendations features**, select **CloudWatch publishing**. **Important** If your configuration enables prefix aggregation for usage metrics, prefix-level metrics will not be published to CloudWatch. Only bucket, account, and organization-level S3 Storage Lens metrics are published to CloudWatch. 1. Choose **Save changes**. **To create a new S3 Storage Lens dashboard that enables CloudWatch support** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. Choose **Create dashboard**. 1. Under **General**, define the following configuration options: 1. For **Dashboard name**, enter your dashboard name. Dashboard names must be fewer than 65 characters and must not contain special characters or spaces. You can't change the dashboard name after you create your dashboard. 1. Choose the **Home Region ** for your dashboard. Metrics for all Regions included in this dashboard scope are stored centrally in the designated home Region. In CloudWatch, S3 Storage Lens metrics are also available in the home Region. You can't change the home Region after you create your dashboard. 1. (Optional) To add tags, choose **Add tag** and enter the tag **Key** and **Value**. **Note** You can add up to 50 tags to your dashboard configuration. 1. Define the scope for your configuration: 1. If you're creating an organization-level configuration, choose the accounts to include in the configuration: **Include all accounts in your configuration** or **Limit the scope to your signed-in account**. **Note** When you create an organization-level configuration that includes all accounts, you can include or exclude only Regions, not buckets. 1. Choose the Regions and buckets that you want S3 Storage Lens to include in the dashboard configuration by doing the following: + To include all Regions, choose **Include Regions and buckets**. + To include specific Regions, clear **Include all Regions**. Under **Choose Regions to include**, choose the Regions that you want S3 Storage Lens to include in the dashboard. + To include specific buckets, clear **Include all buckets**. Under **Choose buckets to include**, choose the buckets that you want S3 Storage Lens to include in the dashboard. **Note** You can choose up to 50 buckets. 1. For **Metrics selection**, choose **Advanced metrics and recommendations**. For more information about advanced metrics and recommendations pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). 1. Under **Advanced metrics and recommendations features**, select the options that you want to enable: + **Advanced metrics** + **CloudWatch publishing** **Important** If you enable prefix aggregation for your S3 Storage Lens configuration, prefix-level metrics will not be published to CloudWatch. Only bucket, account, and organization-level S3 Storage Lens metrics are published to CloudWatch. + **Prefix aggregation** **Note** For more information about advanced metrics and recommendations features, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. If you enabled **Advanced metrics**, select the **Advanced metrics categories** that you want to display in your S3 Storage Lens dashboard: + **Activity metrics** + **Detailed status code metrics** + **Advanced cost optimization metrics** + **Advanced data protection metrics** For more information about metrics categories, see [Metrics categories](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_types). For a complete list of metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). 1. (Optional) Configure your metrics export. For more information about how to configure a metrics export, see step [Using the S3 console](storage_lens_creating_dashboard.md#storage_lens_console_creating). 1. Choose **Create dashboard**. ## Using the AWS CLI The following AWS CLI example enables the CloudWatch publishing option by using a S3 Storage Lens organization-level advanced metrics and recommendations configuration. To use this example, replace the `user input placeholders` with your own information. ``` aws s3control put-storage-lens-configuration --account-id=555555555555 --config-id=your-configuration-id --region=us-east-1 --storage-lens-configuration=file://./config.json config.json { "Id": "SampleS3StorageLensConfiguration", "AwsOrg": { "Arn": "arn:aws:organizations::123456789012:organization/o-abcdefgh" }, "AccountLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "AdvancedDataProtectionMetrics": { "IsEnabled":true }, "DetailedStatusCodesMetrics": { "IsEnabled":true }, "BucketLevel": { "ActivityMetrics": { "IsEnabled":true }, "AdvancedCostOptimizationMetrics": { "IsEnabled":true }, "DetailedStatusCodesMetrics": { "IsEnabled":true }, "PrefixLevel":{ "StorageMetrics":{ "IsEnabled":true, "SelectionCriteria":{ "MaxDepth":5, "MinStorageBytesPercentage":1.25, "Delimiter":"/" } } } } }, "Exclude": { "Regions": [ "eu-west-1" ], "Buckets": [ "arn:aws:s3:::amzn-s3-demo-source-bucket " ] }, "IsEnabled": true, "DataExport": { "S3BucketDestination": { "OutputSchemaVersion": "V_1", "Format": "CSV", "AccountId": "111122223333", "Arn": "arn:aws:s3:::amzn-s3-demo-destination-bucket", "Prefix": "prefix-for-your-export-destination", "Encryption": { "SSES3": {} } }, "CloudWatchMetrics": { "IsEnabled": true } } } ``` ## Using the AWS SDK for Java ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.AccountLevel; import com.amazonaws.services.s3control.model.ActivityMetrics; import com.amazonaws.services.s3control.model.BucketLevel; import com.amazonaws.services.s3control.model.CloudWatchMetrics; import com.amazonaws.services.s3control.model.Format; import com.amazonaws.services.s3control.model.Include; import com.amazonaws.services.s3control.model.OutputSchemaVersion; import com.amazonaws.services.s3control.model.PrefixLevel; import com.amazonaws.services.s3control.model.PrefixLevelStorageMetrics; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationRequest; import com.amazonaws.services.s3control.model.S3BucketDestination; import com.amazonaws.services.s3control.model.SSES3; import com.amazonaws.services.s3control.model.SelectionCriteria; import com.amazonaws.services.s3control.model.StorageLensAwsOrg; import com.amazonaws.services.s3control.model.StorageLensConfiguration; import com.amazonaws.services.s3control.model.StorageLensDataExport; import com.amazonaws.services.s3control.model.StorageLensDataExportEncryption; import com.amazonaws.services.s3control.model.StorageLensTag; import java.util.Arrays; import java.util.List; import static com.amazonaws.regions.Regions.US_WEST_2; public class CreateAndUpdateDashboard { public static void main(String[] args) { String configurationId = "ConfigurationId"; String sourceAccountId = "Source Account ID"; String exportAccountId = "Destination Account ID"; String exportBucketArn = "arn:aws:s3:::amzn-s3-demo-destination-bucket"; // The destination bucket for your metrics export must be in the same Region as your S3 Storage Lens configuration. String awsOrgARN = "arn:aws:organizations::123456789012:organization/o-abcdefgh"; Format exportFormat = Format.CSV; try { SelectionCriteria selectionCriteria = new SelectionCriteria() .withDelimiter("/") .withMaxDepth(5) .withMinStorageBytesPercentage(10.0); PrefixLevelStorageMetrics prefixStorageMetrics = new PrefixLevelStorageMetrics() .withIsEnabled(true) .withSelectionCriteria(selectionCriteria); BucketLevel bucketLevel = new BucketLevel() .withActivityMetrics(new ActivityMetrics().withIsEnabled(true)) .withAdvancedCostOptimizationMetrics(new AdvancedCostOptimizationMetrics().withIsEnabled(true)) .withAdvancedDataProtectionMetrics(new AdvancedDataProtectionMetrics().withIsEnabled(true)) .withDetailedStatusCodesMetrics(new DetailedStatusCodesMetrics().withIsEnabled(true)) .withPrefixLevel(new PrefixLevel().withStorageMetrics(prefixStorageMetrics)); AccountLevel accountLevel = new AccountLevel() .withActivityMetrics(new ActivityMetrics().withIsEnabled(true)) .withAdvancedCostOptimizationMetrics(new AdvancedCostOptimizationMetrics().withIsEnabled(true)) .withAdvancedDataProtectionMetrics(new AdvancedDataProtectionMetrics().withIsEnabled(true)) .withDetailedStatusCodesMetrics(new DetailedStatusCodesMetrics().withIsEnabled(true)) .withBucketLevel(bucketLevel); Include include = new Include() .withBuckets(Arrays.asList("arn:aws:s3:::amzn-s3-demo-bucket")) .withRegions(Arrays.asList("us-west-2")); StorageLensDataExportEncryption exportEncryption = new StorageLensDataExportEncryption() .withSSES3(new SSES3()); S3BucketDestination s3BucketDestination = new S3BucketDestination() .withAccountId(exportAccountId) .withArn(exportBucketArn) .withEncryption(exportEncryption) .withFormat(exportFormat) .withOutputSchemaVersion(OutputSchemaVersion.V_1) .withPrefix("Prefix"); CloudWatchMetrics cloudWatchMetrics = new CloudWatchMetrics() .withIsEnabled(true); StorageLensDataExport dataExport = new StorageLensDataExport() .withCloudWatchMetrics(cloudWatchMetrics) .withS3BucketDestination(s3BucketDestination); StorageLensAwsOrg awsOrg = new StorageLensAwsOrg() .withArn(awsOrgARN); StorageLensConfiguration configuration = new StorageLensConfiguration() .withId(configurationId) .withAccountLevel(accountLevel) .withInclude(include) .withDataExport(dataExport) .withAwsOrg(awsOrg) .withIsEnabled(true); List tags = Arrays.asList( new StorageLensTag().withKey("key-1").withValue("value-1"), new StorageLensTag().withKey("key-2").withValue("value-2") ); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfiguration(new PutStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withStorageLensConfiguration(configuration) .withTags(tags) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` ## Using the REST API To enable the CloudWatch publishing option by using the Amazon S3 REST API, you can use [https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutStorageLensConfiguration.html](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutStorageLensConfiguration.html). **Next steps** After you enable the CloudWatch publishing option, you can access your S3 Storage Lens metrics in CloudWatch. You also can leverage CloudWatch features to monitor and analyze your S3 Storage Lens data in CloudWatch. For more information, see the following topics: + [S3 Storage Lens metrics and dimensions](storage-lens-cloudwatch-metrics-dimensions.md) + [Working with S3 Storage Lens metrics in CloudWatch](storage-lens-cloudwatch-monitoring-cloudwatch.md) # Working with S3 Storage Lens metrics in CloudWatch Using CloudWatch You can publish S3 Storage Lens metrics to Amazon CloudWatch to create a unified view of your operational health in [CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html). You can also use CloudWatch features, such as alarms and triggered actions, metric math, and anomaly detection, to monitor and take action on S3 Storage Lens metrics. In addition, CloudWatch API operations enable applications, including third-party providers, to access your S3 Storage Lens metrics. For more information about CloudWatch features, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html). You can enable the CloudWatch publishing option for new or existing dashboard configurations by using the Amazon S3 console, Amazon S3 REST APIs, AWS CLI, and AWS SDKs. The CloudWatch publishing option is available for dashboards that are upgraded to S3 Storage Lens advanced metrics and recommendations. For S3 Storage Lens advanced metrics and recommendations pricing, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/). No additional CloudWatch metrics publishing charges apply; however, other CloudWatch charges, such as dashboards, alarms, and API calls, do apply. For more information, see [Amazon CloudWatch pricing](https://aws.amazon.com/cloudwatch/pricing/). S3 Storage Lens metrics are published to CloudWatch in the account that owns the S3 Storage Lens configuration. After you enable the CloudWatch publishing option within advanced metrics, you can access account-level and bucket-level metrics by configuration ID, account, bucket (for bucket-level metrics only), Region, and storage class in CloudWatch. Prefix-level metrics are not available in CloudWatch. **Note** S3 Storage Lens metrics are daily metrics and are published to CloudWatch once per day. When you query S3 Storage Lens metrics in CloudWatch, the period for the query must be 1 day (86400 seconds). After your daily S3 Storage Lens metrics appear in your S3 Storage Lens dashboard in the Amazon S3 console, it can take a few hours for these same metrics to appear in CloudWatch. When you enable the CloudWatch publishing option for S3 Storage Lens metrics for the first time, it can take up to 24 hours for your metrics to publish to CloudWatch. Currently, S3 Storage Lens metrics cannot be consumed through CloudWatch streams. For more information about working with S3 Storage Lens metrics in CloudWatch, see the following topics. **Topics** + [ ## Working with CloudWatch dashboards ](#storage-lens-cloudwatch-monitoring-cloudwatch-dashboards) + [ ## Setting alarms, triggering actions, and using anomaly detection ](#storage-lens-cloudwatch-monitoring-cloudwatch-alarms) + [ ## Filtering metrics using dimensions ](#storage-lens-cloudwatch-monitoring-cloudwatch-dimensions) + [ ## Calculating new metrics with metric math ](#storage-lens-cloudwatch-monitoring-cloudwatch-metric-math) + [ ## Using search expressions in graphs ](#storage-lens-cloudwatch-monitoring-cloudwatch-search-expressions) ## Working with CloudWatch dashboards You can use CloudWatch dashboards to monitor S3 Storage Lens metrics alongside other application metrics and create a unified view of your operational health. Dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view. CloudWatch has broad permissions control that doesn't support limiting access to a specific set of metrics or dimensions. Users in your account or organization who have access to CloudWatch will have access to metrics for all S3 Storage Lens configurations where the CloudWatch support option is enabled. You can't manage permissions for specific dashboards as you can in S3 Storage Lens. For more information about CloudWatch permissions, see [Managing access permissions to your CloudWatch resources](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/iam-access-control-overview-cw.html) in the *Amazon CloudWatch User Guide*. For more information about using CloudWatch dashboards and configuring permissions, see [Using Amazon CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Dashboards.html) and [Sharing CloudWatch dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html) in the *Amazon CloudWatch User Guide*. ## Setting alarms, triggering actions, and using anomaly detection You can configure CloudWatch alarms that watch S3 Storage Lens metrics in CloudWatch and take action when a threshold is breached. For example, you can configure an alarm that sends an Amazon SNS notification when the **Incomplete Multipart Upload Bytes** metric exceeds 1 GB for three consecutive days. You can also enable anomaly detection to continuously analyze your S3 Storage Lens metrics, determine normal baselines, and surface anomalies. You can create an anomaly detection alarm based on a metric's expected value. For example, you can monitor anomalies for the **Object Lock Enabled Bytes** metric to detect unauthorized removal of Object Lock settings. For more information and examples, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) and [Creating an alarm from a metric on a graph](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create_alarm_metric_graph.html) in the *Amazon CloudWatch User Guide*. ## Filtering metrics using dimensions You can use dimensions to filter S3 Storage Lens metrics in the CloudWatch console. For example, you can filter by `configuration_id`, `aws_account_number`, `aws_region`, `bucket_name`, and more. S3 Storage Lens supports multiple dashboard configurations per account. This means that different configurations can include the same bucket. When these metrics are published to CloudWatch, the bucket will have duplicate metrics within CloudWatch. To view metrics only for a specific S3 Storage Lens configuration in CloudWatch, you can use the `configuration_id` dimension. When you filter by `configuration_id`, you see only the metrics that are associated with the configuration that you identify. For more information about filtering by configuration ID, see [Searching for available metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/finding_metrics_with_cloudwatch.html) in the *Amazon CloudWatch User Guide*. ## Calculating new metrics with metric math You can use metric math to query multiple S3 Storage Lens metrics and use math expressions to create new time series based on these metrics. For example, you can create a new metric for unencrypted objects by subtracting Encrypted Objects from Object Count. You can also create a metric to get the average object size by dividing `StorageBytes` by `ObjectCount` or the number bytes accessed on one day by dividing `BytesDownloaded` by `StorageBytes`. For more information, see [Using metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html) in the *Amazon CloudWatch User Guide*. ## Using search expressions in graphs With S3 Storage Lens metrics, you can create a search expression. For example, you can create a search expression for all metrics that are named **IncompleteMultipartUploadStorageBytes** and add `SUM` to the expression. With this search expression, you can see your total incomplete multipart upload bytes across all dimensions of your storage in a single metric. This example shows the syntax that you would use to create a search expression for all metrics named **IncompleteMultipartUploadStorageBytes**. ``` SUM(SEARCH('{AWS/S3/Storage-Lens,aws_account_number,aws_region,configuration_id,metrics_version,record_type,storage_class} MetricName="IncompleteMultipartUploadStorageBytes"', 'Average',86400)) ``` For more information about this syntax, see [CloudWatch search expression syntax](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/search-expression-syntax.html) in the *Amazon CloudWatch User Guide*. To create a CloudWatch graph with a search expression, see [Creating a CloudWatch graph with a search expression](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create-search-expression.html)in the *Amazon CloudWatch User Guide*. # Amazon S3 Storage Lens metrics use cases You can use your Amazon S3 Storage Lens dashboard to visualize insights and trends, flag outliers, and receive recommendations. S3 Storage Lens metrics are organized into categories that align with key use cases. You can use these metrics to do the following: + Identify cost-optimization opportunities + Apply data-protection best practices + Apply access-management best practices + Improve the performance of application workloads For example, with cost-optimization metrics, you can identify opportunities to reduce your Amazon S3 storage costs. You can identify buckets with multipart uploads that are more than 7-days old or buckets that are accumulating noncurrent versions. Similarly, you can use data-protection metrics to identify buckets that aren't following data-protection best practices within your organization. For example, you can identify buckets that don’t use AWS Key Management Service keys (SSE-KMS) for default encryption or don't have S3 Versioning enabled. With S3 Storage Lens access-management metrics, you can identify bucket settings for S3 Object Ownership so that you can migrate access control list (ACL) permissions to bucket policies and disable ACLs. If you have [S3 Storage Lens advanced metrics](storage_lens_basics_metrics_recommendations.md) enabled, you can use detailed status-code metrics to get counts for successful or failed requests that you can use to troubleshoot access or performance issues. With advanced metrics, you can also access additional cost-optimization and data-protection metrics that you can use to identify opportunities to further reduce your overall S3 storage costs and better align with best practices for protecting your data. For example, advanced cost-optimization metrics include lifecycle rule counts that you can use to identify buckets that don't have lifecycle rules to expire incomplete multipart uploads that are more than 7 days old. Advanced data-protection metrics include replication rule counts. For more information about metrics categories, see [Metrics categories](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_types). For a complete list of S3 Storage Lens metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). **Topics** + [ # Using Amazon S3 Storage Lens to optimize your storage costs ](storage-lens-optimize-storage.md) + [ # Using S3 Storage Lens to protect your data ](storage-lens-data-protection.md) + [ # Using S3 Storage Lens to audit Object Ownership settings ](storage-lens-access-management.md) + [ # Using S3 Storage Lens metrics to improve performance ](storage-lens-detailed-status-code.md) # Using Amazon S3 Storage Lens to optimize your storage costs For cost optimization You can use S3 Storage Lens cost-optimization metrics to reduce the overall cost of your S3 storage. Cost-optimization metrics can help you confirm that you've configured Amazon S3 cost effectively and according to best practices. For example, you can identify the following cost-optimization opportunities: + Buckets with incomplete multipart uploads older than 7 days + Buckets that are accumulating numerous noncurrent versions + Buckets that don't have lifecycle rules to abort incomplete multipart uploads + Buckets that don't have lifecycle rules to expire noncurrent versions objects + Buckets that don't have lifecycle rules to transition objects to a different storage class You can then use this data to add additional lifecycle rules to your buckets. The following examples show how you can use cost- optimization metrics in your S3 Storage Lens dashboard to optimize your storage costs. **Topics** + [ ## Identify your largest S3 buckets ](#identify-largest-s3-buckets) + [ ## Uncover cold Amazon S3 buckets ](#uncover-cold-buckets) + [ ## Locate incomplete multipart uploads ](#locate-incomplete-mpu) + [ ## Reduce the number of noncurrent versions retained ](#reduce-noncurrent-versions-retained) + [ ## Identify buckets that don't have lifecycle rules and review lifecycle rule counts ](#identify-missing-lifecycle-rules) ## Identify your largest S3 buckets You pay for storing objects in S3 buckets. The rate that you're charged depends on your objects' sizes, how long you store the objects, and their storage classes. With S3 Storage Lens, you get a centralized view of all the buckets in your account. To see all the buckets in all of your organization's accounts, you can configure an AWS Organizations-level S3 Storage Lens dashboard. From this dashboard view, you can identify your largest buckets. ### Step 1: Identify your largest buckets 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. When the dashboard opens, you can see the latest date that S3 Storage Lens has collected metrics for. Your dashboard always loads to the latest date that has metrics available. 1. To see a ranking of your largest buckets by the **Total storage** metric for a selected date range, scroll down to the **Top N overview for *date*** section. You can toggle the sort order to show the smallest buckets. You can also adjust the **Metric** selection to rank your buckets by any of the available metrics. The **Top N overview for *date*** section also shows the percentage change from the prior day or week and a spark-line to visualize the trend. This trend is a 14-day trend for free metrics and a 30-day trend for advanced metrics and recommendations. **Note** With S3 Storage Lens advanced metrics and recommendations, metrics are available for queries for 15 months. For more information, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. For more detailed insights about your buckets, scroll up to the top of the page, and then choose the **Bucket** tab. On the **Bucket** tab, you can see details such as the recent growth rate, the average object size, the largest prefixes, and the number of objects. ### Step 2: Navigate to your buckets and investigate After you've identified your largest S3 buckets, you can navigate to each bucket within the S3 console to view the objects in the bucket, understand its associated workload, and identify its internal owners. You can contact the bucket owners to find out whether the growth is expected or whether the growth needs further monitoring and control. ## Uncover cold Amazon S3 buckets If you have [S3 Storage Lens advanced metrics](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection) enabled, you can use [activity metrics](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_types) to understand how cold your S3 buckets are. A "cold" bucket is one whose storage is no longer accessed (or very rarely accessed). This lack of activity typically indicates that the bucket's objects aren't frequently accessed. Activity metrics, such as **GET Requests** and **Download Bytes**, indicate how often your buckets are accessed each day. To understand the consistency of the access pattern and to spot buckets that are no longer being accessed at all, you can trend this data over several months. The **Retrieval rate** metric, which is computed as **Download bytes / Total storage**, indicates the proportion of storage in a bucket that is accessed daily. **Note** Download bytes are duplicated in cases where the same object is downloaded multiple times during the day. **Prerequisite** To see activity metrics in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations** and then select **Activity metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). ### Step 1: Identify active buckets 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. Choose the **Bucket** tab, and then scroll down to the **Bubble analysis by buckets for *date*** section. In the **Bubble analysis by buckets for *date*** section, you can plot your buckets on multiple dimensions by using any three metrics to represent the **X-axis**, **Y-axis**, and **Size** of the bubble. 1. To find buckets that have gone cold, for **X-axis**, **Y-axis**, and **Size**, choose the **Total storage**, **% retrieval rate**, and **Average object size** metrics. 1. In the **Bubble analysis by buckets for *date*** section, locate any buckets with retrieval rates of zero (or near zero) and a larger relative storage size, and choose the bubble that represents the bucket. A box will appear with choices for more granular insights. Do one of the following: 1. To update the **Bucket** tab to display metrics only for the selected bucket, choose **Drill down**, and then choose **Apply**. 1. To aggregate your bucket-level data to by account, AWS Region, storage class, or bucket, choose **Analyze by** and then make a choice for **Dimension**. For example, to aggregate by storage class, choose **Storage class** for **Dimension**. To find buckets that have gone cold, do a bubble analysis using the **Total storage**, **% retrieval rate**, and **Average object size** metrics. Look for any buckets with retrieval rates of zero (or near zero) and a larger relative storage size. The **Bucket** tab of your dashboard updates to display data for your selected aggregation or filter. If you aggregated by storage class or another dimension, that new tab opens in your dashboard (for example, the **Storage class** tab). ### Step 2: Investigate cold buckets From here, you can identify the owners of cold buckets in your account or organization and find out if that storage is still needed. You can then optimize costs by configuring [lifecycle expiration configurations](object-lifecycle-mgmt.md) for these buckets or archiving the data in one of the [Amazon Glacier storage classes](https://docs.aws.amazon.com/amazonglacier/latest/dev/introduction.html). To avoid the problem of cold buckets going forward, you can [automatically transition your data by using S3 Lifecycle configurations](lifecycle-configuration-examples.md) for your buckets, or you can enable [auto-archiving with S3 Intelligent-Tiering](archived-objects.md). You can also use step 1 to identify hot buckets. Then, you can ensure that these buckets use the correct [S3 storage class](storage-class-intro.md) to ensure that they serve their requests most effectively in terms of performance and cost. ## Locate incomplete multipart uploads You can use multipart uploads to upload very large objects (up to 50 TB) as a set of parts for improved throughput and quicker recovery from network issues. In cases where the multipart upload process doesn't finish, the incomplete parts remain in the bucket (in an unusable state). These incomplete parts incur storage costs until the upload process is finished, or until the incomplete parts are removed. For more information, see [Uploading and copying objects using multipart upload in Amazon S3](mpuoverview.md). With S3 Storage Lens, you can identify the number of incomplete multipart upload bytes in your account or across your entire organization, including incomplete multipart uploads that are more than 7 days old. For a complete list of incomplete multipart upload metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). As a best practice, we recommend configuring lifecycle rules to expire incomplete multipart uploads that are older than a specific number of days. When you create your lifecycle rule to expire incomplete multipart uploads, we recommend 7 days as a good starting point. ### Step 1: Review overall trends for incomplete multipart uploads 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. In the **Snapshot for *date*** section, under **Metrics categories**, choose **Cost optimization**. The **Snapshot for *date*** section updates to display **Cost optimization** metrics, which include **Incomplete multipart upload bytes greater than 7 days old**. In any chart in your S3 Storage Lens dashboard, you can see metrics for incomplete multipart uploads. You can use these metrics to further assess the impact of incomplete multipart upload bytes on your storage, including their contribution to overall growth trends. You can also drill down to deeper levels of aggregation, using the **Account**, **AWS Region**, **Bucket**, or **Storage class** tabs for a deeper analysis of your data. For an example, see [Uncover cold Amazon S3 buckets](#uncover-cold-buckets). ### Step 2: Identify buckets that have the most incomplete multipart upload bytes but don't have lifecycle rules to abort incomplete multipart uploads **Prerequisite** To see the **Abort incomplete multipart upload lifecycle rule count** metric in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations**, and then select **Advanced cost optimization metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. To identify specific buckets that are accumulating incomplete multipart uploads greater than 7 days old, go to the **Top N overview for *date*** section. By default, the **Top N overview for *date*** section displays metrics for the top 3 buckets. You can increase or decrease the number of buckets in the **Top N** field. The **Top N overview for *date*** section also shows the percentage change from the prior day or week and a spark-line to visualize the trend. (This trend is a 14-day trend for free metrics and a 30-day trend for advanced metrics and recommendations.) **Note** With S3 Storage Lens advanced metrics and recommendations, metrics are available for queries for 15 months. For more information, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. For **Metric**, choose **Incomplete multipart upload bytes greater than 7 days old** in the **Cost optimization** category. Under **Top *number* buckets**, you can see the buckets with the most incomplete multipart upload storage bytes that are greater than 7 days old. 1. To view more detailed bucket-level metrics for incomplete multipart uploads, scroll to the top of the page, and then choose the **Bucket** tab. 1. Scroll down to the **Buckets** section. For **Metrics categories**, select **Cost optimization**. Then clear **Summary**. The **Buckets** list updates to display all the available **Cost optimization** metrics for the buckets shown. 1. To filter the **Buckets** list to display only specific cost-optimization metrics, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the toggles for all cost-optimization metrics until only **Incomplete multipart upload bytes greater than 7 days old** and **Abort incomplete multipart upload lifecycle rule count** remain selected. 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. The **Buckets** list updates to display bucket-level metrics for incomplete multipart uploads and lifecycle rule counts. You can use this data to identify buckets that have the most incomplete multipart upload bytes that are greater than 7 days old and are missing lifecycle rules to abort incomplete multipart uploads. Then, you can navigate to these buckets in the S3 console and add lifecycle rules to delete abandoned incomplete multipart uploads. ### Step 3: Add a lifecycle rule to delete incomplete multipart uploads after 7 days To automatically manage incomplete multipart uploads, you can use the S3 console to create a lifecycle configuration to expire incomplete multipart upload bytes from a bucket after a specified number of days. For more information, see [Configuring a bucket lifecycle configuration to delete incomplete multipart uploads](mpu-abort-incomplete-mpu-lifecycle-config.md). ## Reduce the number of noncurrent versions retained When enabled, S3 Versioning retains multiple distinct copies of the same object that you can use to quickly recover data if an object is accidentally deleted or overwritten. If you've enabled S3 Versioning without configuring lifecycle rules to transition or expire noncurrent versions, a large number of previous noncurrent versions can accumulate, which can have storage-cost implications. For more information, see [Retaining multiple versions of objects with S3 Versioning](Versioning.md). ### Step 1: Identify buckets with the most noncurrent object versions 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. In the **Snapshot for *date*** section, under **Metric categories**, choose **Cost optimization**. The **Snapshot for *date*** section updates to display **Cost optimization** metrics, which include the metric for **% noncurrent version bytes**. The **% noncurrent version bytes** metric represents the proportion of your total storage bytes that is attributed to noncurrent versions, within the dashboard scope and for the selected date. **Note** If your **% noncurrent version bytes** is greater than 10 percent of your storage at the account level, you might be storing too many object versions. 1. To identify specific buckets that are accumulating a large number of noncurrent versions: 1. Scroll down to the **Top N overview for *date*** section. For **Top N**, enter the number of buckets that you would like to see data for. 1. For **Metric**, choose **% noncurrent version bytes**. Under **Top *number* buckets**, you can see the buckets (for the number that you specified) with the highest **% noncurrent version bytes**. The **Top N overview for *date*** section also shows the percentage change from the prior day or week and a spark-line to visualize the trend. This trend is a 14-day trend for free metrics and a 30-day trend for advanced metrics and recommendations. **Note** With S3 Storage Lens advanced metrics and recommendations, metrics are available for queries for 15 months. For more information, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. To view more detailed bucket-level metrics for noncurrent object versions, scroll to the top of the page, and then choose the **Bucket** tab. In any chart or visualization in your S3 Storage Lens dashboard, you can drill down to deeper levels of aggregation, using the **Account**, **AWS Region**, **Storage class**, or **Bucket** tabs. For an example, see [Uncover cold Amazon S3 buckets](#uncover-cold-buckets). 1. In the **Buckets** section, for **Metric categories**, select **Cost optimization**. Then, clear **Summary**. You can now see the **% noncurrent version bytes** metric, along with other metrics related to noncurrent versions. ### Step 2: Identify buckets that are missing transition and expiration lifecycle rules for managing noncurrent versions **Prerequisite** To see the **Noncurrent version transition lifecycle rule count** and **Noncurrent version expiration lifecycle rule count** metrics in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations**, and then select **Advanced cost optimization metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. In your Storage Lens dashboard, choose the **Bucket ** tab. 1. Scroll down to the **Buckets** section. For **Metrics categories**, select **Cost optimization**. Then clear **Summary**. The **Buckets** list updates to display all the available **Cost optimization** metrics for the buckets shown. 1. To filter the **Buckets** list to display only specific cost-optimization metrics, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the toggles for all cost-optimization metrics until only the following remain selected: + **% noncurrent version bytes** + **Noncurrent version transition lifecycle rule count** + **Noncurrent version expiration lifecycle rule count** 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. The **Buckets** list updates to display metrics for noncurrent version bytes and noncurrent version lifecycle rule counts. You can use this data to identify buckets that have a high percentage of noncurrent version bytes but are missing transition and expiration lifecycle rules. Then, you can navigate to these buckets in the S3 console and add lifecycle rules to these buckets. ### Step 3: Add lifecycle rules to transition or expire noncurrent object versions After you've determined which buckets require further investigation, you can navigate to the buckets within the S3 console and add a lifecycle rule to expire noncurrent versions after a specified number of days. Alternatively, to reduce costs while still retaining noncurrent versions, you can configure a lifecycle rule to transition noncurrent versions to one of the Amazon Glacier storage classes. For more information, see [Specifying a lifecycle rule for a versioning-enabled bucket](lifecycle-configuration-examples.md#lifecycle-config-conceptual-ex6). ## Identify buckets that don't have lifecycle rules and review lifecycle rule counts S3 Storage Lens provides S3 Lifecycle rule count metrics that you can use to identify buckets that are missing lifecycle rules. To find buckets that don't have lifecycle rules, you can use the **Total buckets without lifecycle rules** metric. A bucket with no S3 Lifecycle configuration might have storage that you no longer need or can migrate to a lower-cost storage class. You can also use lifecycle rule count metrics to identify buckets that are missing specific types of lifecycle rules, such as expiration or transition rules. **Prerequisite** To see lifecycle rule count metrics and the **Total buckets without lifecycle rules** metric in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations**, and then select **Advanced cost optimization metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). ### Step 1: Identify buckets without lifecycle rules 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. To identify specific buckets without lifecycle rules, scroll down to the **Top N overview for *date*** section. By default, the **Top N overview for *date*** section displays metrics for the top 3 buckets. In the **Top N** field, you can increase the number of buckets. The **Top N overview for *date*** section also shows the percentage change from the prior day or week and a spark-line to visualize the trend. This trend is a 14-day trend for free metrics and a 30-day trend for advanced metrics and recommendations. **Note** With S3 Storage Lens advanced metrics and recommendations, metrics are available for queries for 15 months. For more information, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. For **Metric**, choose **Total buckets without lifecycle rules** from the **Cost optimization** category. 1. Review the following data for **Total buckets without lifecycle rules**: + **Top *number* accounts** ‐ See which accounts that have the most buckets without lifecycle rules. + **Top *number* Regions** ‐ View a breakdown of buckets without lifecycle rules by Region. + **Top *number* buckets** ‐ See which buckets don't have lifecycle rules. In any chart or visualization in your S3 Storage Lens dashboard, you can drill down to deeper levels of aggregation, using the **Account**, **AWS Region**, **Storage class**, or **Bucket** tabs. For an example, see [Uncover cold Amazon S3 buckets](#uncover-cold-buckets). After you identify which buckets don't have lifecycle rules, you can also review specific lifecycle rule counts for your buckets. ### Step 2: Review lifecycle rule counts for your buckets 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the dashboard that you want to view. 1. In your S3 Storage Lens dashboard, choose the **Bucket** tab. 1. Scroll down to the **Buckets** section. Under **Metrics categories**, select **Cost optimization**. Then clear **Summary**. The **Buckets** list updates to display all the available **Cost optimization** metrics for the buckets shown. 1. To filter the **Buckets** list to display only specific cost-optimization metrics, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the toggles for all cost-optimization metrics until only the following remain selected: + **Transition lifecycle rule count** + **Expiration lifecycle rule count** + **Noncurrent version transition lifecycle rule count** + **Noncurrent version expiration lifecycle rule count** + **Abort incomplete multipart upload lifecycle rule count** + **Total lifecycle rule count** 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. The **Buckets** list updates to display lifecycle rule count metrics for your buckets. You can use this data to identify buckets without lifecycle rules or buckets that are missing specific kinds of lifecycle rules, for example, expiration or transition rules. Then, you can navigate to these buckets in the S3 console and add lifecycle rules to these buckets. ### Step 3: Add lifecycle rules After you've identified buckets with no lifecycle rules, you can add lifecycle rules. For more information, see [Setting an S3 Lifecycle configuration on a bucket](how-to-set-lifecycle-configuration-intro.md) and [Examples of S3 Lifecycle configurations](lifecycle-configuration-examples.md). # Using S3 Storage Lens to protect your data For data protection You can use Amazon S3 Storage Lens data-protection metrics to identify buckets where data-protection best practices haven't been applied. You can use these metrics to take action and apply standard settings that align with best practices for protecting your data across the buckets in your account or organization. For example, you can use data-protection metrics to identify buckets that don't use AWS Key Management Service (AWS KMS) keys (SSE-KMS) for default encryption or requests that use AWS Signature Version 2 (SigV2). The following use cases provide strategies for using your S3 Storage Lens dashboard to identify outliers and apply data-protection best practices across your S3 buckets. **Topics** + [ ## Identify buckets that don't use server-side encryption with AWS KMS for default encryption (SSE-KMS) ](#storage-lens-sse-kms) + [ ## Identify buckets that have S3 Versioning enabled ](#storage-lens-data-protection-versioning) + [ ## Identify requests that use AWS Signature Version 2 (SigV2) ](#storage-lens-data-protection-sigv) + [ ## Count the total number of replication rules for each bucket ](#storage-lens-data-protection-replication-rule) + [ ## Identify percentage of Object Lock bytes ](#storage-lens-data-protection-object-lock) ## Identify buckets that don't use server-side encryption with AWS KMS for default encryption (SSE-KMS) Identify buckets that don't use SSE-KMS for default encryption With Amazon S3 default encryption, you can set the default encryption behavior for an S3 bucket. For more information, see [Setting default server-side encryption behavior for Amazon S3 buckets](bucket-encryption.md). You can use the **SSE-KMS enabled bucket count** and **% SSE-KMS enabled buckets** metrics to identify buckets that use server-side encryption with AWS KMS keys (SSE-KMS) for default encryption. S3 Storage Lens also provides metrics for unencrypted bytes, unencrypted objects, encrypted bytes, and encrypted objects. For a complete list of metrics, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). You can analyze SSE-KMS encryption metrics in the context of general encryption metrics to identify buckets that don't use SSE-KMS. If you want to use SSE-KMS for all the buckets in your account or organization, you can then update the default encryption settings for these buckets to use SSE-KMS. In addition to SSE-KMS, you can use server-side encryption with Amazon S3 managed keys (SSE-S3) or customer-provided keys (SSE-C). For more information, see [Protecting data with encryption](UsingEncryption.md). ### Step 1: Identify which buckets are using SSE-KMS for default encryption 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In the **Trends and distributions** section, choose **% SSE-KMS enabled bucket count** for the primary metric and **% encrypted bytes** for the secondary metric. The **Trend for *date*** chart updates to display trends for SSE-KMS and encrypted bytes. 1. To view more granular, bucket-level insights for SSE-KMS: 1. Choose a point on the chart. A box will appear with choices for more granular insights. 1. Choose the **Buckets** dimension. Then choose **Apply**. 1. In the **Distribution by buckets for *date*** chart, choose the **SSE-KMS enabled bucket count** metric. 1. You can now see which buckets have SSE-KMS enabled and which do not. ### Step 2: Update bucket default encryption settings Now that you've determined which buckets use SSE-KMS in the context of your **% encrypted bytes**, you can identify buckets that don't use SSE-KMS. You can then optionally navigate to these buckets within the S3 console and update their default encryption settings to use SSE-KMS or SSE-S3. For more information, see [Configuring default encryption](default-bucket-encryption.md). ## Identify buckets that have S3 Versioning enabled When enabled, the S3 Versioning feature retains multiple versions of the same object that can be used to quickly recover data if an object is accidentally deleted or overwritten. You can use the **Versioning-enabled bucket count** metric to see which buckets use S3 Versioning. Then, you can take action in the S3 console to enable S3 Versioning for other buckets. ### Step 1: Identify buckets that have S3 Versioning enabled 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In the **Trends and distributions** section, choose **Versioning-enabled bucket count** for the primary metric and **Buckets** for the secondary metric. The **Trend for *date*** chart updates to display trends for S3 Versioning enabled buckets. Right below the trends line, you can see the **Storage class distribution** and **Region distribution** subsections. 1. To view more granular insights for any of the buckets that you see in the **Trend for *date*** chart so that you can perform a deeper analysis, do the following: 1. Choose a point on the chart. A box will appear with choices for more granular insights. 1. Choose a dimension to apply to your data for deeper analysis: **Account**, **AWS Region**, **Storage class**, or **Bucket**. Then choose **Apply**. 1. In the **Bubble analysis by buckets for *date*** section, choose the **Versioning-enabled bucket count**, **Buckets**, and **Active buckets** metrics. The **Bubble analysis by buckets for *date*** section updates to display data for the metrics that you selected. You can use this data to see which buckets have S3 Versioning enabled in the context of your total bucket count. In the **Bubble analysis by buckets for *date*** section, you can plot your buckets on multiple dimensions by using any three metrics to represent the **X-axis**, **Y-axis**, and **Size** of the bubble. ### Step 2: Enable S3 Versioning After you've identified buckets that have S3 Versioning enabled, you can identify buckets that have never had S3 Versioning enabled or are versioning suspended. Then, you can optionally enable versioning for these buckets in the S3 console. For more information, see [Enabling versioning on buckets](manage-versioning-examples.md). ## Identify requests that use AWS Signature Version 2 (SigV2) You can use the **All unsupported signature requests** metric to identify requests that use AWS Signature Version 2 (SigV2). This data can help you identify specific applications that are using SigV2. You can then migrate these applications to AWS Signature Version 4 (SigV4). SigV4 is the recommended signing method for all new S3 applications. SigV4 provides improved security and is supported in all AWS Regions. For more information, see [Amazon S3 update - SigV2 deprecation period extended & modified](https://aws.amazon.com/blogs/aws/amazon-s3-update-sigv2-deprecation-period-extended-modified/). **Prerequisite** To see **All unsupported signature requests** in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations** and then select **Advanced data protection metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). ### Step 1: Examine SigV2 signing trends by AWS account, Region, and bucket 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. To identify specific buckets, accounts, and Regions with requests that use SigV2: 1. Under **Top N overview for *date***, in **Top N**, enter the number of buckets that you would like to see data for. 1. For **Metric**, choose **All unsupported signature requests** from the **Data protection** category. The **Top N overview for *date*** updates to display data for SigV2 requests by account, AWS Region, and bucket. The **Top N overview for *date*** section also shows the percentage change from the prior day or week and a spark-line to visualize the trend. This trend is a 14-day trend for free metrics and a 30-day trend for advanced metrics and recommendations. **Note** With S3 Storage Lens advanced metrics and recommendations, metrics are available for queries for 15 months. For more information, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). ### Step 2: Identify buckets that are accessed by applications through SigV2 requests 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In your Storage Lens dashboard, choose the **Bucket** tab. 1. Scroll down to the **Buckets** section. Under **Metrics categories**, choose **Data protection**. Then clear **Summary**. The **Buckets** list updates to display all the available **Data protection** metrics for the buckets shown. 1. To filter the **Buckets** list to display only specific data-protection metrics, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the toggles for all data-protection metrics until only the following metrics remain selected: + **All unsupported signature requests** + **% all unsupported signature requests** 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. The **Buckets** list updates to display bucket-level metrics for SigV2 requests. You can use this data to identify specific buckets that have SigV2 requests. Then, you can use this information to migrate your applications to SigV4. For more information, see [Authenticating Requests (AWS Signature Version 4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) in the *Amazon Simple Storage Service API Reference*. ## Count the total number of replication rules for each bucket S3 Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Buckets that are configured for object replication can be owned by the same AWS account or by different accounts. For more information, see [Replicating objects within and across Regions](replication.md). You can use S3 Storage Lens replication rule count metrics to get detailed per-bucket information about your buckets that are configured for replication. This information includes replication rules within and across buckets and Regions. **Prerequisite** To see replication rule count metrics in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations** and then select **Advanced data protection metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). ### Step 1: Count the total number of replication rules for each bucket 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In your Storage Lens dashboard, choose the **Bucket** tab. 1. Scroll down to the **Buckets** section. Under **Metrics categories**, choose **Data protection**. Then clear **Summary**. 1. To filter the **Buckets** list to display only replication rule count metrics, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the toggles for all data-protection metrics until only the replication rule count metrics remain selected: + **Same-Region Replication rule count** + **Cross-Region Replication rule count** + **Same-account replication rule count** + **Cross-account replication rule count** + **Total replication rule count** 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. ### Step 2: Add replication rules After you have a per-bucket replication rule count, you can optionally create additional replication rules. For more information, see [Examples for configuring live replication](replication-example-walkthroughs.md). ## Identify percentage of Object Lock bytes With S3 Object Lock, you can store objects by using a *write-once-read-many (WORM)* model. You can use Object Lock to help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely. You can enable Object Lock only when you create a bucket and also enable S3 Versioning. However, you can edit the retention period for individual object versions or apply legal holds for buckets that have Object Lock enabled. For more information, see [Locking objects with Object Lock](object-lock.md). You can use Object Lock metrics in S3 Storage Lens to see the **% Object Lock bytes** metric for your account or organization. You can use this information to identify buckets in your account or organization that aren't following your data-protection best practices. 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In the **Snapshot** section, under **Metrics categories**, choose **Data protection**. The **Snapshot** section updates to display data-protection metrics, including the **% Object Lock bytes** metric. You can see the overall percentage of Object Lock bytes for your account or organization. 1. To see the **% Object Lock bytes** per bucket, scroll down to the **Top N overview** section. To get object-level data for Object Lock, you can also use the **Object Lock object count** and **% Object Lock objects** metrics. 1. For **Metric**, choose **% Object Lock bytes** from the **Data protection** category. By default, the **Top N overview for *date*** section displays metrics for the top 3 buckets. In the **Top N** field, you can increase the number of buckets. The **Top N overview for *date*** section also shows the percentage change from the prior day or week and a spark-line to visualize the trend. This trend is a 14-day trend for free metrics and a 30-day trend for advanced metrics and recommendations. **Note** With S3 Storage Lens advanced metrics and recommendations, metrics are available for queries for 15 months. For more information, see [Metrics selection](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection). 1. Review the following data for **% Object Lock bytes**: + **Top *number* accounts** ‐ See which accounts have the highest and lowest **% Object Lock bytes**. + **Top *number* Regions** ‐ View a breakdown of **% Object Lock bytes** by Region. + **Top *number* buckets** ‐ See which buckets have the highest and lowest **% Object Lock bytes**. # Using S3 Storage Lens to audit Object Ownership settings For Object Ownership Amazon S3 Object Ownership is an S3 bucket-level setting that you can use to disable access control lists (ACLs) and control ownership of the objects in your bucket. If you set Object Ownership to bucket owner enforced, you can disable [access control lists (ACLs)](acl-overview.md) and take ownership of every object in your bucket. This approach simplifies access management for data stored in Amazon S3. By default, when another AWS account uploads an object to your S3 bucket, that account (the object writer) owns the object, has access to it, and can grant other users access to it through ACLs. You can use Object Ownership to change this default behavior. A majority of modern use cases in Amazon S3 no longer require the use of ACLs. Therefore, we recommend that you disable ACLs, except in circumstances where you must control access for each object individually. By setting Object Ownership to bucket owner enforced, you can disable ACLs and rely on policies for access control. For more information, see [Controlling ownership of objects and disabling ACLs for your bucket](about-object-ownership.md). With S3 Storage Lens access-management metrics, you can identify buckets that don't have disabled ACLs. After identifying these buckets, you can migrate ACL permissions to policies and disable ACLs for these buckets. **Topics** + [ ## Step 1: Identify general trends for Object Ownership settings ](#storage-lens-access-management-step1) + [ ## Step 2: Identify bucket-level trends for Object Ownership settings ](#storage-lens-access-management-step2) + [ ## Step 3: Update your Object Ownership setting to bucket owner enforced to disable ACLs ](#storage-lens-access-management-step3) ## Step 1: Identify general trends for Object Ownership settings 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In the **Snapshot for *date*** section, under **Metrics categories**, choose **Access management**. The **Snapshot for *date*** section updates to display the **% Object Ownership bucket owner enforced** metric. You can see the overall percentage of buckets in your account or organization that use the bucket owner enforced setting for Object Ownership to disable ACLs. ## Step 2: Identify bucket-level trends for Object Ownership settings 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. To view more detailed bucket-level metrics, choose the **Bucket** tab. 1. In the **Distribution by buckets for *date*** section, choose the **% Object Ownership bucket owner enforced** metric. The chart updates to show a per-bucket breakdown for **% Object Ownership bucket owner enforced**. You can see which buckets use the bucket owner enforced setting for Object Ownership to disable ACLs. 1. To view the bucket owner enforced settings in context, scroll down to the **Buckets** section. For **Metrics categories**, select **Access management**. Then clear **Summary**. The **Buckets** list displays data for all three Object Ownership settings: bucket owner enforced, bucket owner preferred, and object writer. 1. To filter the **Buckets** list to display metrics only for a specific Object Ownership setting, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the metrics that you don't want to see. 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. ## Step 3: Update your Object Ownership setting to bucket owner enforced to disable ACLs After you've identified buckets that use the object writer and bucket owner preferred setting for Object Ownership, you can migrate your ACL permissions to bucket policies. When you've finished migrating your ACL permissions, you can then update your Object Ownership settings to bucket owner enforced in order to disable ACLs. For more information, see [Prerequisites for disabling ACLs](object-ownership-migrating-acls-prerequisites.md). # Using S3 Storage Lens metrics to improve performance For performance If you have [S3 Storage Lens advanced metrics](storage_lens_basics_metrics_recommendations.md#storage_lens_basics_metrics_selection) enabled, you can use detailed status-code metrics to get counts for successful or failed requests. You can use this information to troubleshoot access or performance issues. Detailed status-code metrics show counts for HTTP status codes, such as 403 Forbidden and 503 Service Unavailable. You can examine overall trends for detailed status-code metrics across S3 buckets, accounts, and organizations. Then, you can drill down into bucket-level metrics to identify workloads that are currently accessing these buckets and causing errors. For example, you can look at the **403 Forbidden error count** metric to identify workloads that are accessing buckets without the correct permissions applied. After you've identified these workloads, you can do a deep dive outside of S3 Storage Lens to troubleshoot your 403 Forbidden errors. This example shows you how to do a trend analysis for the 403 Forbidden error by using the **403 Forbidden error count** and the **% 403 Forbidden errors** metrics. You can use these metrics to identify workloads that are accessing buckets without the correct permissions applied. You can do a similar trend analysis for any of the other **Detailed status code metrics**. For more information, see [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md). **Prerequisite** To see **Detailed status code metrics** in your S3 Storage Lens dashboard, you must enable S3 Storage Lens **Advanced metrics and recommendations**, and then select **Detailed status code metrics**. For more information, see [Using the S3 console](storage_lens_editing.md#storage_lens_console_editing). **Topics** + [ ## Step 1: Do a trend analysis for an individual HTTP status code ](#storage-lens-detailed-status-code-step1) + [ ## Step 2: Analyze error counts by bucket ](#storage-lens-detailed-status-code-step2) + [ ## Step 3: Troubleshoot errors ](#storage-lens-detailed-status-code-step3) ## Step 1: Do a trend analysis for an individual HTTP status code 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In the **Trends and distributions** section, for **Primary metric**, choose **403 Forbidden error count** from the **Detailed status codes** category. For **Secondary metric**, choose **% 403 Forbidden errors**. 1. Scroll down to the **Top N overview for *date*** section. For **Metrics**, choose **403 Forbidden error count** or **% 403 Forbidden errors** from the **Detailed status codes** category. The **Top N overview for *date*** section updates to display the top 403 Forbidden error counts by account, AWS Region, and bucket. ## Step 2: Analyze error counts by bucket 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, **Dashboards**. 1. In the **Dashboards** list, choose the name of the dashboard that you want to view. 1. In your Storage Lens dashboard, choose the **Bucket** tab. 1. Scroll down to the **Buckets** section. For **Metrics categories**, select **Detailed status code** metrics. Then clear **Summary**. The **Buckets** list updates to display all the available detailed status code metrics. You can use this information to see which buckets have a large proportion of certain HTTP status codes and which status codes are common across buckets. 1. To filter the **Buckets** list to display only specific detailed status-code metrics, choose the preferences icon (![\[A screenshot that shows the preferences icon in the S3 Storage Lens dashboard.\]](http://docs.aws.amazon.com/AmazonS3/latest/userguide/images/preferences.png)). 1. Clear the toggles for any detailed status-code metrics that you don't want to view in the **Buckets** list. 1. (Optional) Under **Page size**, choose the number of buckets to display in the list. 1. Choose **Confirm**. The **Buckets** list displays error count metrics for the number of buckets that you specified. You can use this information to identify specific buckets that are experiencing many errors and troubleshoot errors by bucket. ## Step 3: Troubleshoot errors After you identify buckets with a high proportion of specific HTTP status codes, you can troubleshoot these errors. For more information, see the following: + [Why am I getting a 403 Forbidden error when I try to upload files in Amazon S3? ](https://aws.amazon.com/premiumsupport/knowledge-center/s3-403-forbidden-error/) + [Why am I getting a 403 Forbidden error when I try to modify a bucket policy in Amazon S3?](https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/) + [How do I troubleshoot 403 Forbidden errors from my Amazon S3 bucket where all the resources are from the same AWS account?](https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403-resource-same-account/) + [How do I troubleshoot an HTTP 500 or 503 error from Amazon S3?](https://aws.amazon.com/premiumsupport/knowledge-center/http-5xx-errors-s3/) # Working with S3 Storage Lens data in S3 Tables Working with S3 Tables Amazon S3 Storage Lens can export your storage analytics and insights to S3 Tables, enabling you to query your Storage Lens metrics using SQL with AWS analytics services like Amazon Athena, Amazon EMR, Amazon SageMaker Studio (SMStudio), and other AWS analytics tools. When you configure S3 Storage Lens to export to S3 Tables, your metrics are automatically stored in read-only Apache Iceberg tables in the AWS-managed `aws-s3` table bucket. This integration provides structured data access for querying Storage Lens metrics using standard SQL, analytics integration with AWS analytics services, historical analysis capabilities, and cost optimization with no additional charges for exporting to AWS-managed S3 Tables. **Topics** + [ # Exporting S3 Storage Lens metrics to S3 Tables ](storage-lens-s3-tables-export.md) + [ # Table naming for S3 Storage Lens export to S3 Tables ](storage-lens-s3-tables-naming.md) + [ # Understanding S3 Storage Lens table schemas ](storage-lens-s3-tables-schemas.md) + [ # Permissions for S3 Storage Lens tables ](storage-lens-s3-tables-permissions.md) + [ # Querying S3 Storage Lens data with analytics tools ](storage-lens-s3-tables-querying.md) + [ # Using AI assistants with S3 Storage Lens tables ](storage-lens-s3-tables-ai-tools.md) # Exporting S3 Storage Lens metrics to S3 Tables Exporting metrics to S3 Tables You can configure Amazon S3 Storage Lens to export your storage analytics and insights to S3 Tables. When you enable S3 Tables export, your metrics are automatically stored in read-only Apache Iceberg tables in the AWS-managed `aws-s3` table bucket, making them queryable using SQL with AWS analytics services like Amazon Athena, Amazon Redshift, and Amazon EMR. **Note** There is no additional charge for exporting S3 Storage Lens metrics to AWS-managed S3 Tables. Standard charges apply for table storage, table management, and requests on the tables. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing). ## Enable S3 Tables export using the console 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens**, and then choose **Storage Lens Dashboards**. 1. In **Storage Lens Dashboards** list, choose the dashboard that you want to edit. 1. Choose **Edit**. 1. On the **Dashboard** page, navigate to **Metrics export and publishing** section. 1. To enable Table Export for **Default metrics report**, select **Table bucket** in the Bucket type. 1. To enable Table Export for **Expanded prefixes metrics report**, select **Table bucket** in the Bucket type. 1. Review dashboard config and click **Submit**. **Note** After you enable S3 Tables export, it can take up to 48 hours for the first data to be available in the tables. **Note** There is no additional charge for exporting S3 Storage Lens metrics to AWS-managed S3 Tables. Standard charges apply for table storage, table management, requests on the tables, and monitoring. You can enable or disable export to S3 Tables by using the Amazon S3 console, Amazon S3 API, the AWS CLI, or AWS SDKs. **Note** By default, records in your S3 tables don't expire. To help minimize storage costs for your tables, you can enable and configure record expiration for the tables. With this option, Amazon S3 automatically removes records from a table when the records expire. See: [Record expiration for tables.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-record-expiration.html) ## Enable S3 Tables export using the AWS CLI **Note** Before running the following commands, make sure that you have an up to date CLI version. See [Installing or updating to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html). The following example enables S3 Tables export for an S3 Storage Lens configuration "Default metrics report" using the AWS CLI. To use this example, replace the *user input placeholders* with your own information. ``` aws s3control put-storage-lens-configuration --account-id=555555555555 --config-id=your-configuration-id --storage-lens-configuration '{ "Id":"your-configuration-id", "AccountLevel":{ "ActivityMetrics":{ "IsEnabled":true }, "BucketLevel":{ "ActivityMetrics":{ "IsEnabled":true } } }, "DataExport":{ "S3BucketDestination":{ "OutputSchemaVersion":"V_1", "Format":"CSV", "AccountId":"555555555555", "Arn":"arn:aws:s3:::my-export-bucket", "Prefix":"storage-lens-exports/" }, "StorageLensTableDestination":{ "IsEnabled":true } }, "IsEnabled":true }' ``` ## Enable S3 Tables export using the AWS SDKs The following example enables S3 Tables export for an S3 Storage Lens configuration "Default metrics report" using the AWS SDK for Python (Boto3). To use this example, replace the *user input placeholders* with your own information. ``` import boto3 s3control = boto3.client('s3control') response = s3control.put_storage_lens_configuration( AccountId='555555555555', ConfigId='your-configuration-id', StorageLensConfiguration={ 'Id': 'your-configuration-id', 'AccountLevel': { 'ActivityMetrics': { 'IsEnabled': True }, 'BucketLevel': { 'ActivityMetrics': { 'IsEnabled': True } } }, 'DataExport': { 'S3BucketDestination': { 'OutputSchemaVersion': 'V_1', 'Format': 'CSV', 'AccountId': '555555555555', 'Arn': 'arn:aws:s3:::my-export-bucket', 'Prefix': 'storage-lens-exports/' }, 'StorageLensTableDestination': { 'IsEnabled': True } }, 'IsEnabled': True } ) ``` For more information about using the AWS SDKs, see [AWS SDKs and tools](https://aws.amazon.com/developer/tools/). ## Next steps After enabling S3 Tables export, you can: + Learn about [Table naming for S3 Storage Lens export to S3 Tables](storage-lens-s3-tables-naming.md) + Learn about [Understanding S3 Storage Lens table schemas](storage-lens-s3-tables-schemas.md) # Table naming for S3 Storage Lens export to S3 Tables Table naming conventions When you export S3 Storage Lens metrics to S3 Tables, the tables are organized using Apache Iceberg catalog conventions with specific naming patterns to ensure compatibility and organization. ## Table location structure The complete table location follows this pattern: ``` s3tablescatalog/aws-s3// ``` ### Table bucket name **Table Bucket:** `aws-s3` The S3 Storage Lens export uses the `aws-s3` table bucket, which is the designated bucket for AWS S3-related system tables. ### Catalog name **Catalog:** `s3tablescatalog/aws-s3` S3 Storage Lens tables are stored in the S3 catalog because Storage Lens provides insights about three types of S3 resources: + Storage metrics + Bucket properties + API usage metrics ## Namespace naming convention Namespaces organize tables within the catalog. For S3 Storage Lens, the namespace is derived from your Storage Lens configuration ID. ### Standard namespace format For Storage Lens configuration IDs without dots (`.`): ``` lens__exp ``` **Example:** If your configuration ID is `my-lens-config`, the namespace will be: ``` lens_my-lens-config_exp ``` ### Namespace format with dot character or uppercase letters handling Storage Lens configuration IDs can contain dots (`.`) or uppercase letters (`A-Z`), but S3 Tables namespaces only support lowercase letters, numbers, hyphens (`-`), and underscores (`_`). When your configuration ID contains dots, they are converted to hyphens, uppercase letters are converted to lower case letters, and a hash suffix is added for uniqueness: ``` lens__exp_<7-char-hash> ``` **Example:** If your configuration ID is `my.LENS.config`, the namespace will be: ``` lens_my-lens-config_exp_a1b2c3d ``` Where `a1b2c3d` is the first 7 characters of the SHA-1 hash of the original configuration ID. ## Complete examples For a Storage Lens configuration with ID `production-metrics`: + **Table Bucket:** `aws-s3` + **Catalog:** `s3tablescatalog/aws-s3` + **Namespace:** `lens_production-metrics_exp` + **Full Path:** `s3tablescatalog/aws-s3/lens_production-metrics_exp/` For a Storage Lens configuration with ID `prod.us.east.metrics`: + **Table Bucket:** `aws-s3` + **Catalog:** `s3tablescatalog/aws-s3` + **Namespace:** `lens_prod-us-east-metrics_exp_f8e9a1b` (with hash) + **Full Path:** `s3tablescatalog/aws-s3/lens_prod-us-east-metrics_exp_f8e9a1b/` ## Table types The following table shows the different types of tables created for S3 Storage Lens exports: | Catalog | Namespace | S3 table name | Description | | --- | --- | --- | --- | | s3tablescatalog/aws-s3 | lens\$1\$1exp[\$1] | default\$1storage\$1metrics | This table contains the storage metrics for your Storage Lens configuration. | | s3tablescatalog/aws-s3 | lens\$1\$1exp[\$1] | default\$1activity\$1metrics | This table contains the activity metrics for your Storage Lens configuration. | | s3tablescatalog/aws-s3 | lens\$1\$1exp[\$1] | expanded\$1prefixes\$1storage\$1metrics | This table contains the storage metrics for all the prefixes in your Storage Lens configuration. | | s3tablescatalog/aws-s3 | lens\$1\$1exp[\$1] | expanded\$1prefixes\$1activity\$1metrics | This table contains the activity metrics for all the prefixes in your Storage Lens configuration. | | s3tablescatalog/aws-s3 | lens\$1\$1exp[\$1] | bucket\$1property\$1metrics | This table contains the bucket property metrics for all the buckets in your Storage Lens configuration. | ## Next steps + Learn about [Understanding S3 Storage Lens table schemas](storage-lens-s3-tables-schemas.md) + Learn about [Permissions for S3 Storage Lens tables](storage-lens-s3-tables-permissions.md) # Understanding S3 Storage Lens table schemas S3 tables schemas When exporting S3 Storage Lens metrics to S3 tables, the data is organized into three separate table schemas: storage metrics, bucket property metrics, and activity metrics. ## Storage metrics table schema Storage metrics table schema | Name | Type | Description | | --- | --- | --- | | version\$1number | string | Version identifier of the schema of the table | | configuration\$1id | string | S3 Storage Lens configuration name | | report\$1time | timestamptz | Date the S3 Storage Lens report refers to | | aws\$1account\$1id | string | Account id the entry refers to | | aws\$1region | string | Region | | storage\$1class | string | Storage Class | | record\$1type | string | Type of record, related to what is the level of aggregation of data. Values: ACCOUNT, BUCKET, PREFIX, STORAGE\$1LENS\$1GROUP\$1BUCKET, STORAGE\$1LENS\$1GROUP\$1ACCOUNT. | | record\$1value | string | Disambiguator for record types that have more than one record under them. It is used to reference the prefix | | bucket\$1name | string | Bucket name | | object\$1count | long | Number of objects stored for the current referenced item | | storage\$1bytes | DECIMAL(38,0) | Number of bytes stored for the current referenced item | | bucket\$1key\$1sse\$1kms\$1object\$1count | long | Number of objects encrypted with a customer managed key stored for the current referenced item | | bucket\$1key\$1sse\$1kms\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes encrypted with a customer managed key stored for the current referenced item | | current\$1version\$1object\$1count | long | Number of current version objects stored for the current referenced item | | current\$1version\$1storage\$1bytes | DECIMAL(38,0) | Number of current version bytes stored for the current referenced item | | delete\$1marker\$1object\$1count | long | Number of delete marker objects stored for the current referenced item | | delete\$1marker\$1storage\$1bytes | DECIMAL(38,0) | Number of delete marker bytes stored for the current referenced item | | encrypted\$1object\$1count | long | Number of encrypted objects stored for the current referenced item | | encrypted\$1storage\$1bytes | DECIMAL(38,0) | Number of encrypted bytes stored for the current referenced item | | incomplete\$1mpu\$1object\$1older\$1than\$17\$1days\$1count | long | Number of incomplete multipart upload objects older than 7 days stored for the current referenced item | | incomplete\$1mpu\$1storage\$1older\$1than\$17\$1days\$1bytes | DECIMAL(38,0) | Number of incomplete multipart upload bytes stored older than 7 days for the current referenced item | | incomplete\$1mpu\$1object\$1count | long | Number of incomplete multipart upload objects stored for the current referenced item | | incomplete\$1mpu\$1storage\$1bytes | DECIMAL(38,0) | Number of incomplete multipart upload bytes stored for the current referenced item | | non\$1current\$1version\$1object\$1count | long | Number of non-current version objects stored for the current referenced item | | non\$1current\$1version\$1storage\$1bytes | DECIMAL(38,0) | Number of non-current version bytes stored for the current referenced item | | object\$1lock\$1enabled\$1object\$1count | long | Number of objects stored for for objects with lock enabled in the current referenced item | | object\$1lock\$1enabled\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes stored for objects with lock enabled in the current referenced item | | replicated\$1object\$1count | long | Number of objects replicated for the current referenced item | | replicated\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes replicated for the current referenced item | | replicated\$1object\$1source\$1count | long | Number of objects replicated as source stored for the current referenced item | | replicated\$1storage\$1source\$1bytes | DECIMAL(38,0) | Number of bytes replicated as source for the current referenced item | | sse\$1kms\$1object\$1count | long | Number of objects encrypted with SSE key stored for the current referenced item | | sse\$1kms\$1storage\$1bytes | DECIMAL(38,0) | Number of bytes encrypted with SSE key stored for the current referenced item | | object\$10kb\$1count | long | Number of objects with sizes equal to 0KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$10kb\$1to\$1128kb\$1count | long | Number of objects with sizes greater than 0KB and less than equal to 128KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1128kb\$1to\$1256kb\$1count | long | Number of objects with sizes greater than 128KB and less than equal to 256KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1256kb\$1to\$1512kb\$1count | long | Number of objects with sizes greater than 256KB and less than equal to 512KB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1512kb\$1to\$11mb\$1count | long | Number of objects with sizes greater than 512KB and less than equal to 1MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$11mb\$1to\$12mb\$1count | long | Number of objects with sizes greater than 1MB and less than equal to 2MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$12mb\$1to\$14mb\$1count | long | Number of objects with sizes greater than 2MB and less than equal to 4MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$14mb\$1to\$18mb\$1count | long | Number of objects with sizes greater than 4MB and less than equal to 8MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$18mb\$1to\$116mb\$1count | long | Number of objects with sizes greater than 8MB and less than equal to 16MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$116mb\$1to\$132mb\$1count | long | Number of objects with sizes greater than 16MB and less than equal to 32MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$132mb\$1to\$164mb\$1count | long | Number of objects with sizes greater than 32MB and less than equal to 64MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$164mb\$1to\$1128mb\$1count | long | Number of objects with sizes greater than 64MB and less than equal to 128MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1128mb\$1to\$1256mb\$1count | long | Number of objects sizes greater than 128MB and less than equal to 256MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1256mb\$1to\$1512mb\$1count | long | Number of objects sizes greater than 256MB and less than equal to 512MB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1512mb\$1to\$11gb\$1count | long | Number of objects sizes greater than 512MB and less than equal to 1GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$11gb\$1to\$12gb\$1count | long | Number of objects sizes greater than 1GB and less than equal to 2GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$12gb\$1to\$14gb\$1count | long | Number of objects sizes greater than 2GB and less than equal to 4GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | | object\$1larger\$1than\$14gb\$1count | long | Number of objects sizes greater than 4GB, including current version, noncurrent versions, incomplete multipart uploads, and delete markers | ## Bucket property metrics table schema Bucket property metrics schema | Name | Type | Description | | --- | --- | --- | | version\$1number | string | Version identifier of the schema of the table | | configuration\$1id | string | S3 Storage Lens configuration name | | report\$1time | timestamptz | Date the S3 Storage Lens report refers to | | aws\$1account\$1id | string | Account id the entry refers to | | record\$1type | string | Type of record, related to what is the level of aggregation of data. Values: ACCOUNT, BUCKET, PREFIX, STORAGE\$1LENS\$1GROUP\$1BUCKET, STORAGE\$1LENS\$1GROUP\$1ACCOUNT. | | record\$1value | string | Disambiguator for record types that have more than one record under them. It is used to reference the prefix. | | aws\$1region | string | Region | | storage\$1class | string | Storage Class | | bucket\$1name | string | Bucket name | | versioning\$1enabled\$1bucket\$1count | long | Number of buckets with versioning enabled for the current referenced item | | mfa\$1delete\$1enabled\$1bucket\$1count | long | Number of buckets with MFA delete enabled for the current referenced item | | sse\$1kms\$1enabled\$1bucket\$1count | long | Number of buckets with KMS enabled for the current referenced item | | object\$1ownership\$1bucket\$1owner\$1enforced\$1bucket\$1count | long | Number of buckets with Object Ownership bucket owner enforced for the current referenced item | | object\$1ownership\$1bucket\$1owner\$1preferred\$1bucket\$1count | long | Number of buckets with Object Ownership bucket owner preferred for the current referenced item | | object\$1ownership\$1object\$1writer\$1bucket\$1count | long | Number of buckets with Object Ownership object writer for the current referenced item | | transfer\$1acceleration\$1enabled\$1bucket\$1count | long | Number of buckets with transfer acceleration enabled for the current referenced item | | event\$1notification\$1enabled\$1bucket\$1count | long | Number of buckets with event notification enabled for the current referenced item | | transition\$1lifecycle\$1rule\$1count | long | Number of transition lifecycle rules for the current referenced item | | expiration\$1lifecycle\$1rule\$1count | long | Number of expiration lifecycle rules for the current referenced item | | non\$1current\$1version\$1transition\$1lifecycle\$1rule\$1count | long | Number of noncurrent version transition lifecycle rules for the current referenced item | | non\$1current\$1version\$1expiration\$1lifecycle\$1rule\$1count | long | Number of noncurrent version expiration lifecycle rules for the current referenced item | | abort\$1incomplete\$1multipart\$1upload\$1lifecycle\$1rule\$1count | long | Number of abort incomplete multipart upload lifecycle rules for the current referenced item | | expired\$1object\$1delete\$1marker\$1lifecycle\$1rule\$1count | long | Number of expire object delete marker lifecycle rules for the current referenced item | | same\$1region\$1replication\$1rule\$1count | long | Number of Same-Region Replication rule count for the current referenced item | | cross\$1region\$1replication\$1rule\$1count | long | Number of Cross-Region Replication rule count for the current referenced item | | same\$1account\$1replication\$1rule\$1count | long | Number of Same-account replication rule count for the current referenced item | | cross\$1account\$1replication\$1rule\$1count | long | Number of Cross-account replication rule count for the current referenced item | | invalid\$1destination\$1replication\$1rule\$1count | long | Number of buckets with Invalid destination replication for the current referenced item | ## Activity metrics table schema Activity metrics schema | Name | Type | Description | | --- | --- | --- | | version\$1number | string | Version identifier of the schema of the table | | configuration\$1id | string | S3 Storage Lens configuration name | | report\$1time | timestamptz | Date the S3 Storage Lens report refers to | | aws\$1account\$1id | string | Account id the entry refers to | | aws\$1region | string | Region | | storage\$1class | string | Storage Class | | record\$1type | string | Type of record, related to what is the level of aggregation of data. Values: ACCOUNT, BUCKET, PREFIX, STORAGE\$1LENS\$1GROUP\$1BUCKET, STORAGE\$1LENS\$1GROUP\$1ACCOUNT. | | record\$1value | string | Disambiguator for record types that have more than one record under them. It is used to reference the prefix | | bucket\$1name | string | Bucket name | | all\$1request\$1count | long | Number of \$1all\$1 requests for the current referenced item | | all\$1sse\$1kms\$1encrypted\$1request\$1count | long | Number of KMS encrypted requests for the current referenced item | | all\$1unsupported\$1sig\$1request\$1count | long | Number of unsupported sig requests for the current referenced item | | all\$1unsupported\$1tls\$1request\$1count | long | Number of unsupported TLS requests for the current referenced item | | bad\$1request\$1error\$1400\$1count | long | Number of 400 bad request errors for the current referenced item | | delete\$1request\$1count | long | Number of delete requests for the current referenced item | | downloaded\$1bytes | decimal(0,0) | Number of downloaded bytes for the current referenced item | | error\$14xx\$1count | long | Number of 4xx errors for the current referenced item | | error\$15xx\$1count | long | Number of 5xx errors for the current referenced item | | forbidden\$1error\$1403\$1count | long | Number of 403 forbidden errors for the current referenced item | | get\$1request\$1count | long | Number of get requests for the current referenced item | | head\$1request\$1count | long | Number of head requests for the current referenced item | | internal\$1server\$1error\$1500\$1count | long | Number of 500 internal server errors for the current referenced item | | list\$1request\$1count | long | Number of list requests for the current referenced item | | not\$1found\$1error\$1404\$1count | long | Number of 404 not found errors for the current referenced item | | ok\$1status\$1200\$1count | long | Number of 200 OK requests for the current referenced item | | partial\$1content\$1status\$1206\$1count | long | Number of 206 partial content requests for the current referenced item | | post\$1request\$1count | long | Number of post requests for the current referenced item | | put\$1request\$1count | long | Number of put requests for the current referenced item | | select\$1request\$1count | long | Number of select requests for the current referenced item | | select\$1returned\$1bytes | decimal(0,0) | Number of bytes returned by select requests for the current referenced item | | select\$1scanned\$1bytes | decimal(0,0) | Number of bytes scanned by select requests for the current referenced item | | service\$1unavailable\$1error\$1503\$1count | long | Number of 503 service unavailable errors for the current referenced item | | uploaded\$1bytes | decimal(0,0) | Number of uploaded bytes for the current referenced item | | average\$1first\$1byte\$1latency | long | Average per-request time between when an S3 bucket receives a complete request and when it starts returning the response, measured over the past 24 hours | | average\$1total\$1request\$1latency | long | Average elapsed per-request time between the first byte received and the last byte sent to an S3 bucket, measured over the past 24 hours | | read\$10kb\$1request\$1count | long | Number of GetObject requests with data sizes of 0KB, including both range-based requests and whole object requests | | read\$10kb\$1to\$1128kb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 0KB and up to 128KB, including both range-based requests and whole object requests | | read\$1128kb\$1to\$1256kb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 128KB and up to 256KB, including both range-based requests and whole object requests | | read\$1256kb\$1to\$1512kb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 256KB and up to 512KB, including both range-based requests and whole object requests | | read\$1512kb\$1to\$11mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 512KB and up to 1MB, including both range-based requests and whole object requests | | read\$11mb\$1to\$12mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 1MB and up to 2MB, including both range-based requests and whole object requests | | read\$12mb\$1to\$14mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 2MB and up to 4MB, including both range-based requests and whole object requests | | read\$14mb\$1to\$18mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 4MB and up to 8MB, including both range-based requests and whole object requests | | read\$18mb\$1to\$116mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 8MB and up to 16MB, including both range-based requests and whole object requests | | read\$116mb\$1to\$132mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 16MB and up to 32MB, including both range-based requests and whole object requests | | read\$132mb\$1to\$164mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 32MB and up to 64MB, including both range-based requests and whole object requests | | read\$164mb\$1to\$1128mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 64MB and up to 128MB, including both range-based requests and whole object requests | | read\$1128mb\$1to\$1256mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 128MB and up to 256MB, including both range-based requests and whole object requests | | read\$1256mb\$1to\$1512mb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 256MB and up to 512MB, including both range-based requests and whole object requests | | read\$1512mb\$1to\$11gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 512MB and up to 1GB, including both range-based requests and whole object requests | | read\$11gb\$1to\$12gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 1GB and up to 2GB, including both range-based requests and whole object requests | | read\$12gb\$1to\$14gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 2GB and up to 4GB, including both range-based requests and whole object requests | | read\$1larger\$1than\$14gb\$1request\$1count | long | Number of GetObject requests with data sizes greater than 4GB, including both range-based requests and whole object requests | | write\$10kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes of 0KB | | write\$10kb\$1to\$1128kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 0KB and up to 128KB | | write\$1128kb\$1to\$1256kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 128KB and up to 256KB | | write\$1256kb\$1to\$1512kb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 256KB and up to 512KB | | write\$1512kb\$1to\$11mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 512KB and up to 1MB | | write\$11mb\$1to\$12mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 1MB and up to 2MB | | write\$12mb\$1to\$14mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 2MB and up to 4MB | | write\$14mb\$1to\$18mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 4MB and up to 8MB | | write\$18mb\$1to\$116mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 8MB and up to 16MB | | write\$116mb\$1to\$132mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 16MB and up to 32MB | | write\$132mb\$1to\$164mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 32MB and up to 64MB | | write\$164mb\$1to\$1128mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 64MB and up to 128MB | | write\$1128mb\$1to\$1256mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 128MB and up to 256MB | | write\$1256mb\$1to\$1512mb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 256MB and up to 512MB | | write\$1512mb\$1to\$11gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 512MB and up to 1GB | | write\$11gb\$1to\$12gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 1GB and up to 2GB | | write\$12gb\$1to\$14gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 2GB and up to 4GB | | write\$1larger\$1than\$14gb\$1request\$1count | long | Number of PutObject, UploadPart, and CreateMultipartUpload requests with data sizes greater than 4GB | | concurrent\$1put\$1503\$1error\$1count | long | Number of 503 errors that are generated due to concurrent writes to the same object | | cross\$1region\$1request\$1count | long | Number of requests that originate from a client in different Region than bucket's home Region | | cross\$1region\$1transferred\$1bytes | decimal(0,0) | Number of bytes that are transferred from calls in different Region than bucket's home Region | | cross\$1region\$1without\$1replication\$1request\$1count | long | Number of requests that originate from a client in different Region than bucket's home Region, excluding cross-region replication requests | | cross\$1region\$1without\$1replication\$1transferred\$1bytes | decimal(0,0) | Number of bytes that are transferred from calls in different Region than bucket's home Region, excluding cross-region replication bytes | | inregion\$1request\$1count | long | Number of requests that originate from a client in same Region as bucket's home Region | | inregion\$1transferred\$1bytes | decimal(0,0) | Number of bytes that are transferred from calls from same Region as bucket's home Region | | unique\$1objects\$1accessed\$1daily\$1count | long | Number of objects that were accessed at least once in last 24 hrs | ## Next steps + Learn about [Permissions for S3 Storage Lens tables](storage-lens-s3-tables-permissions.md) + Start [Querying S3 Storage Lens data with analytics tools](storage-lens-s3-tables-querying.md) + Review the [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md) for detailed metric definitions # Permissions for S3 Storage Lens tables IAM permissions To work with S3 Storage Lens data exported to S3 Tables, you need appropriate AWS Identity and Access Management (IAM) permissions. This topic covers the permissions required for exporting metrics and managing encryption. ## Permissions for metrics export to S3 Tables To create and work with S3 Storage Lens tables and table buckets, you must have certain `s3tables` permissions. At a minimum, to configure S3 Storage Lens to S3 Tables, you must have the following `s3tables` permissions: + `s3tables:CreateTableBucket` – This permission allows you to create an AWS-managed table bucket. All S3 Storage Lens metrics in your account are stored in a single AWS-managed table bucket named `aws-s3`. + `s3tables:PutTableBucketPolicy` – S3 Storage Lens uses this permission to set a table bucket policy that allows `systemtables.s3.amazonaws.com` access to the bucket so that logs can be delivered. **Important** If you remove permissions for the service principal `systemtables.s3.amazonaws.com`, S3 Storage Lens will not be able to update the S3 tables with data based on your configuration. We recommend adding other access control policies in addition to the policy already provided, instead of editing the canned policy that is added when your table bucket is set up. **Note** A separate S3 table for each type of metric export is created for each Storage Lens configuration. If you have multiple Storage Lens configurations in the Region, separate tables are created for additional configurations. For example, there are three types of tables available for your S3 table bucket. ## Permissions for AWS KMS encrypted tables S3 table bucket KMS permissions All data in S3 tables including S3 Storage Lens metrics are encrypted with SSE-S3 encryption by default. You can choose to encrypt your Storage Lens metrics report with AWS KMS keys (SSE-KMS). If you choose to encrypt your S3 Storage Lens metric reports with KMS keys, you must have additional permissions. 1. The user or IAM role needs the following permissions. You can grant these permissions by using the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + `kms:DescribeKey` on the AWS KMS key used 1. On the key policy for the AWS KMS key, you need the following permissions. You can grant these permissions by using the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms). To use this policy, replace the ` user input placeholders ` with your own information. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "EnableSystemTablesKeyUsage", "Effect": "Allow", "Principal": { "Service": "systemtables.s3.amazonaws.com" }, "Action": [ "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" } } }, { "Sid": "EnableKeyUsage", "Effect": "Allow", "Principal": { "Service": "maintenance.s3tables.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id", "Condition": { "StringLike": { "kms:EncryptionContext:aws:s3:arn": "/*" } } } ] } ``` ## Service-linked role for S3 Storage Lens S3 Storage Lens uses a service-linked role to write metrics to S3 Tables. This role is automatically created when you enable S3 Tables export for the first time in your account. The service-linked role has the following permissions: + `s3tables:CreateTable` - To create tables in the `aws-s3` table bucket + `s3tables:PutTableData` - To write metrics data to tables + `s3tables:GetTable` - To retrieve table metadata You don't need to manually create or manage this service-linked role. For more information about service-linked roles, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html) in the *IAM User Guide*. ## Best practices for permissions Follow these best practices when configuring permissions for S3 Storage Lens tables: + **Use least privilege** - Grant only the permissions required for specific tasks. For example, if users only need to query data, don't grant permissions to modify Storage Lens configurations. + **Use IAM roles** - Use IAM roles instead of long-term access keys for applications and services that access S3 Storage Lens tables. + **Enable AWS CloudTrail** - Enable CloudTrail logging to monitor access to S3 Storage Lens tables and track permission changes. + **Use resource-based policies** - When possible, use resource-based policies to control access to specific tables or namespaces. + **Regularly review permissions** - Periodically review and audit IAM policies and Lake Formation permissions to ensure they follow the principle of least privilege. ## Troubleshooting permissions ### Access denied when enabling S3 Tables export **Problem:** You receive an "access denied" error when trying to enable S3 Tables export. **Solution:** Verify that your IAM user or role has the `s3:PutStorageLensConfiguration` permission and the necessary S3 Tables permissions. ### Access denied when querying tables **Problem:** You receive an "access denied" error when querying S3 Storage Lens tables in Amazon Athena. **Solution:** Verify that: + Analytics integration is enabled on the `aws-s3` table bucket + Lake Formation permissions are correctly configured + Your IAM user or role has the necessary Amazon Athena permissions ### KMS encryption errors **Problem:** You receive KMS-related errors when accessing encrypted tables. **Solution:** Verify that: + Your IAM policy includes the required KMS permissions + The KMS key policy grants permissions to the S3 Storage Lens service principal + The KMS key is in the same Region as your Storage Lens configuration ## Next steps + Learn about [Setting Amazon S3 Storage Lens permissions](storage_lens_iam_permissions.md) + Learn about [Querying S3 Storage Lens data with analytics tools](storage-lens-s3-tables-querying.md) + Learn about [Using AI assistants with S3 Storage Lens tables](storage-lens-s3-tables-ai-tools.md) # Querying S3 Storage Lens data with analytics tools Querying with analytics tools Before you can query S3 Storage Lens data exported to S3 Tables using AWS analytics services like Amazon Athena or Amazon EMR, you must enable analytics integration on the AWS-managed `aws-s3` table bucket and configure AWS Lake Formation permissions. **Important** Enabling analytics integration on the "aws-s3" table bucket is a required step that is often missed. Without this configuration, you will not be able to query your S3 Storage Lens tables using AWS analytics services. ## Prerequisites Before you begin, ensure that you have: + An S3 Storage Lens configuration with S3 Tables export enabled. For more information, see [Exporting S3 Storage Lens metrics to S3 Tables](storage-lens-s3-tables-export.md) . + Access to Amazon Athena or another analytics service. + Waited 24-48 hours after enabling export for the first data to be available. ## Integration overview For detailed information about integrating S3 Tables with AWS analytics services, including prerequisites, IAM role configuration, and step-by-step procedures, see [Integrating Amazon S3 Tables with AWS analytics services.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html) After you enable S3 Tables export and set up analytics integration, you can query your S3 Storage Lens data using AWS analytics services such as Amazon Athena, Amazon Redshift, and Amazon EMR. This enables you to perform custom analysis, create dashboards, and derive insights from your storage data using standard SQL. ## Querying with Amazon Athena Amazon Athena is a serverless interactive query service that makes it easy to analyze data using standard SQL. Use the following steps to query S3 Storage Lens data in Athena. **Note** In all query examples, replace `lens_my-config_exp` with your actual Storage Lens configuration namespace. For more information about namespace naming, see [Table naming for S3 Storage Lens export to S3 Tables](storage-lens-s3-tables-naming.md) . ### Example: Query top storage consumers The following query identifies the top 10 buckets by storage consumption: ``` SELECT bucket_name, storage_class, SUM(storage_bytes) / POWER(1024, 3) AS storage_gb, SUM(object_count) AS objects FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics" WHERE report_time = ( SELECT MAX(report_time) FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics" ) AND record_type = 'BUCKET' AND bucket_name != '' GROUP BY bucket_name, storage_class ORDER BY storage_gb DESC LIMIT 10 ``` ### Example: Analyze storage growth over time The following query analyzes storage growth over the last 30 days: ``` SELECT CAST(report_time AS date) AS report_date, SUM(storage_bytes) / POWER(1024, 3) AS total_storage_gb FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics" WHERE report_time >= current_date - interval '30' day AND record_type = 'ACCOUNT' GROUP BY CAST(report_time AS date) ORDER BY report_date DESC; ``` ### Example: Identify incomplete multipart uploads The following query finds buckets with incomplete multipart uploads older than 7 days: ``` SELECT bucket_name, SUM(incomplete_mpu_storage_older_than_7_days_bytes) / POWER(1024, 3) AS wasted_storage_gb, SUM(incomplete_mpu_object_older_than_7_days_count) AS wasted_objects FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics" WHERE report_time = ( SELECT MAX(report_time) FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics" ) AND record_type = 'BUCKET' AND incomplete_mpu_storage_older_than_7_days_bytes > 0 GROUP BY bucket_name ORDER BY wasted_storage_gb DESC; ``` ### Example: Find cold data candidates The following query identifies prefixes with no activity in the last 100 days that are stored in hot storage tiers: ``` WITH recent_activity AS ( SELECT DISTINCT bucket_name, record_value AS prefix_path FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."expanded_prefixes_activity_metrics" WHERE report_time >= current_date - interval '100' day AND record_type = 'PREFIX' AND all_request_count > 0 ) SELECT s.bucket_name, s.record_value AS prefix_path, s.storage_class, SUM(s.storage_bytes) / POWER(1024, 3) AS storage_gb FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."expanded_prefixes_storage_metrics" s LEFT JOIN recent_activity r ON s.bucket_name = r.bucket_name AND s.record_value = r.prefix_path WHERE s.report_time = ( SELECT MAX(report_time) FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."expanded_prefixes_storage_metrics" ) AND s.record_type = 'PREFIX' AND s.storage_class IN ('STANDARD', 'REDUCED_REDUNDANCY') AND s.storage_bytes > 1073741824 -- > 1GB AND r.prefix_path IS NULL -- No recent activity GROUP BY s.bucket_name, s.record_value, s.storage_class ORDER BY storage_gb DESC LIMIT 20; ``` ### Example: Analyze request patterns The following query analyzes request patterns to understand access frequency: ``` SELECT bucket_name, SUM(all_request_count) AS total_requests, SUM(get_request_count) AS get_requests, SUM(put_request_count) AS put_requests, ROUND(100.0 * SUM(get_request_count) / NULLIF(SUM(all_request_count), 0), 2) AS get_percentage, SUM(downloaded_bytes) / POWER(1024, 3) AS downloaded_gb FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_activity_metrics" WHERE report_time >= current_date - interval '7' day AND record_type = 'BUCKET' AND bucket_name != '' GROUP BY bucket_name HAVING SUM(all_request_count) > 0 ORDER BY total_requests DESC LIMIT 10; ``` ## Querying with Apache Spark on Amazon EMR Amazon EMR provides a managed Hadoop framework that makes it easy to process vast amounts of data using Apache Spark. You can use the Iceberg connector to read S3 Storage Lens tables directly. ### Read S3 Tables with Spark Use the following Python code to read S3 Storage Lens data with Spark: ``` from pyspark.sql import SparkSession spark = SparkSession.builder \ .appName("S3StorageLensAnalysis") \ .config("spark.sql.catalog.s3tablescatalog", "org.apache.iceberg.spark.SparkCatalog") \ .config("spark.sql.catalog.s3tablescatalog.catalog-impl", "org.apache.iceberg.aws.glue.GlueCatalog") \ .getOrCreate() # Read S3 Storage Lens data df = spark.read \ .format("iceberg") \ .load("s3tablescatalog/aws-s3.lens_my-config_exp.default_storage_metrics") # Analyze data df.filter("record_type = 'BUCKET'") \ .groupBy("bucket_name", "storage_class") \ .sum("storage_bytes") \ .orderBy("sum(storage_bytes)", ascending=False) \ .show(10) ``` ## Query optimization best practices Follow these best practices to optimize query performance and reduce costs: + **Filter by report\$1time** – Always include date filters to reduce the amount of data scanned. This is especially important for tables with long retention periods. ``` WHERE report_time >= current_date - interval '7' day ``` + **Use record\$1type filters** – Specify the appropriate aggregation level (ACCOUNT, BUCKET, PREFIX) to query only the data you need. ``` WHERE record_type = 'BUCKET' ``` + **Include LIMIT clauses** – Use LIMIT for exploratory queries to control result size and reduce query costs. ``` LIMIT 100 ``` + **Filter empty records** – Use conditions to exclude empty or zero-value records. ``` WHERE storage_bytes > 0 ``` + **Use the latest data** – When analyzing current state, filter for the most recent report\$1time to avoid scanning historical data. ``` WHERE report_time = (SELECT MAX(report_time) FROM table_name) ``` ### Example optimized query pattern The following query demonstrates best practices for optimization: ``` SELECT bucket_name, SUM(storage_bytes) / POWER(1024, 3) AS storage_gb FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics" WHERE report_time >= current_date - interval '7' day -- Date filter AND record_type = 'BUCKET' -- Record type filter AND storage_bytes > 0 -- Non-empty filter AND bucket_name != '' -- Non-empty filter GROUP BY bucket_name ORDER BY storage_gb DESC LIMIT 100; -- Result limit ``` ## Troubleshooting ### Query returns no results **Problem:** Your query completes successfully but returns no results. **Solution:** + Verify that data is available by checking the latest report\$1time: ``` SELECT MAX(report_time) AS latest_data FROM "s3tablescatalog/aws-s3"."lens_my-config_exp"."default_storage_metrics"; ``` + Ensure that you're using the correct namespace name. Use `SHOW TABLES IN `lens_my-config_exp`;` to list available tables. + Wait 24-48 hours after enabling S3 Tables export for the first data to be available. ### Access denied errors **Problem:** You receive access denied errors when running queries. **Solution:** Verify that AWS Lake Formation permissions are correctly configured. For more information, see [Integrating Amazon S3 Tables with AWS analytics services.](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html) ## Next steps + Learn about [Using AI assistants with S3 Storage Lens tables](storage-lens-s3-tables-ai-tools.md) + Review the [Amazon S3 Storage Lens metrics glossary](storage_lens_metrics_glossary.md) for metric definitions + Explore [Amazon S3 Storage Lens metrics use cases](storage-lens-use-cases.md) for more analysis ideas + Learn about [Amazon Athena](https://docs.aws.amazon.com/athena/latest/ug/what-is.html) for serverless querying # Using AI assistants with S3 Storage Lens tables Using AI assistants You can use AI assistants and conversational AI tools to interact with your S3 Storage Lens data exported to S3 Tables using natural language. By leveraging the Model Context Protocol (MCP) and the MCP Server for Amazon S3 Tables, you can query, analyze, and gain insights from your storage data without writing SQL queries. ## Overview Model Context Protocol (MCP) is a standardized way for AI applications to access and utilize contextual information. The MCP Server for Amazon S3 Tables provides tools that enable AI assistants to interact with your S3 Tables data using natural language interfaces. This democratizes data access and enables individuals across technical skill levels to work with S3 Storage Lens metrics. With the MCP Server for S3 Tables, you can use natural language to: + List S3 table buckets, namespaces, and tables + Query S3 Storage Lens metrics and get insights + Analyze storage trends and patterns + Identify cost optimization opportunities + Generate reports and visualizations ## Supported AI assistants The MCP Server for S3 Tables works with various AI assistants that support the Model Context Protocol, including: + **Kiro** - An AI coding assistant with built-in MCP support + **Amazon Q Developer** - AWS's AI-powered assistant for developers + **Cline** - An AI coding assistant with MCP integration + **Claude Desktop** - Anthropic's desktop application with MCP support + **Cursor** - An AI-powered code editor **Important** AI-generated SQL queries and recommendations should be reviewed and validated before use. Verify that queries are appropriate for your data structure, use case, and performance requirements. Always test recommendations in a non-production environment before implementing them in production. ## Setting up Kiro with S3 Storage Lens tables Kiro is an AI coding assistant that provides seamless integration with S3 Tables through the MCP Server. Kiro can help you install and configure the MCP Server directly through its interface, simplifying the setup process. For more information about Kiro, see [Kiro AI](https://kiro.ai/). ### Prerequisites Before you begin, ensure that you have: + Kiro installed on your system. Download from [https://kiro.ai/](https://kiro.ai/) + AWS CLI configured with appropriate credentials + An S3 Storage Lens configuration with S3 Tables export enabled + Permissions to query S3 Tables. For more information, see [Permissions for S3 Storage Lens tables](storage-lens-s3-tables-permissions.md). ### Step 1: Install the S3 Tables MCP Server You can install the S3 Tables MCP Server in two ways: **Option 1: Using Kiro's built-in MCP server management** Kiro can help you discover and install MCP servers directly through its interface: 1. Open Kiro 1. Access the MCP server management interface (typically through settings or command palette) 1. Search for "S3 Tables" or "awslabs.s3-tables-mcp-server" 1. Follow Kiro's prompts to install and configure the server **Option 2: Manual installation using uvx** Alternatively, you can manually install the MCP Server using `uvx`, a Python package runner: ``` uvx awslabs.s3-tables-mcp-server@latest ``` For more information about installing the MCP Server, see the [AWS S3 Tables MCP Server documentation](https://awslabs.github.io/mcp/servers/s3-tables-mcp-server). ### Step 2: Configure Kiro MCP settings Create or update your Kiro MCP configuration file at `~/.kiro/settings/mcp.json` with the following content: ``` { "mcpServers": { "awslabs.s3-tables-mcp-server": { "command": "uvx", "args": ["awslabs.s3-tables-mcp-server@latest"], "env": { "AWS_PROFILE": "your-aws-profile", "AWS_REGION": "us-east-1" } } } } ``` Replace `your-aws-profile` with your AWS CLI profile name and `us-east-1` with your AWS Region. ### Step 3: Verify the configuration After configuring the MCP Server, restart Kiro and verify that the S3 Tables tools are available. You can check the available MCP servers in Kiro's settings or by asking Kiro to list available tools. ## Example use cases with AI assistants The following examples demonstrate how to use natural language prompts with AI assistants to interact with S3 Storage Lens data. ### Example 1: Query top storage consumers **Prompt:** "Show me the top 10 buckets by storage consumption from my S3 Storage Lens data." The AI assistant will use the MCP Server to query your S3 Storage Lens tables and return the results, including bucket names, storage classes, and storage amounts. ### Example 2: Analyze storage growth **Prompt:** "Analyze my storage growth over the last 30 days and show me the trend." The AI assistant will query the storage metrics table, calculate daily storage totals, and present the growth trend. ### Example 3: Identify cost optimization opportunities **Prompt:** "Find buckets with incomplete multipart uploads older than 7 days that are wasting storage." The AI assistant will query the storage metrics table for incomplete multipart uploads and provide a list of buckets with potential cost savings. ### Example 4: Find cold data candidates **Prompt:** "Identify prefixes with no activity in the last 100 days that are stored in hot storage tiers." The AI assistant will analyze both storage and activity metrics to identify data that could be moved to colder storage tiers for cost optimization. ### Example 5: Generate storage reports **Prompt:** "Create a summary report of my S3 storage showing total storage, object counts, and request patterns for the last week." The AI assistant will query multiple tables, aggregate the data, and generate a comprehensive report. ## Best practices for using AI assistants Follow these best practices when using AI assistants with S3 Storage Lens data: + **Be specific in your prompts** - Provide clear, specific instructions about what data you want to analyze and what insights you're looking for. + **Verify AI-generated queries** - Always review and validate the SQL queries and recommendations that the AI assistant generates before executing them or taking action. AI assistants may occasionally produce incorrect queries or recommendations that need to be verified against your specific use case and data. + **Use appropriate permissions** - Ensure that the IAM credentials used by the AI assistant have only the necessary permissions. For read-only analysis, grant only SELECT permissions. + **Monitor usage** - Track the queries executed by AI assistants using AWS CloudTrail to maintain audit trails. + **Start with simple queries** - Begin with straightforward queries to understand how the AI assistant interprets your prompts, then progress to more complex analysis. ## Logging and traceability When using the S3 Tables MCP Server with AI assistants, you have multiple ways to audit operations: + **Local logs** - The MCP Server logs requests and responses locally. You can specify a log directory using the `--log-dir` configuration option. + **AWS CloudTrail** - All S3 Tables operations via the MCP Server using PyIceberg will have `awslabs/mcp/s3-tables-mcp-server/` as the user agent string. You can filter CloudTrail logs by this user agent to trace actions performed by AI assistants. + **AI assistant history** - AI assistants like Kiro and Cline maintain history logs that record natural language requests, LLM responses, and instructions provided to the MCP Server. ## Security considerations When using AI assistants with S3 Storage Lens data, follow these security best practices: + **Use least privilege access** - Grant AI assistants only the minimum permissions required for their tasks. + **Enable MFA** - Use multi-factor authentication for AWS accounts that AI assistants access. + **Review permissions regularly** - Periodically audit the permissions granted to AI assistants and revoke unnecessary access. + **Use separate credentials** - Consider using separate AWS credentials for AI assistant access to facilitate tracking and auditing. + **Avoid sharing sensitive data** - Be cautious about sharing sensitive information in prompts to AI assistants, especially when using cloud-based AI services. ## Troubleshooting ### AI assistant cannot connect to S3 Tables **Problem:** The AI assistant reports that it cannot connect to S3 Tables or the MCP Server is not responding. **Solution:** + Verify that the MCP Server is correctly installed using `uvx awslabs.s3-tables-mcp-server@latest --version` + Check that your AWS credentials are configured correctly + Ensure that the MCP configuration file has the correct AWS profile and region ### Access denied errors **Problem:** The AI assistant receives access denied errors when querying S3 Storage Lens tables. **Solution:** + Verify that analytics integration is enabled on the `aws-s3` table bucket + Check that Lake Formation permissions are correctly configured + Ensure that the AWS credentials have the necessary IAM permissions ### Incorrect or unexpected results **Problem:** The AI assistant returns incorrect or unexpected results. **Solution:** + Review the SQL query generated by the AI assistant + Verify that you're using the correct namespace name for your Storage Lens configuration + Check that data is available by querying the latest report\$1time + Refine your prompt to be more specific about what you want to analyze ## Additional resources For more information about using AI assistants with S3 Tables, see the following resources: + [Kiro AI](https://kiro.ai/) - AI coding assistant with built-in MCP support + [Implementing conversational AI for S3 Tables using Model Context Protocol (MCP)](https://aws.amazon.com/blogs/storage/implementing-conversational-ai-for-s3-tables-using-model-context-protocol-mcp/) - AWS Storage Blog + [AWS S3 Tables MCP Server documentation](https://awslabs.github.io/mcp/servers/s3-tables-mcp-server) + [Model Context Protocol specification](https://modelcontextprotocol.io/) # Using Amazon S3 Storage Lens with AWS Organizations Working with Organizations Amazon S3 Storage Lens is a cloud-storage analytics feature that you can use to gain organization-wide visibility into object-storage usage and activity. You can use S3 Storage Lens metrics to generate summary insights, such as finding out how much storage you have across your entire organization or which are the fastest-growing buckets and prefixes. You can also use Amazon S3 Storage Lens to collect storage metrics and usage data for all AWS accounts that are part of your AWS Organizations hierarchy. To do this, you must be using AWS Organizations, and you must enable S3 Storage Lens trusted access by using your AWS Organizations management account. After enabling trusted access, add delegated administrator access to accounts in your organization. The delegated administrator accounts are used to create S3 Storage Lens configurations and dashboards that collect organization-wide storage metrics and user data. For more information about enabling trusted access, see [Amazon S3 Storage Lens and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/services-that-can-integrate-s3lens.html) in the *AWS Organizations User Guide*. **Topics** + [ # Enabling trusted access for S3 Storage Lens ](storage_lens_with_organizations_enabling_trusted_access.md) + [ # Disabling trusted access for S3 Storage Lens ](storage_lens_with_organizations_disabling_trusted_access.md) + [ # Registering a delegated administrator for S3 Storage Lens ](storage_lens_with_organizations_registering_delegated_admins.md) + [ # Deregistering a delegated administrator for S3 Storage Lens ](storage_lens_with_organizations_deregistering_delegated_admins.md) # Enabling trusted access for S3 Storage Lens Enabling trusted access By enabling trusted access, you allow Amazon S3 Storage Lens to access your AWS Organizations hierarchy, membership, and structure through AWS Organizations API operations. S3 Storage Lens then becomes a trusted service for your entire organization's structure. Whenever a dashboard configuration is created, S3 Storage Lens creates service-linked roles in your organization's management or delegated administrator accounts. The service-linked role grants S3 Storage Lens permission to perform the following actions: + Describe organizations + List accounts + Verify a list of AWS service access for the organizations + Get delegated administrators for the organizations S3 Storage Lens can then ensure that it has access to collect the cross-account metrics for the accounts in your organization. For more information, see [ Using service-linked roles for Amazon S3 Storage Lens](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-service-linked-roles.html). After enabling trusted access, you can assign delegated administrator access to accounts in your organization. When an account is marked as a delegated administrator for a service, the account receives authorization to access all read-only organization API operations. This access provides the delegated administrator visibility to the members and structures of your organization so that they too can create S3 Storage Lens dashboards. **Note** Trusted access can only be enabled by the [management account](https://docs.aws.amazon.com/managedservices/latest/userguide/management-account.html). Only the management account and delegated administrators can create S3 Storage Lens dashboards or configurations for your organization. # Using the S3 console **To enable S3 Storage Lens to have AWS Organizations trusted access** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. On the left navigation pane, navigate to **Storage Lens**. 1. Choose **AWS Organizations settings**. The **AWS Organizations access for Storage Lens** page displays. 1. Under **AWS Organizations trusted access**, choose **Edit**. The **AWS Organizations access** page displays. 1. Choose **Enable** to enable trusted access for your S3 Storage Lens dashboard. 1. Choose **Save changes**. # Using the AWS CLI **Example** The following example shows you how to enable AWS Organizations trusted access for S3 Storage Lens in AWS CLI. ``` aws organizations enable-aws-service-access --service-principal storage-lens.s3.amazonaws.com ``` # Using the AWS SDK for Java **Example – Enable AWS Organizations trusted access for S3 Storage Lens using SDK for Java** The following example shows you how to enable trusted access for S3 Storage Lens in SDK for Java. To use this example, replace the `user input placeholders` with your own information. ``` import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.organizations.AWSOrganizations; import com.amazonaws.services.organizations.AWSOrganizationsClient; import com.amazonaws.services.organizations.model.EnableAWSServiceAccessRequest; public class EnableOrganizationsTrustedAccess { private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com"; public static void main(String[] args) { try { AWSOrganizations organizationsClient = AWSOrganizationsClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(Regions.US_EAST_1) .build(); organizationsClient.enableAWSServiceAccess(new EnableAWSServiceAccessRequest() .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL)); } catch (AmazonServiceException e) { // The call was transmitted successfully, but AWS Organizations couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // AWS Organizations couldn't be contacted for a response, or the client // couldn't parse the response from AWS Organizations. e.printStackTrace(); } } } ``` # Disabling trusted access for S3 Storage Lens Disabling trusted access Removing an account as a delegated administrator or disabling trusted access limits the account owner's S3 Storage Lens dashboard metrics to work only on an account level. Each account holder is then only be able to see the benefits of S3 Storage Lens through the limited scope of their account, and not their entire organization. When you disable trusted access in S3 Storage Lens, any dashboards requiring trusted access are no longer updated. Any organizational dashboards that are created are also no longer updated. Instead, you're only able to query [historic data for the S3 Storage Lens dashboard](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_basics_metrics_recommendations.html#storage_lens_basics_data_queries), while the data is still available. **Note** Disabling trusted access for S3 Storage Lens also automatically stops all organization-level dashboards from collecting and aggregating storage metrics. This is because S3 Storage Lens no longer has trusted access to the organization accounts. Your management and delegate administrator accounts can still see the historic data for any disabled dashboards. They can also query this historic data while it is still available. # Using the S3 console **To disable trusted access for S3 Storage Lens** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. On the left navigation pane, navigate to **Storage Lens**. 1. Choose **AWS Organizations settings**. The **AWS Organizations access for Storage Lens** page displays. 1. Under **AWS Organizations trusted access**, choose **Edit**. The **AWS Organizations access** page displays. 1. Choose **Disable** to disable trusted access for your S3 Storage Lens dashboard. 1. Choose **Save changes**. # Using the AWS CLI **Example** The following example disables trusted access for S3 Storage Lens using the AWS CLI. ``` aws organizations disable-aws-service-access --service-principal storage-lens.s3.amazonaws.com ``` # Using the AWS SDK for Java **Example – Disable AWS Organizations trusted access for S3 Storage Lens** The following example shows you how to disable AWS Organizations trusted access for S3 Storage Lens in SDK for Java. To use this example, replace the `user input placeholders` with your own information. ``` import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.organizations.AWSOrganizations; import com.amazonaws.services.organizations.AWSOrganizationsClient; import com.amazonaws.services.organizations.model.DisableAWSServiceAccessRequest; public class DisableOrganizationsTrustedAccess { private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com"; public static void main(String[] args) { try { AWSOrganizations organizationsClient = AWSOrganizationsClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(Regions.US_EAST_1) .build(); // Make sure to remove any existing delegated administrator for S3 Storage Lens // before disabling access; otherwise, the request will fail. organizationsClient.disableAWSServiceAccess(new DisableAWSServiceAccessRequest() .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL)); } catch (AmazonServiceException e) { // The call was transmitted successfully, but AWS Organizations couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // AWS Organizations couldn't be contacted for a response, or the client // couldn't parse the response from AWS Organizations. e.printStackTrace(); } } } ``` # Registering a delegated administrator for S3 Storage Lens Registering a delegated administrator You can create organization-level dashboards by using your organization’s management account or delegated administrator accounts. Delegated administrator accounts allow other accounts besides your management account to create organization-level dashboards. Only the management account of an organization can register and deregister other accounts as delegated administrators for the organization. After enabling trusted access, you can register delegate administrator access to accounts in your organization by using the AWS Organizations REST API, AWS CLI, or SDKs from the [management account](https://docs.aws.amazon.com/managedservices/latest/userguide/management-account.html). (For more information, see [https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) in the *AWS Organizations API Reference*.) When an account is registered as a delegated administrator, the account receives authorization to access all read-only AWS Organizations API operations. This provides visibility to the members and structures of your organization so that they can create S3 Storage Lens dashboards on your behalf. **Note** Before you can designate a delegated administrator by using the AWS Organizations REST API, AWS CLI, or SDKs, you must call the [https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html](https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html) operation. # Using the S3 console **To register delegated administrators for S3 Storage Lens** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. On the left navigation pane, navigate to **Storage Lens**. 1. Choose **AWS Organizations settings**. 1. Under **Delegated administrators**, choose **Register account**. 1. Add an AWS account ID to register the account as a delegated administrator. The delegated administrator is able to create organization-level dashboards for all accounts and storage in your organization. 1. Choose **Register account**. # Using the AWS CLI **Example** The following example shows you how to register Organizations delegated administrators for S3 Storage Lens using the AWS CLI. To use this example, replace the `user input placeholders` with your own information. ``` aws organizations register-delegated-administrator --service-principal storage-lens.s3.amazonaws.com --account-id 111122223333 ``` # Using the AWS SDK for Java **Example – Register Organizations delegated administrators for S3 Storage Lens** The following example shows you how to register AWS Organizations delegated administrators for S3 Storage Lens in SDK for Java. To use this example, replace the `user input placeholders` with your own information. ``` import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.organizations.AWSOrganizations; import com.amazonaws.services.organizations.AWSOrganizationsClient; import com.amazonaws.services.organizations.model.RegisterDelegatedAdministratorRequest; public class RegisterOrganizationsDelegatedAdministrator { private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com"; public static void main(String[] args) { try { String delegatedAdminAccountId = "111122223333"; // Account Id for the delegated administrator. AWSOrganizations organizationsClient = AWSOrganizationsClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(Regions.US_EAST_1) .build(); organizationsClient.registerDelegatedAdministrator(new RegisterDelegatedAdministratorRequest() .withAccountId(delegatedAdminAccountId) .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL)); } catch (AmazonServiceException e) { // The call was transmitted successfully, but AWS Organizations couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // AWS Organizations couldn't be contacted for a response, or the client // couldn't parse the response from AWS Organizations. e.printStackTrace(); } } } ``` # Deregistering a delegated administrator for S3 Storage Lens Deregistering a delegated administrator After enabling trusted access, you can also deregister delegate administrator access to accounts in your organization. Delegated administrator accounts allow other accounts besides your [management account](https://docs.aws.amazon.com/managedservices/latest/userguide/management-account.html) to create organization-level dashboards. Only the management account of an organization can deregister accounts as delegated administrators for the organization. You can deregister a delegated administrator by using the AWS Organizations AWS Management Console, REST API, AWS CLI, or AWS SDKS from the management account. For more information, see [https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html) in the *AWS Organizations API Reference*. When an account is deregistered as a delegated administrator, the account loses access to the following: + All read-only AWS Organizations API operations that provide visibility to the members and structures of your organization. + All organization-level dashboards created by the delegated administrator. Deregistering a delegated administrator also automatically stops all organization-level dashboards created by that delegated administrator from aggregating new storage metrics. **Note** The deregistered delegated administrator will still be able to see the historic data for the disabled dashboards that they created if data is still available for querying. # Using the S3 console **To deregister delegated administrators for S3 Storage Lens** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. On the left navigation pane, navigate to **Storage Lens**. 1. Choose **AWS Organizations settings**. 1. Under **Delegated administrators**, choose the account that you wish to deregister. 1. Choose **De-register account**. The deregistered account is no longer a delegated administrator and is now unable to create organization-level dashboards for all accounts and storage in your organization. 1. Choose **Register account**. # Using the AWS CLI **Example** The following example shows you how to deregister Organizations delegated administrators for S3 Storage Lens using the AWS CLI. To use this example, replace `111122223333` with your own AWS account ID. ``` aws organizations deregister-delegated-administrator --service-principal storage-lens.s3.amazonaws.com --account-id 111122223333 ``` # Using the AWS SDK for Java **Example – Deregister Organizations delegated administrators for S3 Storage Lens** The following example shows you how to deregister Organizations delegated administrators for S3 Storage Lens using SDK for Java. To use this example, replace the `user input placeholders` with your own information. ``` import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.regions.Regions; import com.amazonaws.services.organizations.AWSOrganizations; import com.amazonaws.services.organizations.AWSOrganizationsClient; import com.amazonaws.services.organizations.model.DeregisterDelegatedAdministratorRequest; public class DeregisterOrganizationsDelegatedAdministrator { private static final String S3_STORAGE_LENS_SERVICE_PRINCIPAL = "storage-lens.s3.amazonaws.com"; public static void main(String[] args) { try { String delegatedAdminAccountId = "111122223333"; // Account Id for the delegated administrator. AWSOrganizations organizationsClient = AWSOrganizationsClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(Regions.US_EAST_1) .build(); organizationsClient.deregisterDelegatedAdministrator(new DeregisterDelegatedAdministratorRequest() .withAccountId(delegatedAdminAccountId) .withServicePrincipal(S3_STORAGE_LENS_SERVICE_PRINCIPAL)); } catch (AmazonServiceException e) { // The call was transmitted successfully, but AWS Organizations couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // AWS Organizations couldn't be contacted for a response, or the client // couldn't parse the response from AWS Organizations. e.printStackTrace(); } } } ``` # Working with S3 Storage Lens groups to filter and aggregate metrics Working with Storage Lens groups An Amazon S3 Storage Lens group aggregates metrics using custom filters based on object metadata. Storage Lens groups help you drill down into characteristics of your data, such as distribution of objects by age, your most common file types, and more. For example, you can filter metrics by object tag to identify your fastest-growing datasets, or visualize your storage based on object size and age to inform your storage archive strategy. As a result, Amazon S3 Storage Lens groups helps you to better understand and optimize your S3 storage. When you use Storage Lens groups, you can analyze and filter S3 Storage Lens metrics using object metadata such as prefixes, suffixes, [object tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html), object size, or object age. You can also apply a combination of these filters. After you attach your Storage Lens group to your S3 Storage Lens dashboard, you can view S3 Storage Lens metrics aggregated by Amazon S3 Storage Lens groups directly in your dashboard. For example, you can also filter your metrics by object size or age bands to determine which portion of your storage consists of small objects. You can then use this information with S3 Intelligent-Tiering or S3 Lifecycle to transition small objects to different storage classes for cost and storage optimization. **Topics** + [ # How S3 Storage Lens groups work ](storage-lens-groups.md) + [ # Using Storage Lens groups ](storage-lens-group-tasks.md) # How S3 Storage Lens groups work How Storage Lens groups work You can use Storage Lens groups to aggregate metrics using custom filters based on object metadata. When you define a custom filter, you can use prefixes, suffixes, object tags, object sizes, object age, or a combination of these custom filters. During Storage Lens group creation, you can also include a single filter or multiple filter conditions. To specify multiple filter conditions, you use `And` or `Or` logical operators. When you create and configure a Storage Lens group, the Storage Lens group itself acts as a custom filter in the dashboard that you attach the group to. In your dashboard, you can then use the Storage Lens group filter to obtain storage metrics based on the custom filter that you defined in the group. To view the data for your Storage Lens group in your S3 Storage Lens dashboard, you must attach the group to the dashboard after you've created the group. After your Storage Lens group is attached to your Storage Lens dashboard, your dashboard will collect storage usage metrics within 48 hours. You can then visualize this data in the Storage Lens dashboard or export it through a metrics export. If you forget to attach a Storage Lens group to a dashboard, your Storage Lens group data won’t be captured or displayed anywhere. **Note** When you create a S3 Storage Lens group, you're creating an AWS resource. Therefore, each Storage Lens group has its own Amazon Resource Name (ARN), which you can specify when [attaching it to or excluding it from a S3 Storage Lens dashboard](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-dashboard-console.html). If your Storage Lens group isn't attached to a dashboard, you won't incur any additional charges for creating a Storage Lens group. S3 Storage Lens aggregates usage metrics for an object under all matching Storage Lens groups. Therefore, if an object matches the filter conditions for two or more Storage Lens groups, you will see repeated counts for the same object across your storage usage. You can create a Storage Lens group at the account level in a specified home Region (from the list of supported AWS Regions). Then, you can attach your Storage Lens group to multiple Storage Lens dashboards, as long as the dashboards are in the same AWS account and home Region. You can create up to 50 Storage Lens groups per home Region in each AWS account. You can create and manage S3 Storage Lens groups by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), AWS SDKs, or the Amazon S3 REST API. **Topics** + [ ## Viewing Storage Lens group aggregated metrics ](#storage-lens-group-aggregation) + [ ## Storage Lens groups permissions ](#storage-lens-group-permissions) + [ ## Storage Lens groups configuration ](#storage-lens-groups-configuration) + [ ## AWS resource tags ](#storage-lens-group-resource-tags) + [ ## Storage Lens groups metrics export ](#storage-lens-groups-metrics-export) ## Viewing Storage Lens group aggregated metrics You can view the aggregated metrics for your Storage Lens groups by attaching the groups to a dashboard. The Storage Lens groups that you want to attach must reside within the designated home Region in the dashboard account. To attach a Storage Lens group to a dashboard, you must specify the group in the **Storage Lens group aggregation** section of your dashboard configuration. If you have several Storage Lens groups, you can filter the **Storage Lens group aggregation** results to include or exclude only the groups that you want. For more information about attaching groups to your dashboards, see [Attaching or removing S3 Storage Lens groups to or from your dashboard](storage-lens-groups-dashboard-console.md). After you've attached your groups, you will see the additional Storage Lens group aggregation data in your dashboard within 48 hours. **Note** To view aggregated metrics for your Storage Lens group, you must attach the group to an S3 Storage Lens dashboard. ## Storage Lens groups permissions Storage Lens groups require certain permissions in AWS Identity and Access Management (IAM) to authorize access to S3 Storage Lens group actions. To grant these permissions, you can use an identity-based IAM policy. You can attach this policy to IAM users, groups, or roles to grant them permissions. Such permissions can include the ability to create or delete Storage Lens groups, view their configurations, or manage their tags. The IAM user or role that you grant permissions to must belong to the account that created or owns the Storage Lens group. To use Storage Lens groups and to view your Storage Lens groups metrics, you must first have the appropriate permissions to use S3 Storage Lens. For more information, see [Setting Amazon S3 Storage Lens permissions](storage_lens_iam_permissions.md). To create and manage S3 Storage Lens groups, you must have the following IAM permissions, depending on which actions you want to perform: | Action | IAM permissions | | --- | --- | | Create a new Storage Lens group | `s3:CreateStorageLensGroup` | | Create a new Storage Lens group with tags | `s3:CreateStorageLensGroup`, `s3:TagResource` | | Update an existing Storage Lens group | `s3:UpdateStorageLensGroup` | | Return the details of a Storage Lens group configuration | `s3:GetStorageLensGroup` | | List all Storage Lens groups in your home Region | `s3:ListStorageLensGroups` | | Delete a Storage Lens group | `s3:DeleteStorageLensGroup` | | List the tags that were added to your Storage Lens group | `s3:ListTagsForResource` | | Add or update a Storage Lens group tag for an existing Storage Lens group | `s3:TagResource` | | Delete a tag from a Storage Lens group | `s3:UntagResource` | Here's an example of how to configure your IAM policy in the account that creates the Storage Lens group. To use this policy, replace `us-east-1` with the home Region that your Storage Lens group is located in. Replace `111122223333` with your AWS account ID, and replace `example-storage-lens-group` with the name of your Storage Lens group. To apply these permissions to all Storage Lens groups, replace `example-storage-lens-group` with an `*`. ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "EXAMPLE-Statement-ID", "Effect": "Allow", "Action": [ "s3:CreateStorageLensGroup", "s3:UpdateStorageLensGroup", "s3:GetStorageLensGroup", "s3:ListStorageLensGroups", "s3:DeleteStorageLensGroup, "s3:TagResource", "s3:UntagResource", "s3:ListTagsForResource" ], "Resource": "arn:aws:s3:us-east-1:111122223333:storage-lens-group/example-storage-lens-group" } ] } ``` For more information about S3 Storage Lens permissions, see [Setting Amazon S3 Storage Lens permissions](storage_lens_iam_permissions.md). For more information about IAM policy language, see [Policies and permissions in Amazon S3](access-policy-language-overview.md). ## Storage Lens groups configuration ### S3 Storage Lens group name We recommend giving your Storage Lens groups names that indicate their purpose so that you can easily determine which groups you want to attach to your dashboards. To [attach a Storage Lens group to a dashboard](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-dashboard-console.html), you must specify the group in the **Storage Lens group aggregation** section of the dashboard configuration. Storage Lens group names must be unique within the account. They must not exceed 64 characters, and can contain only letters (a-z, A-Z), numbers (0-9), hyphens (`-`), and underscores (`_`). ### Home Region The home Region is the AWS Region where your Storage Lens group is created and maintained. Your Storage Lens group is created in the same home Region as your Amazon S3 Storage Lens dashboard. The Storage Lens group configuration and metrics are also stored in this Region. You can create up to 50 Storage Lens groups in a home Region. After you create your Storage Lens group, you can’t edit the home Region. ### Scope To include objects in your Storage Lens group, they must be in scope for your Amazon S3 Storage Lens dashboard. The scope of your Storage Lens dashboard is determined by the buckets that you included in the **Dashboard scope** of your S3 Storage Lens dashboard configuration. You can use different filters for your objects to define the scope of your Storage Lens group. To view these Storage Lens group metrics in your S3 Storage Lens dashboard, objects must match the filters that you include in your Storage Lens groups. For example, suppose that your Storage Lens group includes objects with the prefix `marketing` and the suffix `.png`, but no objects match those criteria. In this case, metrics for this Storage Lens group won't be generated in your daily metrics export, and no metrics for this group will be visible in your dashboard. ### Filters You can use the following filters in an S3 Storage Lens group: + **Prefixes** – Specifies the [prefix](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html) of included objects, which is a string of characters at the beginning of the object key name. For example, a value of `images` for the **Prefixes** filter includes objects with any of the following prefixes: `images/`, `images-marketing`, and `images/production`. The maximum length of a prefix is 1,024 bytes. + **Suffixes** – Specifies the suffix of included objects (for example, `.png`, `.jpeg`, or `.csv`). The maximum length of a suffix is 1,024 bytes. + **Object tags** – Specifies the list of [object tags](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html) that you want to filter on. A tag key can't exceed 128 Unicode characters, and a tag value can’t exceed 256 Unicode characters. Note that if the object tag value field is left empty, S3 Storage Lens groups only matches the object to other objects that also have empty tag values. + **Age** – Specifies the object age range of included objects in days. Only integers are supported. + **Size** – Specifies the object size range of included objects in bytes. Only integers are supported. The maximum allowable value is 50 TB. ### Storage Lens group object tags You can [create a Storage Lens group](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-create.html) that includes up to 10 object tag filters. The following example includes two object tag key-value pairs as filters for a Storage Lens group that's named `Marketing-Department`. To use this example, replace `Marketing-Department` with the name of your group, and replace `object-tag-key-1`, `object-tag-value-1`, and so on with the object tag key-value pairs that you want to filter on. ``` { "Name": "Marketing-Department", "Filter": { "MatchAnyTag":[ { "Key": "object-tag-key-1", "Value": "object-tag-value-1" }, { "Key": "object-tag-key-2", "Value": "object-tag-value-2" } ] } } ``` ### Logical operators (`And` or `Or`) To include multiple filter conditions in your Storage Lens group, you can use logical operators (either `And` or `Or`). In the following example, the Storage Lens group that's named `Marketing-Department` has an `And` operator that contains `Prefix`, `ObjectAge`, and `ObjectSize` filters. Because an `And` operator is used, only objects that match **all** of these filter conditions will be included the Storage Lens group's scope. To use this example, replace the `user input placeholders` with the values that you want to filter on. ``` { "Name": "Marketing-Department", "Filter": { "And": { "MatchAnyPrefix": [ "prefix-1", "prefix-2", "prefix-3/sub-prefix-1" ], "MatchObjectAge": { "DaysGreaterThan": 10, "DaysLessThan": 60 }, "MatchObjectSize": { "BytesGreaterThan": 10, "BytesLessThan": 60 } } } } ``` **Note** If you want to include objects that match **any** of the conditions in the filters, replace the `And` logical operator with the `Or` logical operator in this example. ## AWS resource tags Each S3 Storage Lens group is counted as an AWS resource with its own Amazon Resource Name (ARN). Therefore, when you configure your Storage Lens group, you can optionally add AWS resource tags to the group. You can add up to 50 tags for each Storage Lens group. To create a Storage Lens group with tags, you must have the `s3:CreateStorageLensGroup` and `s3:TagResource` permissions. You can use AWS resource tags to categorize resources according to department, line of business, or project. Doing so is useful when you have many resources of the same type. By applying tags, you can quickly identify a specific Storage Lens group based on the tags that you've assigned to it. You can also use tags to track and allocate costs. In addition, when you add an AWS resource tag to your Storage Lens group, you activate [attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html). ABAC is an authorization strategy that defines permissions based on attributes, in this case tags. You can also use conditions that specify resource tags in your IAM policies to [control access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources). You can edit tag keys and values, and you can remove tags from a resource at any time. Also, be aware of the following limitations: + Tag keys and tag values are case sensitive. + If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. + If you delete a resource, any tags for the resource are also deleted. + Don't include private or sensitive data in your AWS resource tags. + System tags (or tags with tag keys that begin with `aws:`) aren't supported. + The length of each tag key can't exceed 128 characters. The length of each tag value can't exceed 256 characters. ## Storage Lens groups metrics export S3 Storage Lens group metrics are included in the [Amazon S3 Storage Lens metrics export](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage_lens_understanding_metrics_export_schema.html) for the dashboard that the Storage Lens group is attached to. For general information about the Storage Lens metrics export feature, see [Viewing Amazon S3 Storage Lens metrics using a data export](storage_lens_view_metrics_export.md). Your metrics export for Storage Lens groups includes any S3 Storage Lens metrics that are in scope for the dashboard that you attached the Storage Lens group to. The export also includes additional metrics data for Storage Lens groups. After you create your Storage Lens group, your metrics export is sent daily to the bucket that you selected when you configured the metrics export for the dashboard that your group is attached to. It can take up to 48 hours for you to receive the first metrics export. To generate metrics in the daily export, objects must match the filters that you include in your Storage Lens groups. If no objects match the filters that you included in your Storage Lens group, then no metrics will be generated. However, if an object matches two or more Storage Lens groups, the object is listed separately for each group when it appears in the metrics export. You can identify metrics for Storage Lens groups by looking for one of the following values in the `record_type` column of the metrics export for your dashboard: + `STORAGE_LENS_GROUP_BUCKET` + `STORAGE_LENS_GROUP_ACCOUNT` The `record_value` column displays the resource ARN for the Storage Lens group (for example, `arn:aws:s3:us-east-1:111122223333:storage-lens-group/Marketing-Department`). # Using Storage Lens groups Amazon S3 Storage Lens groups aggregates metrics using custom filters based on object metadata. You can analyze and filter S3 Storage Lens metrics using prefixes, suffixes, object tags, object size, or object age. With Amazon S3 Storage Lens groups, you can also categorize your usage within and across Amazon S3 buckets. As a result, you'll be able to better understand and optimize your S3 storage. To start visualizing the data for a Storage Lens group, you must first [attach your Storage Lens group to an S3 Storage Lens dashboard](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-dashboard-console.html#storage-lens-groups-attach-dashboard-console). If you need to manage Storage Lens groups in the dashboard, you can edit the dashboard configuration. To check which Storage Lens groups are under your account, you can list them. To check which Storage Lens groups are attached to your dashboard, you can always check the **Storage Lens groups** tab in the dashboard. To review or update the scope of an existing Storage Lens group, you can view its details. You can also permanently delete a Storage Lens group. To manage permissions, you can create and add user-defined AWS resource tags to your Storage Lens groups. You can use AWS resource tags to categorize resources according to department, line of business, or project. Doing so is useful when you have many resources of the same type. By applying tags, you can quickly identify a specific Storage Lens group based on the tags that you've assigned to it. In addition, when you add an AWS resource tag to your Storage Lens group, you activate [attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html). ABAC is an authorization strategy that defines permissions based on attributes, in this case tags. You can also use conditions that specify resource tags in your IAM policies to [control access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources). **Topics** + [ # Creating a Storage Lens group ](storage-lens-groups-create.md) + [ # Attaching or removing S3 Storage Lens groups to or from your dashboard ](storage-lens-groups-dashboard-console.md) + [ # Visualizing your Storage Lens groups data ](storage-lens-groups-visualize.md) + [ # Updating a Storage Lens group ](storage-lens-groups-update.md) + [ # Managing AWS resource tags with Storage Lens groups ](storage-lens-groups-manage-tags.md) + [ # Listing all Storage Lens groups ](storage-lens-groups-list.md) + [ # Viewing Storage Lens group details ](storage-lens-groups-view.md) + [ # Deleting a Storage Lens group ](storage-lens-groups-delete.md) # Creating a Storage Lens group Create a Storage Lens group The following examples demonstrate how to create an Amazon S3 Storage Lens group by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To create a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the navigation bar on the top of the page, choose the name of the currently displayed AWS Region. Next, choose the Region that you want to switch to. 1. In the left navigation pane, choose **Storage Lens groups**. 1. Choose **Create Storage Lens group**. 1. Under **General**, view your **Home Region** and enter your **Storage Lens group name**. 1. Under **Scope**, choose the filter that you want to apply to your Storage Lens group. To apply multiple filters, choose your filters, and then choose the **AND** or **OR** logical operator. + For the **Prefixes** filter, choose **Prefixes**, and enter a prefix string. To add multiple prefixes, choose **Add prefix**. To remove a prefix, choose **Remove** next to the prefix that you want to remove. + For the **Object tags** filter, choose **Object tags**, and enter the key-value pair for your object. Then, choose **Add tag**. To remove a tag, choose **Remove** next to the tag that you want to remove. + For the **Suffixes** filter, choose **Suffixes**, and enter a suffix string. To add multiple suffixes, choose **Add suffix**. To remove a suffix, choose **Remove** next to the suffix that you want to remove. + For the **Age** filter, specify the object age range in days. Choose **Specify minimum object age**, and enter the minimum object age. Then, choose **Specify maximum object age**, and enter the maximum object age. + For the **Size** filter, specify the object size range and unit of measurement. Choose **Specify minimum object size**, and enter the minimum object size. Choose **Specify maximum object size**, and enter the maximum object size. 1. (Optional) For AWS resource tags, add the key-value pair, and then choose **Add tag**. 1. Choose **Create Storage Lens group**. ## Using the AWS CLI The following example AWS CLI command creates a Storage Lens group. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control create-storage-lens-group --account-id 111122223333 \ --region us-east-1 --storage-lens-group=file://./marketing-department.json ``` The following example AWS CLI command creates a Storage Lens group with two AWS resource tags. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control create-storage-lens-group --account-id 111122223333 \ --region us-east-1 --storage-lens-group=file://./marketing-department.json \ --tags Key=k1,Value=v1 Key=k2,Value=v2 ``` For example JSON configurations, see [Storage Lens groups configuration](storage-lens-groups.md#storage-lens-groups-configuration). ## Using the AWS SDK for Java The following AWS SDK for Java example creates a Storage Lens group. To use this example, replace the `user input placeholders` with your own information. **Example – Create a Storage Lens group with a single filter** The following example creates a Storage Lens group named `Marketing-Department`. This group has an object age filter that specifies the age range as `30` to `90` days. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.CreateStorageLensGroupRequest; import software.amazon.awssdk.services.s3control.model.MatchObjectAge; import software.amazon.awssdk.services.s3control.model.StorageLensGroup; import software.amazon.awssdk.services.s3control.model.StorageLensGroupFilter; public class CreateStorageLensGroupWithObjectAge { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { StorageLensGroupFilter objectAgeFilter = StorageLensGroupFilter.builder() .matchObjectAge(MatchObjectAge.builder() .daysGreaterThan(30) .daysLessThan(90) .build()) .build(); StorageLensGroup storageLensGroup = StorageLensGroup.builder() .name(storageLensGroupName) .filter(objectAgeFilter) .build(); CreateStorageLensGroupRequest createStorageLensGroupRequest = CreateStorageLensGroupRequest.builder() .storageLensGroup(storageLensGroup) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.createStorageLensGroup(createStorageLensGroupRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` **Example – Create a Storage Lens group with an `AND` operator that includes multiple filters** The following example creates a Storage Lens group named `Marketing-Department`. This group uses the `AND` operator to indicate that objects must match **all** of the filter conditions. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.CreateStorageLensGroupRequest; import software.amazon.awssdk.services.s3control.model.MatchObjectAge; import software.amazon.awssdk.services.s3control.model.MatchObjectSize; import software.amazon.awssdk.services.s3control.model.S3Tag; import software.amazon.awssdk.services.s3control.model.StorageLensGroup; import software.amazon.awssdk.services.s3control.model.StorageLensGroupAndOperator; import software.amazon.awssdk.services.s3control.model.StorageLensGroupFilter; public class CreateStorageLensGroupWithAndFilter { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { // Create object tags. S3Tag tag1 = S3Tag.builder() .key("object-tag-key-1") .value("object-tag-value-1") .build(); S3Tag tag2 = S3Tag.builder() .key("object-tag-key-2") .value("object-tag-value-2") .build(); StorageLensGroupAndOperator andOperator = StorageLensGroupAndOperator.builder() .matchAnyPrefix("prefix-1", "prefix-2", "prefix-3/sub-prefix-1") .matchAnySuffix(".png", ".gif", ".jpg") .matchAnyTag(tag1, tag2) .matchObjectAge(MatchObjectAge.builder() .daysGreaterThan(30) .daysLessThan(90).build()) .matchObjectSize(MatchObjectSize.builder() .bytesGreaterThan(1000L) .bytesLessThan(6000L).build()) .build(); StorageLensGroupFilter andFilter = StorageLensGroupFilter.builder() .and(andOperator) .build(); StorageLensGroup storageLensGroup = StorageLensGroup.builder() .name(storageLensGroupName) .filter(andFilter) .build(); CreateStorageLensGroupRequest createStorageLensGroupRequest = CreateStorageLensGroupRequest.builder() .storageLensGroup(storageLensGroup) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.createStorageLensGroup(createStorageLensGroupRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` **Example – Create a Storage Lens group with an `OR` operator that includes multiple filters** The following example creates a Storage Lens group named `Marketing-Department`. This group uses an `OR` operator to apply a prefix filter (`prefix-1`, `prefix-2`, `prefix3/sub-prefix-1`) or an object size filter with a size range between `1000` bytes and `6000` bytes. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.CreateStorageLensGroupRequest; import software.amazon.awssdk.services.s3control.model.MatchObjectSize; import software.amazon.awssdk.services.s3control.model.StorageLensGroup; import software.amazon.awssdk.services.s3control.model.StorageLensGroupFilter; import software.amazon.awssdk.services.s3control.model.StorageLensGroupOrOperator; public class CreateStorageLensGroupWithOrFilter { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { StorageLensGroupOrOperator orOperator = StorageLensGroupOrOperator.builder() .matchAnyPrefix("prefix-1", "prefix-2", "prefix-3/sub-prefix-1") .matchObjectSize(MatchObjectSize.builder() .bytesGreaterThan(1000L) .bytesLessThan(6000L) .build()) .build(); StorageLensGroupFilter orFilter = StorageLensGroupFilter.builder() .or(orOperator) .build(); StorageLensGroup storageLensGroup = StorageLensGroup.builder() .name(storageLensGroupName) .filter(orFilter) .build(); CreateStorageLensGroupRequest createStorageLensGroupRequest = CreateStorageLensGroupRequest.builder() .storageLensGroup(storageLensGroup) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.createStorageLensGroup(createStorageLensGroupRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` **Example – Create a Storage Lens group with a single filter and two AWS resource tags** The following example creates a Storage Lens group named `Marketing-Department` that has a suffix filter. This example also adds two AWS resource tags to the Storage Lens group. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.CreateStorageLensGroupRequest; import software.amazon.awssdk.services.s3control.model.StorageLensGroup; import software.amazon.awssdk.services.s3control.model.StorageLensGroupFilter; import software.amazon.awssdk.services.s3control.model.Tag; public class CreateStorageLensGroupWithResourceTags { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { // Create AWS resource tags. Tag resourceTag1 = Tag.builder() .key("resource-tag-key-1") .value("resource-tag-value-1") .build(); Tag resourceTag2 = Tag.builder() .key("resource-tag-key-2") .value("resource-tag-value-2") .build(); StorageLensGroupFilter suffixFilter = StorageLensGroupFilter.builder() .matchAnySuffix(".png", ".gif", ".jpg") .build(); StorageLensGroup storageLensGroup = StorageLensGroup.builder() .name(storageLensGroupName) .filter(suffixFilter) .build(); CreateStorageLensGroupRequest createStorageLensGroupRequest = CreateStorageLensGroupRequest.builder() .storageLensGroup(storageLensGroup) .tags(resourceTag1, resourceTag2) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.createStorageLensGroup(createStorageLensGroupRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` For example JSON configurations, see [Storage Lens groups configuration](storage-lens-groups.md#storage-lens-groups-configuration). # Attaching or removing S3 Storage Lens groups to or from your dashboard Attach or remove a Storage Lens group After you've upgraded to the advanced tier in Amazon S3 Storage Lens, you can attach a [Storage Lens group](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-overview.html) to your dashboard. If you have several Storage Lens groups, you can include or exclude the groups that you want. Your Storage Lens groups must reside within the designated home Region in the dashboard account. After you attach a Storage Lens group to your dashboard, you'll receive the additional Storage Lens group aggregation data in your metrics export within 48 hours. **Note** If you want to view aggregated metrics for your Storage Lens group, you must attach it to your Storage Lens dashboard. For examples of Storage Lens group JSON configuration files, see [S3 Storage Lens example configuration with Storage Lens groups in JSON](S3LensHelperFilesCLI.md#StorageLensGroupsHelperFilesCLI). ## Using the S3 console **To attach a Storage Lens group to a Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, under **Storage Lens**, choose **Dashboards**. 1. Choose the option button for the Storage Lens dashboard that you want to attach a Storage Lens group to. 1. Choose **Edit**. 1. Under **Metrics selection**, choose **Advanced metrics and recommendations**. 1. Select **Storage Lens group aggregation**. **Note** By default, **Advanced metrics** is also selected. However, you can also deselect this setting as it's not required to aggregate Storage Lens groups data. 1. Scroll down to **Storage Lens group aggregation** and specify the Storage Lens group or groups that you either want to include or exclude in the data aggregation. You can use the following filtering options: + If you want to include certain Storage Lens groups, choose **Include Storage Lens groups**. Under **Storage Lens groups to include**, select your Storage Lens groups. + If you want to include all Storage Lens groups, select **Include all Storage Lens groups in home Region in this account**. + If you want to exclude certain Storage Lens groups, choose **Exclude Storage Lens groups**. Under **Storage Lens groups to exclude**, select the Storage Lens groups that you want to exclude. 1. Choose **Save changes**. If you've configured your Storage Lens groups correctly, you will see the additional Storage Lens group aggregation data in your dashboard within 48 hours. **To remove a Storage Lens group from an S3 Storage Lens dashboard** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, under **Storage Lens**, choose **Dashboards**. 1. Choose the option button for the Storage Lens dashboard that you want to remove a Storage Lens group from. 1. Choose **View dashboard configuration**. 1. Choose **Edit**. 1. Scroll down to the **Metrics selection** section. 1. Under **Storage Lens group aggregation**, choose the **X** next to the Storage Lens group that you want to remove. This removes your Storage Lens group. If you included all of your Storage Lens groups in your dashboard, clear the check box next to **Include all Storage Lens groups in home Region in this account**. 1. Choose **Save changes**. **Note** It will take up to 48 hours for your dashboard to reflect the configuration updates. ## Using the AWS SDK for Java **Example – Attach all Storage Lens groups to a dashboard** The following SDK for Java example attaches all Storage Lens groups in the account *111122223333* to the *DashBoardConfigurationId* dashboard: ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.BucketLevel; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationRequest; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.model.AccountLevel; import com.amazonaws.services.s3control.model.StorageLensConfiguration; import com.amazonaws.services.s3control.model.StorageLensGroupLevel; import static com.amazonaws.regions.Regions.US_WEST_2; public class CreateDashboardWithStorageLensGroups { public static void main(String[] args) { String configurationId = "ExampleDashboardConfigurationId"; String sourceAccountId = "111122223333"; try { StorageLensGroupLevel storageLensGroupLevel = new StorageLensGroupLevel(); AccountLevel accountLevel = new AccountLevel() .withBucketLevel(new BucketLevel()) .withStorageLensGroupLevel(storageLensGroupLevel); StorageLensConfiguration configuration = new StorageLensConfiguration() .withId(configurationId) .withAccountLevel(accountLevel) .withIsEnabled(true); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfiguration(new PutStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withStorageLensConfiguration(configuration) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` **Example – Attach two Storage Lens groups to a dashboard** The following AWS SDK for Java example attaches two Storage Lens groups (*StorageLensGroupName1* and *StorageLensGroupName2*) to the *ExampleDashboardConfigurationId* dashboard. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.AccountLevel; import com.amazonaws.services.s3control.model.BucketLevel; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationRequest; import com.amazonaws.services.s3control.model.StorageLensConfiguration; import com.amazonaws.services.s3control.model.StorageLensGroupLevel; import com.amazonaws.services.s3control.model.StorageLensGroupLevelSelectionCriteria; import static com.amazonaws.regions.Regions.US_WEST_2; public class CreateDashboardWith2StorageLensGroups { public static void main(String[] args) { String configurationId = "ExampleDashboardConfigurationId"; String storageLensGroupName1 = "StorageLensGroupName1"; String storageLensGroupName2 = "StorageLensGroupName2"; String sourceAccountId = "111122223333"; try { StorageLensGroupLevelSelectionCriteria selectionCriteria = new StorageLensGroupLevelSelectionCriteria() .withInclude( "arn:aws:s3:" + US_WEST_2.getName() + ":" + sourceAccountId + ":storage-lens-group/" + storageLensGroupName1, "arn:aws:s3:" + US_WEST_2.getName() + ":" + sourceAccountId + ":storage-lens-group/" + storageLensGroupName2); System.out.println(selectionCriteria); StorageLensGroupLevel storageLensGroupLevel = new StorageLensGroupLevel() .withSelectionCriteria(selectionCriteria); AccountLevel accountLevel = new AccountLevel() .withBucketLevel(new BucketLevel()) .withStorageLensGroupLevel(storageLensGroupLevel); StorageLensConfiguration configuration = new StorageLensConfiguration() .withId(configurationId) .withAccountLevel(accountLevel) .withIsEnabled(true); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfiguration(new PutStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withStorageLensConfiguration(configuration) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` **Example – Attach all Storage Lens groups with exclusions** The following SDK for Java example attaches all Storage Lens groups to the *ExampleDashboardConfigurationId* dashboard, excluding the two specified (*StorageLensGroupName1* and *StorageLensGroupName2*): ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.services.s3control.AWSS3Control; import com.amazonaws.services.s3control.AWSS3ControlClient; import com.amazonaws.services.s3control.model.AccountLevel; import com.amazonaws.services.s3control.model.BucketLevel; import com.amazonaws.services.s3control.model.PutStorageLensConfigurationRequest; import com.amazonaws.services.s3control.model.StorageLensConfiguration; import com.amazonaws.services.s3control.model.StorageLensGroupLevel; import com.amazonaws.services.s3control.model.StorageLensGroupLevelSelectionCriteria; import static com.amazonaws.regions.Regions.US_WEST_2; public class CreateDashboardWith2StorageLensGroupsExcluded { public static void main(String[] args) { String configurationId = "ExampleDashboardConfigurationId"; String storageLensGroupName1 = "StorageLensGroupName1"; String storageLensGroupName2 = "StorageLensGroupName2"; String sourceAccountId = "111122223333"; try { StorageLensGroupLevelSelectionCriteria selectionCriteria = new StorageLensGroupLevelSelectionCriteria() .withInclude( "arn:aws:s3:" + US_WEST_2.getName() + ":" + sourceAccountId + ":storage-lens-group/" + storageLensGroupName1, "arn:aws:s3:" + US_WEST_2.getName() + ":" + sourceAccountId + ":storage-lens-group/" + storageLensGroupName2); System.out.println(selectionCriteria); StorageLensGroupLevel storageLensGroupLevel = new StorageLensGroupLevel() .withSelectionCriteria(selectionCriteria); AccountLevel accountLevel = new AccountLevel() .withBucketLevel(new BucketLevel()) .withStorageLensGroupLevel(storageLensGroupLevel); StorageLensConfiguration configuration = new StorageLensConfiguration() .withId(configurationId) .withAccountLevel(accountLevel) .withIsEnabled(true); AWSS3Control s3ControlClient = AWSS3ControlClient.builder() .withCredentials(new ProfileCredentialsProvider()) .withRegion(US_WEST_2) .build(); s3ControlClient.putStorageLensConfiguration(new PutStorageLensConfigurationRequest() .withAccountId(sourceAccountId) .withConfigId(configurationId) .withStorageLensConfiguration(configuration) ); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Visualizing your Storage Lens groups data Visualize Storage Lens group data You can visualize your Storage Lens groups data by [attaching the group to your Amazon S3 Storage Lens dashboard](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-lens-groups-dashboard-console.html#storage-lens-groups-attach-dashboard-console). After you've included the Storage Lens group in the Storage Lens group aggregation in your dashboard configuration, it can take up to 48 hours for the Storage Lens group data to display in your dashboard. After the dashboard configuration has been updated, any newly attached Storage Lens groups appear in the list of available resources under the **Storage Lens groups** tab. You can also further analyze storage usage in your **Overview** tab by slicing the data by another dimension. For example, you can choose one of the items listed under the **Top 3** categories and choose **Analyze by** to slice the data by another dimension. You can't apply the same dimension as the filter itself. **Note** You can't apply a Storage Lens group filter along with a prefix filter, or the reverse. You also can't further analyze a Storage Lens group by using a prefix filter. You can use the **Storage Lens groups** tab in the Amazon S3 Storage Lens dashboard to customize the data visualization for the Storage Lens groups that are attached to your dashboard. You can either visualize the data for some Storage Lens groups that are attached to your dashboard, or all of them. When visualizing Storage Lens group data in your S3 Storage Lens dashboard, be aware of the following: + S3 Storage Lens aggregates usage metrics for an object under all matching Storage Lens groups. Therefore, if an object matches the filter conditions for two or more Storage Lens groups, you will see repeated counts for the same object across your storage usage. + Objects must match the filters that you include in your Storage Lens groups. If no objects match the filters that you include in your Storage Lens group, then no metrics are generated. To determine if there are any unassigned objects, check your total object count in the dashboard at the account level and bucket level. # Updating a Storage Lens group Update a Storage Lens group The following examples demonstrate how to update an Amazon S3 Storage Lens group. You can update a Storage Lens group by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To update a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the Storage Lens group that you want to update. 1. Under **Scope**, choose **Edit**. 1. On the **Scope** page, select the filter that you want to apply to your Storage Lens group. To apply multiple filters, select your filters, and choose the **AND** or **OR** logical operator. + For the **Prefixes** filter, select **Prefixes**, and enter a prefix string. To add multiple prefixes, choose **Add prefix**. To remove a prefix, choose **Remove** next to the prefix that you want to remove. + For the **Object tags** filter, enter the key-value pair for your object. Then, choose **Add tag**. To remove a tag, choose **Remove** next to the tag that you want to remove. + For the **Suffixes** filter, select **Suffixes**, and enter a suffix string. To add multiple suffixes, choose **Add suffix**. To remove a suffix, choose **Remove** next to the suffix that you want to remove. + For the **Age** filter, specify the object age range in days. Choose **Specify minimum object age**, and enter the minimum object age. For **Specify maximum object age**, enter the maximum object age. + For the **Size** filter, specify the object size range and unit of measurement. Choose **Specify minimum object size**, and enter the minimum object size. For **Specify maximum object size**, enter the maximum object size. 1. Choose **Save changes**. The details page for the Storage Lens group appears. 1. (Optional) If you want to add a new AWS resource tag, scroll to the **AWS resource tags** section, then choose **Add tags**. The **Add tags** page appears. Add the new key-value pair, then choose **Save changes**. The details page for the Storage Lens group appears. 1. (Optional) If you want to remove an existing AWS resource tag, scroll to the **AWS resource tags** section, and select the resource tag. Then, choose **Delete**. The **Delete AWS tags** dialog box appears. Choose **Delete** again to permanently delete the AWS resource tag. **Note** After you permanently delete an AWS resource tag, it can’t be restored. ## Using the AWS CLI The following AWS CLI example command returns the configuration details for a Storage Lens group named `marketing-department`. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control get-storage-lens-group --account-id 111122223333 \ --region us-east-1 --name marketing-department ``` The following AWS CLI example updates a Storage Lens group. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control update-storage-lens-group --account-id 111122223333 \ --region us-east-1 --storage-lens-group=file://./marketing-department.json ``` For example JSON configurations, see [Storage Lens groups configuration](storage-lens-groups.md#storage-lens-groups-configuration). ## Using the AWS SDK for Java The following AWS SDK for Java example returns the configuration details for the `Marketing-Department` Storage Lens group in account `111122223333`. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.GetStorageLensGroupRequest; import software.amazon.awssdk.services.s3control.model.GetStorageLensGroupResponse; public class GetStorageLensGroup { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { GetStorageLensGroupRequest getRequest = GetStorageLensGroupRequest.builder() .name(storageLensGroupName) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); GetStorageLensGroupResponse response = s3ControlClient.getStorageLensGroup(getRequest); System.out.println(response); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` The following example updates the Storage Lens group named `Marketing-Department` in account `111122223333`. This example updates the dashboard scope to include objects that match any of the following suffixes: `.png`, `.gif`, `.jpg`, or `.jpeg`. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.StorageLensGroup; import software.amazon.awssdk.services.s3control.model.StorageLensGroupFilter; import software.amazon.awssdk.services.s3control.model.UpdateStorageLensGroupRequest; public class UpdateStorageLensGroup { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { // Create updated filter. StorageLensGroupFilter suffixFilter = StorageLensGroupFilter.builder() .matchAnySuffix(".png", ".gif", ".jpg", ".jpeg") .build(); StorageLensGroup storageLensGroup = StorageLensGroup.builder() .name(storageLensGroupName) .filter(suffixFilter) .build(); UpdateStorageLensGroupRequest updateStorageLensGroupRequest = UpdateStorageLensGroupRequest.builder() .name(storageLensGroupName) .storageLensGroup(storageLensGroup) .accountId(accountId) .build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.updateStorageLensGroup(updateStorageLensGroupRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` For example JSON configurations, see [Storage Lens groups configuration](storage-lens-groups.md#storage-lens-groups-configuration). # Managing AWS resource tags with Storage Lens groups Manage AWS resource tags with Storage Lens groups Each Amazon S3 Storage Lens group is counted as an AWS resource with its own Amazon Resource Name (ARN). Therefore, when you configure your Storage Lens group, you can optionally add AWS resource tags to the group. You can add up to 50 tags for each Storage Lens group. To create a Storage Lens group with tags, you must have the `s3:CreateStorageLensGroup` and `s3:TagResource` permissions. You can use AWS resource tags to categorize resources according to department, line of business, or project. Doing so is useful when you have many resources of the same type. By applying tags, you can quickly identify a specific Storage Lens group based on the tags that you've assigned to it. You can also use tags to track and allocate costs. In addition, when you add an AWS resource tag to your Storage Lens group, you activate [attribute-based access control (ABAC)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html). ABAC is an authorization strategy that defines permissions based on attributes, in this case tags. You can also use conditions that specify resource tags in your IAM policies to [control access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources). You can edit tag keys and values, and you can remove tags from a resource at any time. Also, be aware of the following limitations: + Tag keys and tag values are case sensitive. + If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. + If you delete a resource, any tags for the resource are also deleted. + Don't include private or sensitive data in your AWS resource tags. + System tags (with tag keys that begin with `aws:`) aren't supported. + The length of each tag key can't exceed 128 characters. The length of each tag value can't exceed 256 characters. The following examples demonstrate how to use AWS resource tags with Storage Lens groups. **Topics** + [ # Adding an AWS resource tag to a Storage Lens group ](storage-lens-groups-add-tags.md) + [ # Updating Storage Lens group tag values ](storage-lens-groups-update-tags.md) + [ # Deleting an AWS resource tag from a Storage Lens group ](storage-lens-groups-delete-tags.md) + [ # Listing Storage Lens group tags ](storage-lens-groups-list-tags.md) # Adding an AWS resource tag to a Storage Lens group Add an AWS resource tag to a Storage Lens group The following examples demonstrate how to add AWS resource tags to an Amazon S3 Storage Lens group. You can add resource tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To add an AWS resource tag to a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the Storage Lens group that you want to update. 1. Under **AWS resource tags**, choose **Add tags**. 1. On the **Add tags** page, add the new key-value pair. **Note** Adding a new tag with the same key as an existing tag overwrites the previous tag value. 1. (Optional) To add more than one new tag, choose **Add tag** again to continue adding new entries. You can add up to 50 AWS resource tags to your Storage Lens group. 1. (Optional) If you want to remove a newly added entry, choose **Remove** next to the tag that you want to remove. 1. Choose **Save changes**. ## Using the AWS CLI The following example AWS CLI command adds two resource tags to an existing Storage Lens group named `marketing-department`. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control tag-resource --account-id 111122223333 \ --resource-arn arn:aws:s3:us-east-1:111122223333:storage-lens-group/marketing-department \ --region us-east-1 --tags Key=k1,Value=v1 Key=k2,Value=v2 ``` ## Using the AWS SDK for Java The following AWS SDK for Java example adds two AWS resource tags to an existing Storage Lens group. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.Tag; import software.amazon.awssdk.services.s3control.model.TagResourceRequest; public class TagResource { public static void main(String[] args) { String resourceARN = "Resource_ARN"; String accountId = "111122223333"; try { Tag resourceTag1 = Tag.builder() .key("resource-tag-key-1") .value("resource-tag-value-1") .build(); Tag resourceTag2 = Tag.builder() .key("resource-tag-key-2") .value("resource-tag-value-2") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .resourceArn(resourceARN) .tags(resourceTag1, resourceTag2) .accountId(accountId) .build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.tagResource(tagResourceRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Updating Storage Lens group tag values Update Storage Lens group tag values The following examples demonstrate how to update Storage Lens group tag values by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To update an AWS resource tag for a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the Storage Lens group that you want to update. 1. Under **AWS resource tags**, select the tag that you want to update. 1. Add the new tag value, using the same key of the key-value pair that you want to update. Choose the checkmark icon to update the tag value. **Note** Adding a new tag with the same key as an existing tag overwrites the previous tag value. 1. (Optional) If you want to add new tags, choose **Add tag** to add new entries. The **Add tags** page appears. You can add up to 50 AWS resource tags for your Storage Lens group. When you're finished adding new tags, choose **Save changes**. 1. (Optional) If you want to remove a newly added entry, choose **Remove** next to the tag that you want to remove. When you're finished removing tags, choose **Save changes**. ## Using the AWS CLI The following example AWS CLI command updates two tag values for the Storage Lens group named `marketing-department`. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control tag-resource --account-id 111122223333 \ --resource-arn arn:aws:s3:us-east-1:111122223333:storage-lens-group/marketing-department \ --region us-east-1 --tags Key=k1,Value=v3 Key=k2,Value=v4 ``` ## Using the AWS SDK for Java The following AWS SDK for Java example updates two Storage Lens group tag values. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.Tag; import software.amazon.awssdk.services.s3control.model.TagResourceRequest; public class UpdateTagsForResource { public static void main(String[] args) { String resourceARN = "Resource_ARN"; String accountId = "111122223333"; try { Tag updatedResourceTag1 = Tag.builder() .key("resource-tag-key-1") .value("resource-tag-updated-value-1") .build(); Tag updatedResourceTag2 = Tag.builder() .key("resource-tag-key-2") .value("resource-tag-updated-value-2") .build(); TagResourceRequest tagResourceRequest = TagResourceRequest.builder() .resourceArn(resourceARN) .tags(updatedResourceTag1, updatedResourceTag2) .accountId(accountId) .build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.tagResource(tagResourceRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Deleting an AWS resource tag from a Storage Lens group Delete an AWS resource tag from a Storage Lens group The following examples demonstrate how to delete an AWS resource tag from a Storage Lens group. You can delete tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To delete an AWS resource tag from a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the Storage Lens group that you want to update. 1. Under **AWS resource tags**, select the key-value pair that you want to delete. 1. Choose **Delete**. The **Delete AWS resource tags** dialog box appears. **Note** If tags are used to control access, proceeding with this action can affect related resources. After you permanently delete a tag, it can't be restored. 1. Choose **Delete** to permanently delete the key-value pair. ## Using the AWS CLI The following AWS CLI command deletes two AWS resource tags from an existing Storage Lens group: To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control untag-resource --account-id 111122223333 \ --resource-arn arn:aws:s3:us-east-1:111122223333:storage-lens-group/Marketing-Department \ --region us-east-1 --tag-keys k1 k2 ``` ## Using the AWS SDK for Java The following AWS SDK for Java example deletes two AWS resource tags from the Storage Lens group Amazon Resource Name (ARN) that you specify in account `111122223333`. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.UntagResourceRequest; public class UntagResource { public static void main(String[] args) { String resourceARN = "Resource_ARN"; String accountId = "111122223333"; try { String tagKey1 = "resource-tag-key-1"; String tagKey2 = "resource-tag-key-2"; UntagResourceRequest untagResourceRequest = UntagResourceRequest.builder() .resourceArn(resourceARN) .tagKeys(tagKey1, tagKey2) .accountId(accountId) .build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.untagResource(untagResourceRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Listing Storage Lens group tags List Storage Lens group tags The following examples demonstrate how to list the AWS resource tags associated with a Storage Lens group. You can list tags by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To review the list of tags and tag values for a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the Storage Lens group that you're interested in. 1. Scroll down to the **AWS resource tags** section. All of the user-defined AWS resource tags that are added to your Storage Lens group are listed along with their tag values. ## Using the AWS CLI The following AWS CLI example command lists all the Storage Lens group tag values for the Storage Lens group named `marketing-department`. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control list-tags-for-resource --account-id 111122223333 \ --resource-arn arn:aws:s3:us-east-1:111122223333:storage-lens-group/marketing-department \ --region us-east-1 ``` ## Using the AWS SDK for Java The following AWS SDK for Java example lists the Storage Lens group tag values for the Storage Lens group Amazon Resource Name (ARN) that you specify. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.ListTagsForResourceRequest; import software.amazon.awssdk.services.s3control.model.ListTagsForResourceResponse; public class ListTagsForResource { public static void main(String[] args) { String resourceARN = "Resource_ARN"; String accountId = "111122223333"; try { ListTagsForResourceRequest listTagsForResourceRequest = ListTagsForResourceRequest.builder() .resourceArn(resourceARN) .accountId(accountId) .build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); ListTagsForResourceResponse response = s3ControlClient.listTagsForResource(listTagsForResourceRequest); System.out.println(response); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Listing all Storage Lens groups List all Storage Lens groups The following examples demonstrate how to list all Amazon S3 Storage Lens groups in an AWS account and home Region. These examples show how list all Storage Lens groups by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To list all Storage Lens groups in an account and home Region** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, the list of Storage Lens groups in your account is displayed. ## Using the AWS CLI The following AWS CLI example lists all of the Storage Lens groups for your account. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control list-storage-lens-groups --account-id 111122223333 \ --region us-east-1 ``` ## Using the AWS SDK for Java The following AWS SDK for Java example lists the Storage Lens groups for account `111122223333`. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.ListStorageLensGroupsRequest; import software.amazon.awssdk.services.s3control.model.ListStorageLensGroupsResponse; public class ListStorageLensGroups { public static void main(String[] args) { String accountId = "111122223333"; try { ListStorageLensGroupsRequest listStorageLensGroupsRequest = ListStorageLensGroupsRequest.builder() .accountId(accountId) .build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); ListStorageLensGroupsResponse response = s3ControlClient.listStorageLensGroups(listStorageLensGroupsRequest); System.out.println(response); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Viewing Storage Lens group details View Storage Lens group details The following examples demonstrate how to view Amazon S3 Storage Lens group configuration details. You can view these details by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To view Storage Lens group configuration details** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the option button next to the Storage Lens group that you're interested in. 1. Choose **View details**. You can now review the details of your Storage Lens group. ## Using the AWS CLI The following AWS CLI example returns the configuration details for a Storage Lens group. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control get-storage-lens-group --account-id 111122223333 \ --region us-east-1 --name marketing-department ``` ## Using the AWS SDK for Java The following AWS SDK for Java example returns the configuration details for the Storage Lens group named `Marketing-Department` in account `111122223333`. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.GetStorageLensGroupRequest; import software.amazon.awssdk.services.s3control.model.GetStorageLensGroupResponse; public class GetStorageLensGroup { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { GetStorageLensGroupRequest getRequest = GetStorageLensGroupRequest.builder() .name(storageLensGroupName) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); GetStorageLensGroupResponse response = s3ControlClient.getStorageLensGroup(getRequest); System.out.println(response); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ``` # Deleting a Storage Lens group Delete a Storage Lens group The following examples demonstrate how to delete an Amazon S3 Storage Lens group by using the Amazon S3 console, AWS Command Line Interface (AWS CLI), and AWS SDK for Java. ## Using the S3 console **To delete a Storage Lens group** 1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/). 1. In the left navigation pane, choose **Storage Lens groups**. 1. Under **Storage Lens groups**, choose the option button next to the Storage Lens group that you want to delete. 1. Choose **Delete**. A **Delete Storage Lens group** dialog box displays. 1. Choose **Delete** again to permanently delete your Storage Lens group. **Note** After you delete a Storage Lens group, it can't be restored. ## Using the AWS CLI The following AWS CLI example deletes the Storage Lens group named `marketing-department`. To use this example command, replace the `user input placeholders` with your own information. ``` aws s3control delete-storage-lens-group --account-id 111122223333 \ --region us-east-1 --name marketing-department ``` ## Using the AWS SDK for Java The following AWS SDK for Java example deletes the Storage Lens group named `Marketing-Department` in account `111122223333`. To use this example, replace the `user input placeholders` with your own information. ``` package aws.example.s3control; import com.amazonaws.AmazonServiceException; import com.amazonaws.SdkClientException; import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.s3control.S3ControlClient; import software.amazon.awssdk.services.s3control.model.DeleteStorageLensGroupRequest; public class DeleteStorageLensGroup { public static void main(String[] args) { String storageLensGroupName = "Marketing-Department"; String accountId = "111122223333"; try { DeleteStorageLensGroupRequest deleteStorageLensGroupRequest = DeleteStorageLensGroupRequest.builder() .name(storageLensGroupName) .accountId(accountId).build(); S3ControlClient s3ControlClient = S3ControlClient.builder() .region(Region.US_WEST_2) .credentialsProvider(ProfileCredentialsProvider.create()) .build(); s3ControlClient.deleteStorageLensGroup(deleteStorageLensGroupRequest); } catch (AmazonServiceException e) { // The call was transmitted successfully, but Amazon S3 couldn't process // it and returned an error response. e.printStackTrace(); } catch (SdkClientException e) { // Amazon S3 couldn't be contacted for a response, or the client // couldn't parse the response from Amazon S3. e.printStackTrace(); } } } ```