Log format in CloudWatch Logs
When Amazon S3 server access logs are delivered to Amazon CloudWatch Logs, each log record is a structured JSON object. This is different from the space-delimited text format used for delivery to an Amazon S3 general purpose bucket. The structured format makes fields directly queryable in CloudWatch Logs Insights without regex parsing.
Note
For the space-delimited text format used for general purpose bucket delivery, see Amazon S3 server access log format.
Log record fields
The following table describes the fields in each server access log record delivered to CloudWatch Logs.
| Field | Type | Description |
|---|---|---|
schema_version_id |
string | Version identifier for the log record schema (for example, V_1_0).
Use this field to detect schema changes when new fields are added in future
versions. |
bucket_arn |
string | ARN of the source bucket. |
bucket_name |
string | Name of the bucket that the request was made to. Derived from the bucket ARN. |
request_time |
string | Time the request was received, in UTC. Formatted as ISO 8601
(yyyy-MM-dd'T'HH:mm:ss.SSS'Z'). In the S3 Tables integration (Iceberg),
this field is stored as timestamptz. |
bucket_owner_id |
string | Canonical user ID of the owner of the source bucket. |
remote_ip |
string | Apparent IP address of the requester. Defaults to null if not
available. |
requester |
string | Canonical user ID of the requester, or null for unauthenticated
requests. For IAM users and roles, this is the ARN. |
request_id |
string | Unique identifier generated by Amazon S3 for each request. Defaults to
null if not available. |
operation |
string | The operation that was performed, for example
REST.GET.OBJECT or REST.PUT.OBJECT. Defaults to
null if not available. |
key_name |
string | Object key in the request, or null if the operation does not involve
an object. |
request_uri |
string | The Request-URI part of the HTTP request message, or
null if not available. |
http_status |
int | Numeric HTTP status code of the response, for example 200 or
403. Defaults to null if not available. |
error_code |
string | Amazon S3 error code, for example NoSuchKey or
AccessDenied, or null if no error occurred. |
bytes_sent_size |
long | Number of response bytes sent, excluding HTTP protocol overhead. Defaults to
null if not available. |
object_size |
long | Total size of the object. Defaults to null if not
available. |
total_duration |
long | Total time of the request from the time the request was received to the last
byte of the response sent, in milliseconds. Defaults to null if not
available. |
turn_around_duration |
long | Time Amazon S3 spent processing the request, in milliseconds. This value is measured
from the time the last byte of the request was received until the time the first byte
of the response was sent. Defaults to null if not available. |
referer |
string | Value of the HTTP Referer header, or null if not
present. |
user_agent |
string | Value of the HTTP User-Agent header. Defaults to null
if not available. |
version_id |
string | Version ID in the request, or null if the operation does not involve
a versioned object. |
host_id |
string | Amazon S3 extended request ID (x-amz-id-2). Defaults to
null if not available. |
signature_version |
string | Signature version used to authenticate the request:
SigV2 or SigV4. Defaults to null for
unauthenticated requests. |
cipher_suite |
string | TLS cipher suite negotiated for HTTPS requests, or null for
HTTP. |
authentication_type |
string | Type of request authentication: AuthHeader,
QueryString, or null. |
host_header |
string | Endpoint used to connect to Amazon S3. Defaults to null if not
available. |
tls_version |
string | TLS version negotiated by the client: TLSv1.1,
TLSv1.2, TLSv1.3, or null. |
access_point_arn |
string | ARN of the access point used for the request, or null if the request
did not use an access point. |
acl_required |
boolean | Whether an ACL was required for the request. Defaults to null when
not applicable. |
source_region |
string | AWS Region from which the request originated, or null when the
origin Region cannot be determined (such as PrivateLink connections, Direct Connect
connections, Bring your own IP addresses (BYOIP), or non-AWS IP addresses) or when
the log is generated by operations triggered based on customer-set policies or actions,
such as lifecycle and checksum. |
Sample log record
The following is an example of a server access log record as it appears in CloudWatch Logs.
{ "schema_version_id": "V_1_0", "bucket_arn": "arn:aws:s3:::my-data-bucket", "bucket_name": "my-data-bucket", "request_time": "2026-04-29T14:32:16.000Z", "bucket_owner_id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "remote_ip": "203.0.113.45", "requester": "arn:aws:iam::123456789012:role/DataAnalystRole", "request_id": "3E57427F33A59F07", "operation": "REST.GET.OBJECT", "key_name": "reports/2026/quarterly-summary.parquet", "request_uri": "GET /my-data-bucket/reports/2026/quarterly-summary.parquet HTTP/1.1", "http_status": 200, "error_code": null, "bytes_sent_size": 1048576, "object_size": 1048576, "total_duration": 45, "turn_around_duration": 12, "referer": null, "user_agent": "aws-sdk-java/2.20.0", "version_id": null, "host_id": "s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234=", "signature_version": "SigV4", "cipher_suite": "TLS_AES_128_GCM_SHA256", "authentication_type": "AuthHeader", "host_header": "my-data-bucket.s3.us-east-1.amazonaws.com", "tls_version": "TLSv1.3", "access_point_arn": null, "acl_required": false, "source_region": "us-east-1" }
Differences from general purpose bucket log format
The CloudWatch Logs log format differs from the general purpose bucket log format in the following ways:
-
Format – CloudWatch Logs logs are structured JSON objects. General purpose bucket logs are space-delimited text.
-
Field names – The CloudWatch Logs format uses descriptive underscore-separated field names (for example,
bytes_sent_size,total_duration,key_name,authentication_type). The general purpose bucket format is positional space-delimited text with no named columns. -
Additional fields – The CloudWatch Logs format includes
schema_version_idandbucket_arn, which are not present in the general purpose bucket text format. -
No parsing required – Because CloudWatch Logs logs are structured JSON, you can query individual fields directly in CloudWatch Logs Insights without regex parsing. The general purpose bucket text format requires a regex or custom parser to extract fields.