AWS S3 allows you to distribute files publicly by configuring a public bucket or granting public access to specific objects. It can also be used to host static websites. In both cases, tracking access to these resources is important for security and auditing purposes.
47411d8baafa8cced757f771442e08849454857df58a341bfbcdf5bc22ea7be8 simplified-guide [18/Feb/2019:05:43:32 +0000] 112.120.201.145 - 381A22D2E282215C WEBSITE.GET.OBJECT index.html "GET / HTTP/1.1" 404 NoSuchKey 538 - 28 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36" - 47411d8baafa8cced757f771442e08849454857df58a341bfbcdf5bc22ea7be8 simplified-guide [18/Feb/2019:05:43:34 +0000] 112.120.201.145 - 64BED33D9CCEB6B7 WEBSITE.GET.OBJECT favicon.ico "GET /favicon.ico HTTP/1.1" 404 NoSuchKey 539 - 14 - "http://simplified-guide.s3-website.us-east-1.amazonaws.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36" - 47411d8baafa8cced757f771442e08849454857df58a341bfbcdf5bc22ea7be8 simplified-guide [18/Feb/2019:05:43:43 +0000] 112.120.201.145 - 560BDDE0527AC26F WEBSITE.GET.OBJECT oseems.png "GET /oseems.png HTTP/1.1" 200 - 31397 31397 12 11 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36" -
To monitor access to your S3 buckets, you can enable Server access logging. This feature records details of each request made to your bucket and its objects. These logs help you understand who accessed your data and when.
Storing these logs in a separate, private S3 bucket is recommended. This ensures that your access logs are secure and available for analysis when needed.
Steps to log access to AWS S3 bucket and website:
- Create a private S3 bucket to store the access logs if you don't already have one.
Related: How to create private AWS S3 bucket
- Go to S3 section in your AWS Console.
Related: AWS S3 Management Console
- Click on the S3 bucket that you want to log the access to.
- Click on the Properties tab.
- Scroll down to the Server access logging section and click on the Edit button.
- Click on the Enable radio button.
- Click on the Browse S3 button.
- Select the private S3 bucket to store the logs.
- Select path if available and click on Choose path to confirm the selected destination.
The logs will be stored in the root path of the bucket if no path is available and/or selected.
- Click on the Save changes button to implement the access logging changes.
- Go back to the AWS S3 dashboard.
Related: AWS S3 Management Console
- Click on the public bucket with the access logging configured.
- Click on any object in the bucket.
- Click on the URL in the Object URL section to simulate object access.
- Go back to the S3 dashboard.
Related: AWS S3 Management Console
- Click on the bucket that was configured to store the logs.
- Click on any of the generated log files.
The log files are not generated and made available in real-time, so there will be some delay from accessing the objects and for the logs to be available.
- Click on the Download button.
- Save the log file or open using your preferred text editor for analysis.

Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
Comment anonymously. Login not required.