Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
AWS services or features described in AWS documentation may vary by Region. See Getting Started with Amazon AWS for the specific differences that apply to the China (Beijing) Region.

Enabling Logging Programmatically

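You can enable or disable logging programmatically by using either the Amazon S3 API or the AWS SDKs. To do so, you both enable logging on the bucket and grant the Log Delivery group permission to write logs to the target bucket.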

Enabling Logging

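To enable logging, submit a PUT Bucket logging request to add the logging configuration on the source bucket. The request specifies the target bucket and, optionally, the prefix to be used for all log object keys. The following example identifies logbucket as the target bucket and logs/ as the prefix.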

    <BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01">
      <LoggingEnabled>
        <TargetBucket>logbucket</TargetBucket>
        <TargetPrefix>logs/</TargetPrefix>
      </LoggingEnabled>
    </BucketLoggingStatus>

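The log objects are written and owned by the Log Delivery account, and the bucket owner is granted full permissions on the log objects. In addition, you can optionally grant permissions to other users so that they can access the logs. For more information, see PUT Bucket logging.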

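Amazon S3 also provides the GET Bucket logging API to retrieve the logging configuration on a bucket. To delete the logging configuration, send a PUT Bucket logging request with an empty <BucketLoggingStatus>.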

    <BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01">
    </BucketLoggingStatus>

You can use either the Amazon S3 API or the AWS SDK wrapper libraries to enable logging on a bucket.

Granting the Log Delivery Group WRITE and READ_ACP Permissions

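Amazon S3 writes the log files to the target bucket as a member of the predefined Amazon S3 group Log Delivery. These writes are subject to the usual access control restrictions. You must grant this group s3:GetObjectAcl and s3:PutObject permissions by adding grants to the access control list (ACL) of the target bucket. The Log Delivery group is represented by the following URL.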

http://acs.amazonaws.com/groups/s3/LogDelivery

To grant WRITE and READ_ACP permissions, you must add the following grants. For information about ACLs, see Managing Access with ACLs.

    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
      </Grantee>
      <Permission>READ_ACP</Permission>
    </Grant>

For examples of adding ACL grants programmatically using the AWS SDKs, see Managing ACLs Using the AWS SDK for Java and Managing ACLs Using the AWS SDK for .NET.
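The following check is an added example, not part of the original guide or of AWS sample code: it parses a bucket logging status document and a target-bucket ACL document and reports whether logging is enabled and which of the WRITE and READ_ACP grants the Log Delivery group is missing. The function names, the AccessControlList wrapper element, and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

LOG_DELIVERY_URI = "http://acs.amazonaws.com/groups/s3/LogDelivery"
REQUIRED = {"WRITE", "READ_ACP"}

def _local(tag):
    # Drop any "{namespace}" prefix so documents with or without xmlns both match.
    return tag.rsplit("}", 1)[-1]

def _first(elem, name):
    # First element (elem itself or a descendant) whose local tag is `name`, or None.
    return next((e for e in elem.iter() if _local(e.tag) == name), None)

def _text(elem):
    return (elem.text or "").strip() if elem is not None else ""

def logging_target(status_xml):
    """Return (target_bucket, prefix), or None when logging is not enabled."""
    enabled = _first(ET.fromstring(status_xml), "LoggingEnabled")
    bucket = _text(_first(enabled, "TargetBucket")) if enabled is not None else ""
    if not bucket:
        return None  # an empty <BucketLoggingStatus> means logging is off
    return bucket, _text(_first(enabled, "TargetPrefix"))

def missing_log_delivery_grants(acl_xml):
    """Return the required permissions the Log Delivery group does not hold."""
    held = set()
    for grant in ET.fromstring(acl_xml).iter():
        if _local(grant.tag) == "Grant" and _text(_first(grant, "URI")) == LOG_DELIVERY_URI:
            held.add(_text(_first(grant, "Permission")))
    if "FULL_CONTROL" in held:  # FULL_CONTROL includes WRITE and READ_ACP
        return set()
    return REQUIRED - held

# Constructed sample documents (not captured from a real bucket).
ENABLED = ('<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01">'
           "<LoggingEnabled><TargetBucket>logbucket</TargetBucket>"
           "<TargetPrefix>logs/</TargetPrefix></LoggingEnabled></BucketLoggingStatus>")
DISABLED = '<BucketLoggingStatus xmlns="http://doc.s3.amazonaws.com/2006-03-01"/>'
GRANT = ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
         'xsi:type="Group"><URI>' + LOG_DELIVERY_URI + "</URI></Grantee>"
         "<Permission>{}</Permission></Grant>")
ACL_WRITE_ONLY = "<AccessControlList>" + GRANT.format("WRITE") + "</AccessControlList>"
ACL_COMPLETE = ("<AccessControlList>" + GRANT.format("WRITE")
                + GRANT.format("READ_ACP") + "</AccessControlList>")

if __name__ == "__main__":
    print(logging_target(ENABLED), logging_target(DISABLED))
    print(missing_log_delivery_grants(ACL_WRITE_ONLY))
```

A non-empty result from missing_log_delivery_grants means the target bucket ACL lacks one of the two grants listed above for the Log Delivery group.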

Example: AWS SDK for .NET

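The following C# example enables logging on a bucket. You need to create two buckets, a source bucket and a target bucket. The example first grants the Log Delivery group the permissions it needs to write logs to the target bucket, and then enables logging on the source bucket. For more information, see Enabling Logging Programmatically. For instructions on how to create and test a working sample, see Running the Amazon S3 .NET Code Examples.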

    using System;
    using Amazon.S3;
    using Amazon.S3.Model;

    namespace s3.amazon.com.docsamples
    {
        class ServerAccesLogging
        {
            static string sourceBucket = "*** Provide bucket name ***"; // On which to enable logging.
            static string targetBucket = "*** Provide bucket name ***"; // Where access logs can be stored.
            static string logObjectKeyPrefix = "Logs";
            static IAmazonS3 client;

            public static void Main(string[] args)
            {
                using (client = new AmazonS3Client(Amazon.RegionEndpoint.USEast1))
                {
                    Console.WriteLine("Enabling logging on source bucket...");
                    try
                    {
                        // Step 1 - Grant Log Delivery group permission to write log to the target bucket.
                        GrantLogDeliveryPermissionToWriteLogsInTargetBucket();
                        // Step 2 - Enable logging on the source bucket.
                        EnableDisableLogging();
                    }
                    catch (AmazonS3Exception amazonS3Exception)
                    {
                        if (amazonS3Exception.ErrorCode != null &&
                            (amazonS3Exception.ErrorCode.Equals("InvalidAccessKeyId") ||
                             amazonS3Exception.ErrorCode.Equals("InvalidSecurity")))
                        {
                            Console.WriteLine("Check the provided AWS Credentials.");
                            Console.WriteLine(
                                "To sign up for service, go to http://aws.amazon.com/s3");
                        }
                        else
                        {
                            Console.WriteLine(
                                "Error occurred. Message:'{0}' when enabling logging",
                                amazonS3Exception.Message);
                        }
                    }
                }

                Console.WriteLine("Press any key to continue...");
                Console.ReadKey();
            }

            static void GrantLogDeliveryPermissionToWriteLogsInTargetBucket()
            {
                // Start from the target bucket's existing ACL so current grants are preserved.
                S3AccessControlList bucketACL = new S3AccessControlList();
                GetACLResponse aclResponse = client.GetACL(new GetACLRequest { BucketName = targetBucket });
                bucketACL = aclResponse.AccessControlList;

                // Add the two grants the Log Delivery group needs: WRITE and READ_ACP.
                bucketACL.AddGrant(new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" }, S3Permission.WRITE);
                bucketACL.AddGrant(new S3Grantee { URI = "http://acs.amazonaws.com/groups/s3/LogDelivery" }, S3Permission.READ_ACP);

                // Write the updated ACL back to the target bucket.
                PutACLRequest setACLRequest = new PutACLRequest
                {
                    AccessControlList = bucketACL,
                    BucketName = targetBucket
                };
                client.PutACL(setACLRequest);
            }

            static void EnableDisableLogging()
            {
                // Logging configuration: where the logs go and the key prefix to use.
                S3BucketLoggingConfig loggingConfig = new S3BucketLoggingConfig
                {
                    TargetBucketName = targetBucket,
                    TargetPrefix = logObjectKeyPrefix
                };

                // Send request.
                PutBucketLoggingRequest putBucketLoggingRequest = new PutBucketLoggingRequest
                {
                    BucketName = sourceBucket,
                    LoggingConfig = loggingConfig
                };
                PutBucketLoggingResponse response = client.PutBucketLogging(putBucketLoggingRequest);
            }
        }
    }