# Monitoring and logging access points
<a name="access-points-monitoring-logging"></a>

Amazon S3 logs requests made through access points and requests made to the API operations that manage access points, such as `CreateAccessPoint` and `GetAccessPointPolicy`. To monitor and manage usage patterns, you can also configure Amazon CloudWatch Logs request metrics for access points. 

**Topics**
+ [CloudWatch request metrics](#request-metrics-access-points)
+ [Amazon CloudTrail logs for requests made through access points](#logging-access-points)

## CloudWatch request metrics
<a name="request-metrics-access-points"></a>

To understand and improve the performance of applications that are using access points, you can use CloudWatch for Amazon S3 request metrics. Request metrics help you monitor Amazon S3 requests to quickly identify and act on operational issues. 

By default, request metrics are available at the bucket level. However, you can define a filter for request metrics using a shared prefix, object tags, or an access point. When you create an access point filter, the request metrics configuration includes requests to the access point that you specify. You can receive metrics, set alarms, and access dashboards to view real-time operations performed through this access point. 

You must opt in to request metrics by configuring them in the console or by using the Amazon S3 API. Request metrics are available at 1-minute intervals after some latency for processing. Request metrics are billed at the same rate as CloudWatch custom metrics. For more information, see [Amazon CloudWatch pricing](https://www.amazonaws.cn/cloudwatch/pricing/).

To create a request metrics configuration that filters by access point, see [Creating a metrics configuration that filters by prefix, object tag, or access point](metrics-configurations-filter.md). 

## Amazon CloudTrail logs for requests made through access points
<a name="logging-access-points"></a>

You can log requests made through access points and requests made to the APIs that manage access points, such as `CreateAccessPoint` and `GetAccessPointPolicy,` by using server access logging and Amazon CloudTrail. 



CloudTrail log entries for requests made through access points include the access point ARN in the `resources` section of the log.

For example, suppose you have the following configuration: 
+ A bucket named *`amzn-s3-demo-bucket1`* in Region *`us-west-2`* that contains an object named *`my-image.jpg`*
+ An access point named *`my-bucket-ap`* that is associated with *`amzn-s3-demo-bucket1`*
+ An Amazon Web Services account ID of *`123456789012`*

The following example shows the `resources` section of a CloudTrail log entry for the preceding configuration:

```
"resources": [
        {"type": "AWS::S3::Object",
            "ARN": "arn:aws-cn:s3:::amzn-s3-demo-bucket1/my-image.jpg"
        },
        {"accountId": "123456789012",
            "type": "AWS::S3::Bucket",
            "ARN": "arn:aws-cn:s3:::amzn-s3-demo-bucket1"
        },
        {"accountId": "123456789012",
            "type": "AWS::S3::AccessPoint",
            "ARN": "arn:aws-cn:s3:us-west-2:123456789012:accesspoint/my-bucket-ap"
        }
    ]
```

If you are using an access point attached to a volume on an Amazon FSx file system, the `resources` section of a CloudTrail log entry will look different. For example:

```
"resources": [
        {
            "accountId": "123456789012",
            "type": "AWS::FSx::Volume",
            "ARN": "arn:aws-cn:fsx:us-east-1:123456789012:volume/fs-0123456789abcdef9/fsvol-01234567891112223"
        }
    ]
```

For more information about S3 Server Access Logs, see [Logging requests with server access logging](ServerLogs.md). For more information about Amazon CloudTrail, see [What is Amazon CloudTrail?](https://docs.amazonaws.cn/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) in the *Amazon CloudTrail User Guide*.