Amazon S3 CloudTrail events - Amazon Simple Storage Service

Amazon S3 CloudTrail events

Important

Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in Amazon CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the Amazon Command Line Interface and Amazon SDKs. For more information, see Default encryption FAQ.

CloudTrail is enabled on your Amazon Web Services account when you create the account. When supported event activity occurs in Amazon S3, that activity is recorded in a CloudTrail event along with other Amazon service events in Event history. You can view, search, and download recent events in your Amazon Web Services account. For more information, see Viewing Events with CloudTrail Event History.

For an ongoing record of events in your Amazon Web Services account, including events for Amazon S3, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root user or IAM user credentials

  • Whether the request was made with temporary security credentials for a role or federated user

  • Whether the request was made by another Amazon Web Service

For more information, see the CloudTrail userIdentity Element.

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 Lifecycle rules to archive or delete log files automatically. By default, your log files are encrypted by using Amazon S3 server-side encryption (SSE).

How CloudTrail captures requests made to Amazon S3

By default, CloudTrail logs S3 bucket-level API calls made in the last 90 days, but does not log requests made to objects. Bucket-level calls include events such as CreateBucket, DeleteBucket, PutBucketLifecycle, PutBucketPolicy, and so on. You can see bucket-level events on the CloudTrail console. However, you can't view data events (Amazon S3 object-level calls) there; you must parse or query CloudTrail logs for them.
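The following added example (not from the page or from AWS) reads a CloudTrail log file in the delivered format (gzipped JSON with a Records list), separates S3 bucket-level management events from object-level data events, and classifies each record's userIdentity according to the three questions listed above (root or IAM user, temporary credentials for a role or federated user, or another Amazon Web Service). The sample records are constructed; the eventName fallback for records without an eventCategory field is an assumption.

```python
import gzip
import json
from collections import Counter

# Constructed sample in the CloudTrail record format: field names are CloudTrail's,
# account IDs, names and keys are made up for this example.
SAMPLE_LOG = {"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "eventCategory": "Data",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/App/s1"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket", "eventCategory": "Management",
     "userIdentity": {"type": "Root"}},
    {"eventSource": "s3express.amazonaws.com", "eventName": "CreateBucket", "eventCategory": "Management",
     "userIdentity": {"type": "FederatedUser"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}},
]}

# userIdentity.type values grouped by the questions the identity block answers.
IDENTITY_CLASSES = {"Root": "root", "IAMUser": "iam-user",
                    "AssumedRole": "temporary-credentials", "FederatedUser": "temporary-credentials",
                    "AWSService": "aws-service", "AWSAccount": "other-aws-account"}

def sample_gz():
    """Stand-in for a downloaded log file: CloudTrail delivers gzipped JSON with a Records list."""
    return gzip.compress(json.dumps(SAMPLE_LOG).encode())

def load_records(gz_bytes):
    return json.loads(gzip.decompress(gz_bytes))["Records"]

def s3_level(record):
    """'bucket-level' (management event), 'object-level' (data event), or None if not S3."""
    if record.get("eventSource") not in ("s3.amazonaws.com", "s3express.amazonaws.com"):
        return None
    category = record.get("eventCategory")
    if category is None:  # assumption: older records lack eventCategory; fall back on the name
        category = "Data" if "Object" in record.get("eventName", "") else "Management"
    return "object-level" if category == "Data" else "bucket-level"

def identity_class(record):
    return IDENTITY_CLASSES.get(record.get("userIdentity", {}).get("type"), "unknown")

def summarize_s3(records):
    """Count S3 records by (eventSource, level, identity class); other services are skipped."""
    counts = Counter()
    for rec in records:
        level = s3_level(rec)
        if level is not None:
            counts[(rec["eventSource"], level, identity_class(rec))] += 1
    return counts
```

Run it over a real log file by passing the file's bytes to load_records; the s3express.amazonaws.com source is kept separate so directory-bucket management events are counted on their own.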

Amazon S3 account-level actions tracked by CloudTrail logging

CloudTrail logs account-level actions. Amazon S3 records are written together with other Amazon Web Service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size.

The tables in this section list the Amazon S3 account-level actions that are supported for logging by CloudTrail.

Amazon S3 account-level API actions tracked by CloudTrail logging appear as the following event names. The CloudTrail event names differ from the API action names. For example, the DeletePublicAccessBlock API action is logged as the DeleteAccountPublicAccessBlock event.

Amazon S3 bucket-level actions that are tracked by CloudTrail logging

By default, CloudTrail logs bucket-level actions for general purpose buckets. Amazon S3 records are written together with other Amazon service records in a log file. CloudTrail determines when to create and write to a new file based on a time period and file size.

This section lists the Amazon S3 bucket-level actions that are supported for logging by CloudTrail.

Amazon S3 bucket-level API actions tracked by CloudTrail logging appear as the following event names. In some cases, the CloudTrail event name differs from the API action name. For example, the PutBucketLifecycleConfiguration API action is logged as the PutBucketLifecycle event.

In addition to these API operations, you can also use the OPTIONS object action. Although it is an object-level action, CloudTrail logs it as a bucket-level action because the action checks the CORS configuration of a bucket.

S3 Express One Zone bucket-level (Regional API endpoint) actions tracked by CloudTrail logging

By default, CloudTrail logs bucket-level actions for directory buckets as management events. The eventSource value in CloudTrail management events for S3 Express One Zone is s3express.amazonaws.com.

Note

For S3 Express One Zone, CloudTrail logging of Zonal endpoint (object-level, or data plane) API operations (for example, PutObject or GetObject) is not supported.

The following Regional endpoint API operations are logged to CloudTrail.

For more information, see Security best practices for S3 Express One Zone.

Amazon S3 object-level actions that are tracked by Amazon CloudTrail logging

You can also get CloudTrail logs for object-level Amazon S3 actions. To do this, enable data events for your S3 bucket or all buckets in your account. When an object-level action occurs in your account, CloudTrail evaluates your trail settings. If the event matches the object that you specified in a trail, the event is logged. For more information, see Enabling CloudTrail event logging for S3 buckets and objects and Logging Data Events for Trails in the Amazon CloudTrail User Guide.
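As an added example (not AWS's own code), the block below builds the data-event selector that enabling object-level logging for one bucket, several buckets, or every bucket in the account requires, and then applies the rule stated above (an object-level event is logged only if the object matches a resource configured in the trail) to decide whether a given request would be logged. The arn:aws:s3 all-buckets value and the arn:aws:s3:::bucket/ form follow CloudTrail's PutEventSelectors documentation; treating the match as a prefix test on the object ARN is an assumption made for this example, and enable_s3_data_events assumes boto3 is installed and credentials are available.

```python
ALL_S3_OBJECTS = "arn:aws:s3"  # CloudTrail's value for all objects in all buckets of the account
S3_OBJECT_TYPE = "AWS::S3::Object"

def s3_data_event_selectors(bucket_names=None, read_write_type="All", management_events=True):
    """Build the EventSelectors value for CloudTrail's PutEventSelectors API.

    bucket_names=None selects every bucket in the account; otherwise each bucket is
    matched by 'arn:aws:s3:::bucket/' (the form CloudTrail documents). In the prefix
    model below the trailing slash keeps 'bucket' from also matching 'bucket2'.
    """
    if read_write_type not in ("ReadOnly", "WriteOnly", "All"):
        raise ValueError("read_write_type must be ReadOnly, WriteOnly or All")
    values = [ALL_S3_OBJECTS] if bucket_names is None else [f"arn:aws:s3:::{b}/" for b in bucket_names]
    return [{"ReadWriteType": read_write_type,
             "IncludeManagementEvents": management_events,
             "DataResources": [{"Type": S3_OBJECT_TYPE, "Values": values}]}]

def object_event_is_logged(selectors, bucket, key, is_write):
    """Would a trail with these selectors log a data event for this object request?

    Assumption: the object ARN is prefix-matched against each Values entry after the
    selector's ReadWriteType filter has been applied.
    """
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for sel in selectors:
        rw = sel.get("ReadWriteType", "All")
        if (rw == "ReadOnly" and is_write) or (rw == "WriteOnly" and not is_write):
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") == S3_OBJECT_TYPE and any(arn.startswith(p) for p in res.get("Values", [])):
                return True
    return False

def enable_s3_data_events(trail_name, bucket_names=None, client=None):
    """Apply the selectors to an existing trail. Needs AWS credentials; not exercised offline."""
    import boto3  # assumption: boto3 is installed
    client = client or boto3.client("cloudtrail")
    return client.put_event_selectors(TrailName=trail_name,
                                      EventSelectors=s3_data_event_selectors(bucket_names))
```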

Note

S3 doesn't support the delivery of CloudTrail logs to the requester or the bucket owner for VPC endpoint requests when the VPC endpoint policy denies them.

Amazon S3 object-level API actions tracked by CloudTrail logging appear as the following event names. In some cases, the CloudTrail event name differs from the API action name.

Object-level actions in cross-account scenarios

The following are special use cases involving the object-level API calls in cross-account scenarios and how CloudTrail logs are reported. CloudTrail delivers logs to the requester (the account that made the API call), except in some access denied cases where log entries are redacted or omitted. When setting up cross-account access, consider the examples in this section.

Note

The examples assume that CloudTrail logs are appropriately configured.

Example 1: CloudTrail delivers logs to the bucket owner

CloudTrail delivers logs to the bucket owner even if the bucket owner does not have permissions for the same object API operation. Consider the following cross-account scenario:

  • Account A owns the bucket.

  • Account B (the requester) tries to access an object in that bucket.

  • Account C owns the object. Account C might or might not be the same account as Account A.

Note

CloudTrail always delivers object-level API logs to the requester (Account B). In addition, CloudTrail also delivers the same logs to the bucket owner (Account A) even when the bucket owner does not own the object (Account C) or have permissions for those same API operations on that object.

Example 2: CloudTrail does not propagate email addresses that are used in setting object ACLs

Consider the following cross-account scenario:

  • Account A owns the bucket.

  • Account B (the requester) sends a request to set an object ACL grant by using an email address. For more information about ACLs, see Access control list (ACL) overview.

The requester gets the logs along with the email information. The bucket owner (if eligible to receive logs, as in Example 1) also gets the CloudTrail log reporting the event, but without the ACL configuration information, specifically the grantee email address and the grant. The only information that the log tells the bucket owner is that an ACL API call was made by Account B.
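To show what Example 1 and Example 2 mean for whoever reads the logs, the following added example (not from the page or from AWS) constructs the requester's and the bucket owner's copies of one PutObjectAcl event and reviews them: a finding that is cross-account but carries no grants is the bucket owner's view, and the grantee can only be recovered from the requester account's own trail. The userIdentity.accountId and recipientAccountId fields are real CloudTrail fields; the AccessControlPolicy layout under requestParameters, the account IDs, names and addresses are assumed for this example.

```python
# Constructed sample: the two copies of one PutObjectAcl request as Example 2 describes
# them. Field names are CloudTrail's; the AccessControlPolicy layout under
# requestParameters, the account IDs, names and addresses are assumed for this example.
REQUESTER_COPY = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutObjectAcl",
    "recipientAccountId": "222222222222",  # Account B, the requester, receives this copy
    "userIdentity": {"type": "IAMUser", "accountId": "222222222222"},
    "requestParameters": {
        "bucketName": "shared-bucket", "key": "report.csv",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"type": "AmazonCustomerByEmail", "EmailAddress": "user@example.com"},
             "Permission": "READ"}]}}},
}
BUCKET_OWNER_COPY = {
    "eventSource": "s3.amazonaws.com", "eventName": "PutObjectAcl",
    "recipientAccountId": "111111111111",  # Account A, the bucket owner, receives this copy
    "userIdentity": {"type": "IAMUser", "accountId": "222222222222"},
    "requestParameters": {"bucketName": "shared-bucket", "key": "report.csv"},
}

def is_cross_account(record):
    """True when the calling account is not the account that received the log entry."""
    return record.get("userIdentity", {}).get("accountId") != record.get("recipientAccountId")

def acl_grants(record):
    """Grants carried in this copy of the record, or [] when the copy omits them."""
    policy = record.get("requestParameters", {}).get("AccessControlPolicy", {})
    return policy.get("AccessControlList", {}).get("Grant", [])

def review_object_acl_changes(records):
    """One finding per PutObjectAcl record: who called, whether it was cross-account,
    and whether this copy shows the grants. A cross-account finding without grants is
    the bucket owner's view; the grantee can only be recovered from the requester's trail."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutObjectAcl":
            continue
        params = rec.get("requestParameters", {})
        findings.append({
            "object": f"{params.get('bucketName')}/{params.get('key', '')}",
            "caller_account": rec.get("userIdentity", {}).get("accountId"),
            "cross_account": is_cross_account(rec),
            "grants_visible": bool(acl_grants(rec)),
        })
    return findings
```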