CloudTrail log file entries for Amazon S3 and S3 on Outposts
Important
Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance. The automatic encryption status for S3 bucket default encryption configuration and for new object uploads is available in Amazon CloudTrail logs, S3 Inventory, S3 Storage Lens, the Amazon S3 console, and as an additional Amazon S3 API response header in the Amazon Command Line Interface and Amazon SDKs. For more information, see Default encryption FAQ.
An event represents a single request from any source and includes information about the requested API operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.
Note
To view CloudTrail log file examples for Amazon S3 Express One Zone, see CloudTrail log file examples for S3 Express One Zone.
For more information, see the following examples.
Topics
Example: CloudTrail log file entry for Amazon S3
The following example shows a CloudTrail log entry that demonstrates the GET Service, PutBucketAcl, and GetBucketVersioning actions.
{ "Records": [ { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "111122223333", "arn": "arn:aws-cn:iam::111122223333:user/myUserName", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "myUserName" }, "eventTime": "2019-02-01T03:18:19Z", "eventSource": "s3.amazonaws.com.cn", "eventName": "ListBuckets", "awsRegion": "us-west-2", "sourceIPAddress": "127.0.0.1", "userAgent": "[]", "requestParameters": { "host": [ "s3.us-west-2.amazonaws.com.cn" ] }, "responseElements": null, "additionalEventData": { "SignatureVersion": "SigV2", "AuthenticationMethod": "QueryString", "aclRequired": "Yes" }, "requestID": "47B8E8D397DCE7A6", "eventID": "cdc4b7ed-e171-4cef-975a-ad829d4123e8", "eventType": "AwsApiCall", "recipientAccountId": "444455556666", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.amazonaws.com" } }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "111122223333", "arn": "arn:aws-cn:iam::111122223333:user/myUserName", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "myUserName" }, "eventTime": "2019-02-01T03:22:33Z", "eventSource": "s3.amazonaws.com.cn", "eventName": "PutBucketAcl", "awsRegion": "us-west-2", "sourceIPAddress": "", "userAgent": "[]", "requestParameters": { "bucketName": "", "AccessControlPolicy": { "AccessControlList": { "Grant": { "Grantee": { "xsi:type": "CanonicalUser", "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance", "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example" }, "Permission": "FULL_CONTROL" } }, "xmlns": "http://s3.amazonaws.com.cn/doc/2006-03-01/", "Owner": { "ID": "d25639fbe9c19cd30a4c0f43fbf00e2d3f96400a9aa8dabfbbebe1906Example" } }, "host": [ "s3.us-west-2.amazonaws.com.cn" ], "acl": [ "" ] }, "responseElements": null, "additionalEventData": { "SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-SHA", "AuthenticationMethod": "AuthHeader" }, "requestID": "BD8798EACDD16751", "eventID": "607b9532-1423-41c7-b048-ec2641693c47", "eventType": "AwsApiCall", "recipientAccountId": "111122223333", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.amazonaws.com" } }, { "eventVersion": "1.03", "userIdentity": { "type": "IAMUser", "principalId": "111122223333", "arn": "arn:aws-cn:iam::111122223333:user/myUserName", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "myUserName" }, "eventTime": "2019-02-01T03:26:37Z", "eventSource": "s3.amazonaws.com.cn", "eventName": "GetBucketVersioning", "awsRegion": "us-west-2", "sourceIPAddress": "", "userAgent": "[]", "requestParameters": { "host": [ "s3.us-west-2.amazonaws.com.cn" ], "bucketName": "DOC-EXAMPLE-BUCKET1", "versioning": [ "" ] }, "responseElements": null, "additionalEventData": { "SignatureVersion": "SigV4", "CipherSuite": "ECDHE-RSA-AES128-SHA", "AuthenticationMethod": "AuthHeader" }, "requestID": "07D681279BD94AED", "eventID": "f2b287f3-0df1-4961-a2f4-c4bdfed47657", "eventType": "AwsApiCall", "recipientAccountId": "111122223333", "tlsDetails": { "tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.amazonaws.com" } } ] }
Example: Amazon S3 on Outposts log file entries
Amazon S3 on Outposts management events are available via Amazon CloudTrail. For more information, see Logging Amazon S3 API calls using Amazon CloudTrail. In addition, you can optionally enable logging for data events in Amazon CloudTrail.
A trail is a configuration that enables
delivery of events as log files to an S3 bucket in a Region that you specify.
CloudTrail logs for your Outposts buckets include a new field,
edgeDeviceDetails, which identifies the Outpost where the
specified bucket is located.
Additional log fields include the requested action, the date and time of the action, and the request parameters. CloudTrail log files are not an ordered stack trace of the public API calls, so they don't appear in any specific order.
The following example shows a CloudTrail log entry that demonstrates a PutObject action on
s3-outposts.
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "111122223333", "arn": "arn:aws-cn:iam::111122223333:user/yourUserName", "accountId": "222222222222", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "yourUserName" }, "eventTime": "2020-11-30T15:44:33Z", "eventSource": "s3-outposts.amazonaws.com.cn", "eventName": "PutObject", "awsRegion": "us-east-1", "sourceIPAddress": "26.29.66.20", "userAgent": "aws-cli/1.18.39 Python/3.4.10 Darwin/18.7.0 botocore/1.15.39", "requestParameters": { "expires": "Wed, 21 Oct 2020 07:28:00 GMT", "Content-Language": "english", "x-amz-server-side-encryption-customer-key-MD5": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "ObjectCannedACL": "BucketOwnerFullControl", "x-amz-server-side-encryption": "Aes256", "Content-Encoding": "gzip", "Content-Length": "10", "Cache-Control": "no-cache", "Content-Type": "text/html; charset=UTF-8", "Content-Disposition": "attachment", "Content-MD5": "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY", "x-amz-storage-class": "Outposts", "x-amz-server-side-encryption-customer-algorithm": "Aes256", "bucketName": "", "Key": "path/upload.sh" }, "responseElements": { "x-amz-server-side-encryption-customer-key-MD5": "DOC-EXAMPLE-BUCKET1wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "x-amz-server-side-encryption": "Aes256", "x-amz-version-id": "001", "x-amz-server-side-encryption-customer-algorithm": "Aes256", "ETag": "d41d8cd98f00b204e9800998ecf8427f" }, "additionalEventData": { "CipherSuite": "ECDHE-RSA-AES128-SHA", "bytesTransferredIn": 10, "x-amz-id-2": "29xXQBV2O+xOHKItvzY1suLv1i6A52E0zOX159fpfsItYd58JhXwKxXAXI4IQkp6", "SignatureVersion": "SigV4", "bytesTransferredOut": 20, "AuthenticationMethod": "AuthHeader" }, "requestID": "8E96D972160306FA", "eventID": "ee3b4e0c-ab12-459b-9998-0a5a6f2e4015", "readOnly": false, "resources": [ { "accountId": "222222222222", "type": "AWS::S3Outposts::Object", "ARN": "arn:aws-cn:s3-outposts:us-east-1:YYY:outpost/op-01ac5d28a6a232904/bucket/path/upload.sh" }, { "accountId": "222222222222", "type": "AWS::S3Outposts::Bucket", "ARN": "arn:aws-cn:s3-outposts:us-east-1:YYY:outpost/op-01ac5d28a6a232904/bucket/" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "444455556666", "sharedEventID": "02759a4c-c040-4758-b84b-7cbaaf17747a", "edgeDeviceDetails": { "type": "outposts", "deviceId": "op-01ac5d28a6a232904" }, "eventCategory": "Data" }