Logging and monitoring in Amazon S3
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon S3 and your Amazon solutions. We recommend collecting monitoring data from all of the parts of your Amazon solution so that you can more easily debug a multipoint failure if one occurs. Before you start monitoring Amazon S3, create a monitoring plan that includes answers to the following questions:
-
What are your monitoring goals?
-
What resources will you monitor?
-
How often will you monitor these resources?
-
What monitoring tools will you use?
-
Who will perform the monitoring tasks?
-
Who should be notified when something goes wrong?
For more information about logging and monitoring in Amazon S3, see the following topics.
Note
For more information about using the Amazon S3 Express One Zone storage class with directory buckets, see S3 Express One Zone and Working with directory buckets.
Monitoring is an important part of maintaining the reliability, availability, and performance of Amazon S3 and your Amazon solutions. You should collect monitoring data from all of the parts of your Amazon solution so that you can more easily debug a multi-point failure if one occurs. Amazon provides several tools for monitoring your Amazon S3 resources and responding to potential incidents.
- Amazon CloudWatch Alarms
Using Amazon CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon SNS topic or Amazon Auto Scaling policy. CloudWatch alarms do not invoke actions because they are in a particular state. Rather the state must have changed and been maintained for a specified number of periods. For more information, see Monitoring metrics with Amazon CloudWatch.
- Amazon CloudTrail Logs
CloudTrail provides a record of actions taken by a user, role, or an Amazon service in Amazon S3. Using the information collected by CloudTrail, you can determine the request that was made to Amazon S3, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see Logging Amazon S3 API calls using Amazon CloudTrail.
- Amazon GuardDuty
-
Amazon GuardDuty is a threat detection service that continuously monitors your accounts, containers, workloads, and the data within your Amazon environment to identify potential threats or security risks to your S3 buckets. GuardDuty also provides rich context about the threats that it detects. GuardDuty monitors Amazon CloudTrail management logs for threats and surfaces security relevant information. For example, GuardDuty will include factors of an API request, such as the user that made the request, the location the request was made from, and the specific API requested, that could be unusual in your environment. GuardDuty S3 Protection monitors the S3 data events collected by CloudTrail and identifies potentially anomalous and malicious behavior in all the S3 buckets in your environment.
- Amazon S3 Access Logs
Server access logs provide detailed records about requests that are made to a bucket. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. For more information, see Logging requests with server access logging.
- Amazon Trusted Advisor
Trusted Advisor draws upon best practices learned from serving hundreds of thousands of Amazon customers. Trusted Advisor inspects your Amazon environment and then makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. All Amazon customers have access to five Trusted Advisor checks. Customers with a Business or Enterprise support plan can view all Trusted Advisor checks.
Trusted Advisor has the following Amazon S3-related checks:
Logging configuration of Amazon S3 buckets.
Security checks for Amazon S3 buckets that have open access permissions.
Fault tolerance checks for Amazon S3 buckets that don't have versioning enabled, or have versioning suspended.
For more information, see Amazon Trusted Advisor in the Amazon Web Services Support User Guide.
The following security best practices also address logging and monitoring:
Topics
- Monitoring tools
- Logging options for Amazon S3
- Logging Amazon S3 API calls using Amazon CloudTrail
- Logging requests with server access logging
- Monitoring metrics with Amazon CloudWatch
- Amazon S3 Event Notifications
- Assessing your storage activity and usage with Amazon S3 Storage Lens
- Cataloging and analyzing your data with S3 Inventory