Amazon CloudWatch Events
User Guide

Tutorial: Log S3 Object Level Operations Using CloudWatch Events

You can log the object level API operations on your Amazon S3 buckets. Before Amazon CloudWatch Events can match these events, you must use AWS CloudTrail to set up a trail configured to receive these events.

Step 1: Configure your CloudTrail trail

To log data events for an Amazon S3 bucket to CloudTrail and CloudWatch Events, create a trail. A trail captures API calls and related events in your account and delivers the log files to an Amazon S3 bucket that you specify. You can update an existing trail or create a new one.

To create a trail

  1. Open the CloudTrail console at

  2. In the navigation pane, choose Trails.

  3. choose Add new trail

  4. For Trail name, type a name for the trail.

  5. For Data events, type the bucket name and prefix (optional). For each trail, you can add up to 250 Amazon S3 objects.

    • To log data events for all Amazon S3 objects in a bucket, specify an S3 bucket and an empty prefix. When an event occurs on an object in that bucket, the trail processes and logs the event.

    • To log data events for specific Amazon S3 objects, specify an Amazon S3 bucket and the object prefix. When an event occurs on an object in that bucket and the object starts with the specified prefix, the trail processes and logs the event.

  6. For each resource, specify whether you want to log Read-only, Write-only, or All events.

  7. For Storage location, create or choose an existing Amazon S3 bucket to designate for log file storage.

  8. Choose Create.

For more information, see Data Events in the AWS CloudTrail User Guide.

Step 2: Create a Lambda Function

Create a Lambda function to log data events for your S3 buckets. You'll specify this function when you create your rule.

To create a Lambda function

  1. Open the AWS Lambda console at

  2. If you are new to Lambda, you see a welcome page; choose Get Started Now; otherwise, choose Create a Lambda function.

  3. On the Select blueprint page, type hello for the filter, and then choose the hello-world blueprint.

  4. On the Configure triggers page, choose Next.

  5. On the Configure function page, do the following:

    1. Type a name and description for the Lambda function. (For example, name the function "LogS3DataEvents".)

    2. Edit the code for the Lambda function. For example:

      'use strict'; exports.handler = (event, context, callback) => { console.log('LogS3DataEvents'); console.log('Received event:', JSON.stringify(event, null, 2)); callback(null, 'Finished'); };
    3. For Role, choose Choose an existing role and then choose your basic execution role from Existing role. Otherwise, create a new basic execution role.

    4. Choose Next.

  6. On the Review page, choose Create function.

Step 3: Create a Rule

Create a rule to run your Lambda function in response to an S3 data event.

To create a rule

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Events.

  3. Choose Create rule.

  4. For Event source, do the following:

    1. Choose Event Pattern.

    2. Choose Build event pattern to match events by service.

    3. Choose Simple Storage Service (S3) and then choose Object Level Operations.

    4. Choose Specific operation(s) and then choose PutObject.

    5. By default, the rule matches data events for all buckets in the region. To match data events for specific buckets, choose Specify bucket(s) by name and then specify one or more buckets.

                            The Event selector pane
  5. For Targets, choose Add target, and then choose Lambda function.

  6. For Function, select the Lambda function that you created.

  7. Choose Configure details.

  8. For Rule definition, type a name and description for the rule.

  9. Choose Create rule.

Step 4: Test the Rule

To test the rule, put an object in your S3 bucket. You can verify that your Lambda function was invoked.

To view the logs for your Lambda function

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Logs.

  3. Choose the name of the log group for your Lambda function (/aws/lambda/function-name).

  4. Choose the name of log stream to view the data provided by the function for the instance you launched.

You can also check the contents of your CloudTrail logs in the S3 bucket that you specified for your trail. For more information, see Getting and Viewing Your CloudTrail Log Files in the AWS CloudTrail User Guide.