Amazon CloudWatch Events
User Guide

Tutorial: Log S3 Object Level Operations Using CloudWatch Events

You can log the object level API operations on your Amazon S3 buckets. Before Amazon CloudWatch Events can match these events, you must use AWS CloudTrail to set up a trail configured to receive these events.

Step 1: Create an Event Selector

To log data events for an S3 bucket to CloudTrail and CloudWatch Events, configure an event selector. You can add an event selector to an existing trail, or you can create a trail and then add a selector. For more information, see Data Events in the AWS CloudTrail User Guide.

To create a trail

  1. Open the CloudTrail console at

  2. In the navigation pane, choose Trails.

  3. (Optional) If you do not have a trail, you can create one.

    1. Choose Add new trail.

    2. For Trail name, type a name for the trail.

    3. For S3 bucket, type the name for the new bucket where CloudTrail will deliver logs.

    4. Choose Create.

  4. Choose the name of the trail.

  5. Choose the pencil icon next to Event selectors (Optional).

  6. For Data events, select one or more S3 buckets to monitor. To log only the data events for the buckets, choose No for Management events.

  7. Choose Save.

Step 2: Create a Lambda Function

Create a Lambda function to log data events for your S3 buckets. You'll specify this function when you create your rule.

To create a Lambda function

  1. Open the AWS Lambda console at

  2. If you are new to Lambda, you see a welcome page; choose Get Started Now; otherwise, choose Create a Lambda function.

  3. On the Select blueprint page, type hello for the filter, and then choose the hello-world blueprint.

  4. On the Configure triggers page, choose Next.

  5. On the Configure function page, do the following:

    1. Type a name and description for the Lambda function. (For example, name the function "LogS3DataEvents".)

    2. Edit the code for the Lambda function. For example:

      'use strict'; exports.handler = (event, context, callback) => { console.log('LogS3DataEvents'); console.log('Received event:', JSON.stringify(event, null, 2)); callback(null, 'Finished'); };
    3. For Role, choose Choose an existing role and then choose your basic execution role from Existing role. Otherwise, create a new basic execution role.

    4. Choose Next.

  6. On the Review page, choose Create function.

Step 3: Create a Rule

Create a rule to run your Lambda function in response to an S3 data event.

To create a rule

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Events.

  3. Choose Create rule.

  4. For Event source, do the following:

    1. Choose Event Pattern.

    2. Choose Build event pattern to match events by service.

    3. Choose Simple Storage Service (S3) and then choose Object Level Operations.

    4. Choose Specific operation(s) and then choose PutObject.

    5. By default, the rule matches data events for all buckets in the region. To match data events for specific buckets, choose Specify bucket(s) by name and then specify one or more buckets.

                            The Event selector pane
  5. For Targets, choose Add target, and then choose Lambda function.

  6. For Function, select the Lambda function that you created.

  7. Choose Configure details.

  8. For Rule definition, type a name and description for the rule.

  9. Choose Create rule.

Step 4: Test the Rule

To test the rule, put an object in your S3 bucket. You can verify that your Lambda function was invoked.

To view the logs for your Lambda function

  1. Open the CloudWatch console at

  2. In the navigation pane, choose Logs.

  3. Choose the name of the log group for your Lambda function (/aws/lambda/function-name).

  4. Choose the name of log stream to view the data provided by the function for the instance you launched.

You can also check the contents of your CloudTrail logs in the S3 bucket that you specified for your trail. For more information, see Getting and Viewing Your CloudTrail Log Files in the AWS CloudTrail User Guide.