Amazon Simple Storage Service
Console User Guide

How Do I Configure Amazon S3 Inventory?

Amazon S3 inventory provides a flat file list of your objects and metadata, which is a scheduled alternative to the Amazon S3 synchronous List API operation. Amazon S3 inventory provides comma-separated values (CSV) or Apache optimized row columnar (ORC) output files that list your objects and their corresponding metadata on a daily or weekly basis for an S3 bucket or for objects that share a prefix (objects that have names that begin with the same string). For more information, see Amazon S3 Inventory in the Amazon Simple Storage Service Developer Guide.

To configure inventory

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Bucket name list, choose the name of the bucket for which you want to configure Amazon S3 inventory.

    
  3. Choose the Management tab, and then choose Inventory.

    
  4. Choose Add new if you do not have any inventory reports enabled.

    
  5. Type a name for the inventory and set it up as follows:

    • Optionally, add a prefix for your filter to inventory only objects whose names begin with the same string.

    • Choose the destination bucket where you want reports to be saved. The destination bucket must be in the same AWS Region as the bucket for which you are setting up the inventory. The destination bucket can be in a different AWS account.

    • Optionally, choose a prefix for the destination bucket.

    • Choose how frequently to generate the inventory.

    
  6. Under Advanced settings, you can set the following:

    1. Choose either the CSV or ORC output file format for your inventory. For more information about these formats, see Amazon S3 Inventory in the Amazon Simple Storage Service Developer Guide.

      
    2. To include all versions of the objects in the inventory, choose Include all versions in the Object versions list. By default, the inventory includes only the current versions of the objects.

    3. For Optional fields, select one or more of the following to add to the inventory report:

      • Size – Object size in bytes.

      • Last modified date – Object creation date or the last modified date, whichever is the latest.

      • Storage class – Storage class used for storing the object.

      • ETag – The entity tag is a hash of the object. The ETag reflects changes only to the contents of an object, and not its metadata. The ETag may or may not be an MD5 digest of the object data. Whether it is depends on how the object was created and how it is encrypted.

      • Replication status – The cross-region replication status of the object. For more information, see How Do I Add a Cross-Region Replication (CRR) Rule to an S3 Bucket?

      • Encryption status – The server-side encryption used to encrypt the object. For more information, see Protecting Data Using Server-Side Encryption in the Amazon Simple Storage Service Developer Guide.

      For more information about the contents of an inventory report, see What's Included in an Amazon S3 Inventory? in the Amazon Simple Storage Service Developer Guide.

    4. For Encryption, choose a server-side encryption option to encrypt the inventory report, or choose None:

      • None – Do not encrypt the inventory report.

      • AES-256 – Encrypt the inventory report using server-side encryption with Amazon S3-managed keys (SSE-S3). Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256). For more information, see Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon Simple Storage Service Developer Guide.

      • AWS-KMS – Encrypt the report using server-side encryption with AWS KMS-managed keys (SSE-KMS). For more information, see AWS KMS–Managed Keys (SSE-KMS) in the Amazon Simple Storage Service Developer Guide.

        Note

        To encrypt the inventory list file with SSE-KMS, you must grant Amazon S3 permission to use the AWS KMS key. For instructions, see Grant Amazon S3 Permission to Encrypt Using Your AWS KMS Key.

  7. Choose Save.

Destination Bucket Policy

Amazon S3 creates a bucket policy on the destination bucket that grants Amazon S3 write permission. This allows Amazon S3 to write data for the inventory reports to the bucket.

If an error occurs when you try to create the bucket policy, you are given instructions on how to fix it. For example, if you choose a destination bucket in another AWS account and don't have permissions to read and write to the bucket policy, you see the following message.


Screenshot: a message showing that inventory is successfully saved and another showing a bucket policy error.

In this case, the destination bucket owner must add the displayed bucket policy to the destination bucket. If the policy is not added to the destination bucket, you won’t get an inventory report because Amazon S3 doesn’t have permission to write to the destination bucket. If the source bucket is owned by a different account than that of the current user, the correct account ID of the source bucket must be substituted in the policy.

For more information, see Amazon S3 Inventory in the Amazon Simple Storage Service Developer Guide.
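A check the destination bucket owner can run on the policy before attaching it, given here as an added example that is not part of the original guide. It assumes the policy grants `s3:PutObject` to the `s3.amazonaws.com` service principal and scopes that grant with `aws:SourceAccount` and `aws:SourceArn` conditions; the bucket names, account IDs and function names are constructed for illustration.

```python
import json

def as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def condition_values(stmt, key):
    """Collect a condition key's values across all operators (StringEquals, ArnLike, ...)."""
    values = []
    for operands in stmt.get("Condition", {}).values():
        for name, val in operands.items():
            if name.lower() == key.lower():
                values.extend(as_list(val))
    return values

def check_destination_policy(policy_json, source_bucket, source_account, dest_bucket):
    """Return findings; an empty list means the S3 write grant is scoped and covers this source."""
    statements = as_list(json.loads(policy_json).get("Statement", []))
    findings, covered = [], False
    for stmt in statements:
        principal = stmt.get("Principal")
        if not (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "s3.amazonaws.com" in as_list(principal.get("Service", []))
                and "s3:PutObject" in as_list(stmt.get("Action", []))):
            continue  # not a write grant to the Amazon S3 service principal
        sid = stmt.get("Sid", "<no Sid>")
        accounts = condition_values(stmt, "aws:SourceAccount")
        arns = condition_values(stmt, "aws:SourceArn")
        if not accounts or not arns:
            findings.append(f"{sid}: grant is not scoped by aws:SourceAccount and aws:SourceArn")
        in_dest = any(r.startswith(f"arn:aws:s3:::{dest_bucket}/") for r in as_list(stmt.get("Resource", [])))
        # Exact string match only; wildcard patterns in ArnLike are not expanded here.
        if in_dest and source_account in accounts and f"arn:aws:s3:::{source_bucket}" in arns:
            covered = True
    if not covered:
        findings.append(f"no statement lets S3 write reports for {source_bucket} (account {source_account})")
    return findings

# Constructed sample: the policy still carries the console user's account ID
# (111111111111) although the source bucket belongs to account 222222222222.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "InventoryExamplePolicy", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::example-dest-bucket/*"],
    "Condition": {"ArnLike": {"aws:SourceArn": ["arn:aws:s3:::example-source-bucket"]},
                  "StringEquals": {"aws:SourceAccount": ["111111111111"]}}}]})

if __name__ == "__main__":
    print(check_destination_policy(SAMPLE_POLICY, "example-source-bucket", "222222222222", "example-dest-bucket"))
```
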

Grant Amazon S3 Permission to Encrypt Using Your AWS KMS Key

To let Amazon S3 encrypt with your AWS KMS key, you must grant it permission in the key policy. The following procedure describes how to use the AWS Identity and Access Management (IAM) console to modify the key policy for the AWS KMS customer master key (CMK) that is being used to encrypt the inventory file.

To grant permissions to encrypt using your AWS KMS key

  1. Sign in to the AWS Management Console using the AWS account that owns the AWS KMS CMK. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane, choose Encryption keys.

  3. For Region, choose the appropriate AWS Region. Do not use the region selector in the navigation bar (upper-right corner).

  4. Choose the alias of the CMK that you want to encrypt inventory with.

  5. In the Key Policy section of the page, choose Switch to policy view.

  6. Using the Key Policy editor, insert the following key policy into the existing policy and then choose Save Changes. You might want to copy the policy to the end of the existing policy.

    {
        "Sid": "Allow Amazon S3 use of the key",
        "Effect": "Allow",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Action": [
            "kms:GenerateDataKey*"
        ],
        "Resource": "*"
    }

For more information about creating and editing AWS KMS CMKs, see Getting Started in the AWS Key Management Service Developer Guide.
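The edit in step 6 done programmatically, as an added example that is not part of the original guide: the statement is appended as a new element of the existing policy's `Statement` array, and the policy is left untouched if an equivalent grant is already there. The function names and the sample key policy (account `111122223333`) are constructed for illustration.

```python
import copy
import json

# The statement from step 6 of the procedure above, as a Python dict.
S3_STATEMENT = {
    "Sid": "Allow Amazon S3 use of the key",
    "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": ["kms:GenerateDataKey*"],
    "Resource": "*",
}

def as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def grants_s3_data_key(stmt):
    """True if the statement already allows s3.amazonaws.com to generate data keys."""
    principal = stmt.get("Principal")
    actions = [a.lower() for a in as_list(stmt.get("Action", []))]
    return (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
            and "s3.amazonaws.com" in as_list(principal.get("Service", []))
            and any(a in ("kms:generatedatakey*", "kms:*") for a in actions))

def add_s3_statement(key_policy_json):
    """Append the statement to the Statement array; return (policy_json, changed)."""
    policy = json.loads(key_policy_json)
    statements = as_list(policy.get("Statement", []))
    if any(grants_s3_data_key(s) for s in statements):
        return key_policy_json, False  # already granted: leave the policy untouched
    policy["Statement"] = statements + [copy.deepcopy(S3_STATEMENT)]
    return json.dumps(policy, indent=2), True

# Constructed sample key policy. "Statement" is a single object here, which is
# valid policy JSON and is normalised to a list before the new statement is added.
EXISTING_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*"}})

if __name__ == "__main__":
    updated, changed = add_s3_statement(EXISTING_KEY_POLICY)
    print(changed)
    print(updated)
```
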

More Info

Storage Management