Sign In to the Console
Amazon Simple Storage Service
Console User Guide

AWS Documentation » Amazon Simple Storage Service (S3) » Console User Guide » Creating and Configuring an S3 Bucket » How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events?

How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events?

This section describes how to enable an AWS CloudTrail trail to log data events for objects in an S3 bucket by using the Amazon S3 console. CloudTrail supports logging Amazon S3 object-level API operations such as GetObject, DeleteObject, and PutObject. These events are called data events. By default, CloudTrail trails don't log data events, but you can configure trails to log data events for S3 buckets that you specify, or to log data events for all the Amazon S3 buckets in your AWS account.

Important

Additional charges apply for data events. For more information, see AWS CloudTrail Pricing.

To configure a trail to log data events for an S3 bucket, you can use either the AWS CloudTrail console or the Amazon S3 console. If you are configuring a trail to log data events for all the Amazon S3 buckets in your AWS account, it's easier to use the CloudTrail console. For information about using the CloudTrail console to configure a trail to log S3 data events, see Data Events in the AWS CloudTrail User Guide.

The following procedure shows how to use the Amazon S3 console to enable a CloudTrail trail to log data events for an S3 bucket.

To enable CloudTrail data events logging for objects in an S3 bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.

  2. In the Bucket name list, choose the name of the bucket that you want.

    Screenshot showing a bucket in the bucket name list.

  3. Choose Properties.

    List of tabs in S3 console with the Properties tab selected.

  4. Choose Object-level logging.

    Object-level logging screen.

  5. Choose an existing CloudTrail trail in the drop-down menu. The trail you select must be in the same AWS Region as your bucket, so the drop-down list contains only trails that are in the same Region as the bucket or trails that were created for all Regions.

    If you need to create a trail, choose the CloudTrail console link to go to the CloudTrail console. For information about how to create trails in the CloudTrail console, see Creating a Trail with the Console in the AWS CloudTrail User Guide.

    Choosing a CloudTrail trail in the Object level logging dialog box.

  6. Under Events, select Read to specify that you want CloudTrail to log Amazon S3 read APIs such as GetObject. Select Write to log Amazon S3 write APIs such as PutObject. Select both Read and Write to log both read and write object APIs. For a list of supported data events that CloudTrail logs for Amazon S3 objects, see Amazon S3 Object-Level Actions Tracked by CloudTrail Logging in the Amazon Simple Storage Service Developer Guide.

    Object-level logging dialog box with read and write selected.

  7. Choose Create to enable object-level logging for the bucket.

    Object-level logging dialog box dialog box displaying Enabled.

    To disable object-level logging for the bucket, you must go to the CloudTrail console and remove the bucket name from the trail's Data events.

    Note

    If you use the CloudTrail console or the Amazon S3 console to configure a trail to log data events for an S3 bucket, the Amazon S3 console shows that object-level logging is enabled for the bucket.

For information about enabling object-level logging when you create an S3 bucket, see How Do I Create an S3 Bucket?.

More Info

On this page: