CloudTrail log file examples for S3 Express One Zone
A CloudTrail log file includes information about the requested API operation, the date and time of the operation, request parameters, and so on. This topic features examples for CloudTrail data events and management events for S3 Express One Zone.
CloudTrail data event log file examples for Amazon S3 Express One Zone
The following example shows a CloudTrail log file example that demonstrates CreateSession.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", "arn": "arn:aws:sts::111122223333assumed-role/RoleToBeAssumed/MySessionName", "accountId": "111122223333", "accessKeyId": "AKIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AROAIDPPEZS35WEXAMPLE", "arn": "arn:aws:iam::111122223333:role/RoleToBeAssumed", "accountId": "111122223333", "userName":"RoleToBeAssumed}, "attributes": { "creationDate": "2024-07-02T00:21:16Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-07-02T00:22:11Z", "eventSource": "s3express.amazonaws.com", "eventName": "CreateSession", "awsRegion": "us-west-2", "sourceIPAddress": "72.21.198.68", "userAgent": "aws-sdk-java/2.20.160-SNAPSHOT Linux/5.10.216-225.855.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/11.0.23+9-LTS Java/11.0.23 vendor/Amazon.com_Inc. md/internal exec-env/AWS_Lambda_java11 io/sync http/Apache cfg/retry-mode/standard", "requestParameters": { "bucketName":"bucket-base-name--usw2-az1--x-s3". "host":"bucket-base-name--usw2-az1--x-s3.s3express-usw2-az1.us-west-2.amazonaws.com", "x-amz-create-session-mode": "ReadWrite" }, "responseElements": { "credentials": { "accessKeyId": "AKIAI44QH8DHBEXAMPLE" "expiration": ""Mar 20, 2024, 11:16:09 PM", "sessionToken": "<session token string>" }, }, "additionalEventData": { "SignatureVersion": "SigV4", "cipherSuite": "TLS_AES_128_GCM_SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "xAmzId2": "q6xhNJYmhg", "bytesTransferredOut": 1815, "availabilityZone": "usw2-az1" }, "requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818", "eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1", "readOnly": true, "resources": [ { "type": "AWS::S3Express::Object", "ARNPrefix": "arn:aws:s3express:us-west-2:111122223333:bucket-base-name--usw2-az1--x-s3" }, { "accountId": "111122223333" "type": "AWS::S3Express::DirectoryBucket", "ARN": "arn:aws:s3express:us-west-2:111122223333:bucket-base-name--usw2-az1--x-s3" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "bucket-base-name--usw2-az1--x-s3.s3express-usw2-az1.us-west-2.amazonaws.com" } }
To use Zonal endpoint API operations (object-level, or data plane, operations), you can
use the CreateSession API operation to create and manage sessions that are
optimized for low-latency authorization of data requests. You can also use
CreateSession to reduce the amount of logging. To identify which Zonal
API operations were performed during a session, you can match the
accessKeyId under the responseElements in your
CreateSession log file to the accessKeyId in the log file
of other Zonal API operations. For more information, see CreateSession authorization.
The following example shows a CloudTrail log file example that demonstrates the GetObject API operation that was authenticated by CreateSession.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", "arn": "arn:aws:sts::111122223333assumed-role/RoleToBeAssumed/MySessionName", "accountId": "111122223333", "accessKeyId": "AKIAI44QH8DHBEXAMPLE", "sessionContext": { "attributes": { "creationDate": "2024-07-02T00:21:49Z" } } }, "eventTime": "2024-07-02T00:22:01Z", "eventSource": "s3express.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-west-2", "sourceIPAddress": "72.21.198.68", "userAgent": "aws-sdk-java/2.25.66 Linux/5.10.216-225.855.amzn2.x86_64 OpenJDK_64-Bit_Server_VM/17.0.11+9-LTS Java/17.0.11 vendor/Amazon.com_Inc. md/internal exec-env/AWS_Lambda_java17 io/sync http/Apache cfg/retry-mode/legacy", "requestParameters": { "bucketName":"bucket-base-name--usw2-az1--x-s3", "x-amz-checksum-mode": "ENABLED", "Host":"bucket-base-name--usw2-az1--x-s3.s3express-usw2-az1.us-west-2.amazonaws.com", "key": "test-get-obj-with-checksum" }, "responseElements": null, "additionalEventData": { "SignatureVersion": "Sigv4", "CipherSuite": "TLS_AES_128_GCM_SHA256", "bytesTransferredIn": 0, "AuthenticationMethod": "AuthHeader", "x-amz-id-2": "oOy6w8K7LFsyFN", "bytesTransferredOut": 9, "availabilityZone": "usw2-az1", "sessionModeApplied": "ReadWrite" }, "requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818", "eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1", "readOnly": true, "resources": [ { "type": "AWS::S3Express::Object", "ARNPrefix": "arn:aws:s3express:us-west-2:111122223333:bucket-base-name--usw2-az1--x-s3" }, { "accountId": "111122223333", "type": "AWS::S3Express::DirectoryBucket", "ARN": "arn:aws:s3express:us-west-2:111122223333:bucket-base-name--usw2-az1--x-s3" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "bucket-base-name--usw2-az1--x-s3.s3express-usw2-az1.us-west-2.amazonaws.com" } }
In the GetObject log file example above, the
accessKeyId(AKIAI44QH8DHBEXAMPLE) matches the accessKeyId under
the responseElements in the CreateSession log file example. The matching
accessKeyId indicates the session in which GetObject operation
was performed.
