View a markdown version of this page

Log format in CloudWatch Logs - Amazon Simple Storage Service

Log format in CloudWatch Logs

When Amazon S3 server access logs are delivered to Amazon CloudWatch Logs, each log record is a structured JSON object. This is different from the space-delimited text format used for delivery to an Amazon S3 general purpose bucket. The structured format makes fields directly queryable in CloudWatch Logs Insights without regex parsing.

Note

For the space-delimited text format used for general purpose bucket delivery, see Amazon S3 server access log format.

Log record fields

The following table describes the fields in each server access log record delivered to CloudWatch Logs.

Server access log fields in CloudWatch Logs
Field Type Description
schema_version_id string Version identifier for the log record schema (for example, V_1_0). Use this field to detect schema changes when new fields are added in future versions.
bucket_arn string ARN of the source bucket.
bucket_name string Name of the bucket that the request was made to. Derived from the bucket ARN.
request_time string Time the request was received, in UTC. Formatted as ISO 8601 (yyyy-MM-dd'T'HH:mm:ss.SSS'Z'). In the S3 Tables integration (Iceberg), this field is stored as timestamptz.
bucket_owner_id string Canonical user ID of the owner of the source bucket.
remote_ip string Apparent IP address of the requester. Defaults to null if not available.
requester string Canonical user ID of the requester, or null for unauthenticated requests. For IAM users and roles, this is the ARN.
request_id string Unique identifier generated by Amazon S3 for each request. Defaults to null if not available.
operation string The operation that was performed, for example REST.GET.OBJECT or REST.PUT.OBJECT. Defaults to null if not available.
key_name string Object key in the request, or null if the operation does not involve an object.
request_uri string The Request-URI part of the HTTP request message, or null if not available.
http_status int Numeric HTTP status code of the response, for example 200 or 403. Defaults to null if not available.
error_code string Amazon S3 error code, for example NoSuchKey or AccessDenied, or null if no error occurred.
bytes_sent_size long Number of response bytes sent, excluding HTTP protocol overhead. Defaults to null if not available.
object_size long Total size of the object. Defaults to null if not available.
total_duration long Total time of the request from the time the request was received to the last byte of the response sent, in milliseconds. Defaults to null if not available.
turn_around_duration long Time Amazon S3 spent processing the request, in milliseconds. This value is measured from the time the last byte of the request was received until the time the first byte of the response was sent. Defaults to null if not available.
referer string Value of the HTTP Referer header, or null if not present.
user_agent string Value of the HTTP User-Agent header. Defaults to null if not available.
version_id string Version ID in the request, or null if the operation does not involve a versioned object.
host_id string Amazon S3 extended request ID (x-amz-id-2). Defaults to null if not available.
signature_version string Signature version used to authenticate the request: SigV2 or SigV4. Defaults to null for unauthenticated requests.
cipher_suite string TLS cipher suite negotiated for HTTPS requests, or null for HTTP.
authentication_type string Type of request authentication: AuthHeader, QueryString, or null.
host_header string Endpoint used to connect to Amazon S3. Defaults to null if not available.
tls_version string TLS version negotiated by the client: TLSv1.1, TLSv1.2, TLSv1.3, or null.
access_point_arn string ARN of the access point used for the request, or null if the request did not use an access point.
acl_required boolean Whether an ACL was required for the request. Defaults to null when not applicable.
source_region string AWS Region from which the request originated, or null when the origin Region cannot be determined (such as PrivateLink connections, Direct Connect connections, Bring your own IP addresses (BYOIP), or non-AWS IP addresses) or when the log is generated by operations triggered based on customer-set policies or actions, such as lifecycle and checksum.

Sample log record

The following is an example of a server access log record as it appears in CloudWatch Logs.

{ "schema_version_id": "V_1_0", "bucket_arn": "arn:aws:s3:::my-data-bucket", "bucket_name": "my-data-bucket", "request_time": "2026-04-29T14:32:16.000Z", "bucket_owner_id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "remote_ip": "203.0.113.45", "requester": "arn:aws:iam::123456789012:role/DataAnalystRole", "request_id": "3E57427F33A59F07", "operation": "REST.GET.OBJECT", "key_name": "reports/2026/quarterly-summary.parquet", "request_uri": "GET /my-data-bucket/reports/2026/quarterly-summary.parquet HTTP/1.1", "http_status": 200, "error_code": null, "bytes_sent_size": 1048576, "object_size": 1048576, "total_duration": 45, "turn_around_duration": 12, "referer": null, "user_agent": "aws-sdk-java/2.20.0", "version_id": null, "host_id": "s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234=", "signature_version": "SigV4", "cipher_suite": "TLS_AES_128_GCM_SHA256", "authentication_type": "AuthHeader", "host_header": "my-data-bucket.s3.us-east-1.amazonaws.com", "tls_version": "TLSv1.3", "access_point_arn": null, "acl_required": false, "source_region": "us-east-1" }

Differences from general purpose bucket log format

The CloudWatch Logs log format differs from the general purpose bucket log format in the following ways:

  • Format – CloudWatch Logs logs are structured JSON objects. General purpose bucket logs are space-delimited text.

  • Field names – The CloudWatch Logs format uses descriptive underscore-separated field names (for example, bytes_sent_size, total_duration, key_name, authentication_type). The general purpose bucket format is positional space-delimited text with no named columns.

  • Additional fields – The CloudWatch Logs format includes schema_version_id and bucket_arn, which are not present in the general purpose bucket text format.

  • No parsing required – Because CloudWatch Logs logs are structured JSON, you can query individual fields directly in CloudWatch Logs Insights without regex parsing. The general purpose bucket text format requires a regex or custom parser to extract fields.