Amazon EventBridge
User Guide

Tutorial: Log Amazon S3 Object-Level Operations Using EventBridge

You can log the object-level API operations on your S3 buckets. Before Amazon EventBridge can match these events, you must use AWS CloudTrail to set up a trail configured to receive these events.

Step 1: Configure Your AWS CloudTrail Trail

To log data events for an S3 bucket to AWS CloudTrail and EventBridge, create a trail. A trail captures API calls and related events in your account and delivers the log files to an S3 bucket that you specify. You can update an existing trail or create one.

To create a trail

  1. Open the CloudTrail console at https://console.aws.amazon.com/cloudtrail/.

  2. In the navigation pane, choose Trails, Create trail.

  3. For Trail name, enter a name for the trail.

  4. For Data events, enter the bucket name and prefix (optional). For each trail, you can add up to 250 Amazon S3 objects.

    • To log data events for all Amazon S3 objects in a bucket, specify an S3 bucket and an empty prefix. When an event occurs on an object in that bucket, the trail processes and logs the event.

    • To log data events for specific Amazon S3 objects, choose Add S3 bucket and specify an S3 bucket and optionally the object prefix. When an event occurs on an object in that bucket and the object starts with the specified prefix, the trail processes and logs the event.

  5. For each resource, specify whether to log Read events, Write events, or both.

  6. For Storage location, create or choose an existing S3 bucket to designate for log file storage.

  7. Choose Create.

For more information, see Data Events in the AWS CloudTrail User Guide.

Step 2: Create an AWS Lambda Function

Create a Lambda function to log data events for your S3 buckets. You specify this function when you create your rule.

To create a Lambda function

  1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.

  2. If you're new to Lambda, you see a welcome page. Choose Create a function. Otherwise, choose Create function.

  3. Choose Author from scratch.

  4. Under Author from scratch, do the following:

    1. Enter a name for the Lambda function. For example, name the function LogS3DataEvents.

    2. For Role, choose Create a custom role.

      A new window opens. Change the Role name if necessary and choose Allow.

    3. Back on the Lambda console, choose Create function.

  5. Edit the code for the Lambda function to the following and choose Save.

    'use strict'; exports.handler = (event, context, callback) => { console.log('LogS3DataEvents'); console.log('Received event:', JSON.stringify(event, null, 2)); callback(null, 'Finished'); };

Step 3: Create a Rule

Create a rule to run your Lambda function in response to an Amazon S3 data event.

To create a rule

  1. Open the Amazon EventBridge console at https://console.aws.amazon.com/events/.

  2. In the navigation pane, choose Rules.

  3. Choose Create rule.

  4. Enter a name and description for the rule.

  5. For Define pattern, do the following:

    1. Choose Event Pattern.

    2. Choose Pre-defined pattern by service.

    3. For Service provider, choose AWS.

    4. For Service Name, choose Simple Storage Service (S3).

    5. For Event type, choose Object Level Operations.

    6. Choose Specific operation(s), PutObject.

    7. By default, the rule matches data events for all buckets in the Region. To match data events for specific buckets, choose Specify bucket(s) by name and enter one or more buckets.

  6. For Select event bus, choose AWS default event bus. When an AWS service in your account emits an event, it always goes to your account’s default event bus.

  7. For Targets, choose Lambda function.

  8. For Function, select the Lambda function that you created.

  9. Choose Create.

Step 4: Test the Rule

To test the rule, put an object in your S3 bucket. You can verify that your Lambda function was invoked.

To view the logs for your Lambda function

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Logs.

  3. Select the name of the log group for your Lambda function (/aws/lambda/function-name).

  4. Select the name of the log stream to view the data provided by the function for the instance that you launched.

You can also check the contents of your CloudTrail logs in the S3 bucket that you specified for your trail. For more information, see Getting and Viewing Your CloudTrail Log Files in the AWS CloudTrail User Guide.