{"id":13475,"date":"2018-02-01T15:22:37","date_gmt":"2018-02-01T11:22:37","guid":{"rendered":"http:\/\/www.msp360.com\/blog\/?p=13475"},"modified":"2024-10-02T13:27:03","modified_gmt":"2024-10-02T09:27:03","slug":"how-to-enable-and-read-amazon-s3-bucket-logs","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/how-to-enable-and-read-amazon-s3-bucket-logs\/","title":{"rendered":"How to Improve Security of S3 Buckets Using S3 Access Logs"},"content":{"rendered":"<p>Imagine the situation: you browse your Amazon S3 bucket and suddenly discover that some files are missing. Since Amazon S3 offers high durability, it leaves almost no chance for these files to disappear due to a system failure or disaster. Apparently, they were deleted by a user. How do you find out who did that?<\/p>\n<p>Amazon S3 bucket logging can help you investigate the issue. This article will guide you through the S3 access logging configuration process.<\/p>\n<blockquote><p><strong>Important:<\/strong>\u00a0Bucket logging must be enabled <strong>before<\/strong> the issue occurs for this to work as described.<\/p><\/blockquote>\n
<h2>How to Enable Amazon S3 Access Logs<\/h2>\n<p>Amazon S3 bucket logging provides detailed information on object requests and requesters, even if they use your root account. First, let\u2019s enable S3 server access logging:<\/p>\n<div class=\"steps\">\n<p><var>1<\/var>On the <a href=\"https:\/\/console.aws.amazon.com\/s3\/\" target=\"_blank\" rel=\"noopener noreferrer\">Amazon S3 Console<\/a>, choose the bucket for which you want to enable logging<\/p>\n<p><var>2<\/var>Left-click the bucket<\/p>\n<p><var>3<\/var>Go to Properties and select <strong>Server Access Logging<\/strong><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-29064 size-full\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/s3-bucket-properties-server-access-logging.png\" alt=\"Server Access Logging\" width=\"1009\" height=\"438\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/s3-bucket-properties-server-access-logging.png 1009w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/s3-bucket-properties-server-access-logging-300x130.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/s3-bucket-properties-server-access-logging-768x333.png 768w, 
https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/s3-bucket-properties-server-access-logging-624x271.png 624w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/p>\n<p><var>4<\/var>Enable logging and choose the target bucket where the logs will be stored. Choose a\u00a0<strong>prefix<\/strong> to distinguish your logs<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-29063 size-full\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/select-s3-bucket-for-server-access-logging.png\" alt=\"Choose prefix\" width=\"575\" height=\"599\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/select-s3-bucket-for-server-access-logging.png 575w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/02\/select-s3-bucket-for-server-access-logging-288x300.png 288w\" sizes=\"auto, (max-width: 575px) 100vw, 575px\" \/><\/p>\n<\/div>\n<blockquote><p>For Amazon S3 bucket logging to work correctly, the target bucket must be different from the source bucket but located in the same AWS region.<\/p><\/blockquote>\n<p id=\"last\">Logging for the Amazon S3 bucket is now enabled, and within 24 hours the logs will be available for download.<\/p>\n
<h2>How to Get Access to Amazon S3 Bucket Logs and Read Them<\/h2>\n<p>Amazon S3 bucket logs are simple .TXT files that can be downloaded and opened with any text editor. The problem is that when you open a log file in Notepad, it looks like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-13477 size-full\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-log-content-demonstration.png\" alt=\"Amazon S3 Log File Content Demonstration\" width=\"613\" height=\"127\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-log-content-demonstration.png 613w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-log-content-demonstration-300x62.png 300w\" sizes=\"auto, (max-width: 613px) 100vw, 613px\" \/><\/p>\n<p>So, unless you\u2019ve been reading log files for a couple of months, it\u2019s relatively hard to understand who got access to the bucket and what operations were performed. Another problem is that AWS doesn\u2019t collect all log entries in one document, but creates a new .TXT file for each operation. 
Therefore, the user will have to download and read each file separately to monitor security.<\/p>\n<p>The solution\u00a0is to use <a href=\"https:\/\/www.msp360.com\/explorer\/windows\/\">MSP360 Explorer for Amazon S3<\/a>, which comes with a log viewer that facilitates reading.<\/p>\n<div class=\"steps\">\n<p><var>1<\/var>Right-click the bucket for which you enabled logging, choose <strong>Logging <\/strong>and then <strong>View Server Access Log<\/strong>:<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-13478 size-full\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logging-cloudberry-explorer.png\" alt=\"Viewing Server Access Logs - CloudBerry Explorer Software Screenshot\" width=\"1305\" height=\"855\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logging-cloudberry-explorer.png 1305w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logging-cloudberry-explorer-300x197.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logging-cloudberry-explorer-768x503.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logging-cloudberry-explorer-1024x671.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logging-cloudberry-explorer-624x409.png 624w\" sizes=\"auto, (max-width: 1305px) 100vw, 1305px\" \/><\/p>\n<p><var>2<\/var>You will see a new window pane with a complete bucket log for an exact period of time. 
<img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-13479 size-full\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logs-reading.png\" alt=\"Reading Amazon S3 Log Files\" width=\"1673\" height=\"893\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logs-reading.png 1673w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logs-reading-300x160.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logs-reading-768x410.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logs-reading-1024x547.png 1024w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2016\/03\/amazon-s3-bucket-logs-reading-624x333.png 624w\" sizes=\"auto, (max-width: 1673px) 100vw, 1673px\" \/><\/p>\n<\/div>\n<p>The last step is to interpret the most important fields, which tell you who accessed or edited the objects and when.<\/p>\n<p><strong>Remote IP <\/strong>\u2014 shows the IP address of the user who performed the operation. Remember that proxies and firewalls can hide the actual address.<\/p>\n<p><strong>Requester <\/strong>\u2014 the unique ID of the user who requested the file in your bucket. 
If the user wasn\u2019t authorized, the entry shows \u201cAnonymous\u201d; if the user has an <a href=\"https:\/\/www.msp360.com\/resources\/blog\/assuming-an-iam-role\/\">IAM role<\/a>, it returns the IAM user name and the root AWS account to which the IAM user belongs.<\/p>\n<p><strong>Operation<\/strong> \u2014 the list of operations performed on the file and the bucket.<\/p>\n<p><strong>Object Size <\/strong>\u2014 the total size of the object that was requested.<\/p>\n<p>You have now enabled Amazon S3 server access logging for a bucket to improve account security and monitor operations performed by users during a given period of time.<\/p>\n<p>Remember that enabling Amazon S3 access logs doesn\u2019t protect your AWS account against fraud, so it is highly recommended to create <a href=\"https:\/\/www.msp360.com\/resources\/blog\/backup-with-iam-users\/\">IAM users<\/a> instead of providing them with root account credentials.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Imagine the situation: you browse your Amazon S3 bucket and suddenly discover that some files are missing. Since Amazon S3 offers high durability, it leaves almost no chance for these files to disappear due to a system failure or disaster. Apparently, they were deleted by a user. 
How to find out who did that?<\/p>\n","protected":false},"author":2,"featured_media":26989,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885],"tags":[],"class_list":["post-13475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-other"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/13475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=13475"}],"version-history":[{"count":5,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/13475\/revisions"}],"predecessor-version":[{"id":58699,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/13475\/revisions\/58699"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/26989"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=13475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=13475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=13475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}