S3 Access Logs record every request made to an S3 bucket — authorized or denied, from any account.

Use them for: auditing, security analysis, and tracking who accessed what and when.


How It Works

User --> request --> Monitored Bucket
                          |
                     logs the request
                          |
                          v
                    Logging Bucket (separate bucket)

Log files are delivered to the logging bucket within a few hours — not real-time.


Key Rules


What Gets Logged

Each log record includes: requester account, IP address, bucket name, request time, action (GET/PUT/DELETE), response status code, and error code if any.
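
As an added example (not part of the original notes), the parser below pulls those fields out of raw log lines and lists the denied requests. The field order is that of the S3 server access log format; the function names and the sample records are constructed for illustration.

```python
import re
from datetime import datetime

# Leading fields of an S3 server access log record, in delivery order.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri",
          "http_status", "error_code"]

# One token is a [bracketed time], a "quoted string", or a run of non-spaces.
TOKEN = re.compile(r'\[([^\]]*)\]|"((?:[^"\\]|\\.)*)"|(\S+)')

def parse_record(line):
    """Split one log line into the fields listed above; '-' means absent."""
    tokens = [next(g for g in m.groups() if g is not None)
              for m in TOKEN.finditer(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated access log record")
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["http_status"] = None if rec["http_status"] == "-" else int(rec["http_status"])
    rec["error_code"] = None if rec["error_code"] == "-" else rec["error_code"]
    return rec

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def denied(records):
    """Records S3 answered with 403: who asked, from where, for what."""
    return [r for r in records if r["http_status"] == 403]

# Constructed sample records (all IDs, names and addresses are placeholders).
SAMPLE = """\
ownerid-example example-monitored-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 requester-example-1 REQID0001EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-monitored-bucket/reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 10 "-" "example-agent/1.0" -
ownerid-example example-monitored-bucket [06/Feb/2019:00:01:57 +0000] 198.51.100.7 - REQID0002EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /example-monitored-bucket/reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "example-agent/1.0" -
ownerid-example example-monitored-bucket [06/Feb/2019:00:02:10 +0000] 192.0.2.3 requester-example-1 REQID0003EXAMPLE REST.DELETE.OBJECT reports/old.csv "DELETE /example-monitored-bucket/reports/old.csv HTTP/1.1" 204 - - 0 20 - "-" "example-agent/1.0" -
"""

if __name__ == "__main__":
    for r in denied(parse_log(SAMPLE)):
        # A requester of "-" is an unauthenticated (anonymous) request.
        who = "anonymous" if r["requester"] == "-" else r["requester"]
        print(r["time"].isoformat(), r["remote_ip"], who,
              r["operation"], r["key"], r["error_code"])
```

Quoted fields (the request URI, referer and user agent) contain spaces, which is why the line is tokenized rather than split on whitespace.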


Critical Warning — The Logging Loop

Never set the logging bucket and the monitored bucket to be the same bucket.

What happens if you do:

You upload a file --> S3 logs it --> log is a new file
--> S3 logs that --> another new file
--> S3 logs that --> another new file
--> never stops