AWS access logging is not enabled on S3 buckets


Access logging provides detailed audit logging for all objects and folders in an S3 bucket.

# Fix - Runtime

## AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at
  2. Open the Amazon S3 console.
  3. Navigate to the Bucket name list.
  4. To enable server access logging for a bucket, select the name of the bucket.
  5. Click Properties.
  6. Click Server access logging.
  7. Click Enable Logging.

📘 Notes

  • For the target, select the name of the bucket that you want to receive the log record objects.
  • The target bucket must be in the same Region as the source bucket and must not have a default retention period configuration.
  8. Click Save.

## CLI Command

The example below sets the logging policy for MyBucket.
The AWS user will have full control over the log files; no one else has any access.

First, grant S3 permission with put-bucket-acl:

```shell
aws s3api put-bucket-acl --bucket MyBucket --grant-write URI= --grant-read-acp URI=
```

Then apply the logging policy:

```shell
aws s3api put-bucket-logging --bucket MyBucket --bucket-logging-status file://logging.json
```

logging.json is a JSON document in the current folder that contains the logging policy:

```json
{
  "LoggingEnabled": {
    "TargetBucket": "MyBucket",
    "TargetPrefix": "MyBucketLogs/",
    "TargetGrants": [
      {
        "Grantee": {
          "Type": "AmazonCustomerByEmail",
          "EmailAddress": ""
        },
        "Permission": "FULL_CONTROL"
      }
    ]
  }
}
```
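To check the outcome of the runtime fix, including the two target-bucket constraints from the notes, the following added example (not part of the original page) audits bucket settings from dictionaries shaped like the S3 GetBucketLogging, GetBucketLocation and GetObjectLockConfiguration responses. The bucket names and the inventory layout are constructed for illustration, and treating an Object Lock default retention rule as the "default retention period" is an assumption.

```python
# Added example: audit server access logging from S3 API responses.
# Each inventory entry holds the responses of GetBucketLogging ("logging"),
# GetBucketLocation ("location") and GetObjectLockConfiguration
# ("object_lock", None when the bucket has no such configuration).

def bucket_region(location):
    # GetBucketLocation reports us-east-1 as a null LocationConstraint.
    return location.get("LocationConstraint") or "us-east-1"

def audit_logging(name, inventory):
    """Return the list of findings for bucket `name` (empty means compliant)."""
    source = inventory[name]
    enabled = source["logging"].get("LoggingEnabled")
    if not enabled:  # the key is absent when logging is off
        return ["access logging is not enabled"]
    target_name = enabled["TargetBucket"]
    target = inventory.get(target_name)
    if target is None:
        return [f"target bucket {target_name} is not in the inventory"]
    findings = []
    if bucket_region(target["location"]) != bucket_region(source["location"]):
        findings.append("target bucket is in a different Region")
    lock = (target.get("object_lock") or {}).get("ObjectLockConfiguration", {})
    if lock.get("Rule", {}).get("DefaultRetention"):
        findings.append("target bucket has a default retention period")
    return findings

def _bucket(region, target=None, retention_days=None):
    # Build one constructed inventory entry (sample data, not real buckets).
    logging = {"LoggingEnabled": {"TargetBucket": target, "TargetPrefix": "logs/"}} if target else {}
    lock = None
    if retention_days:
        lock = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": retention_days}}}}
    return {"logging": logging, "location": {"LocationConstraint": region}, "object_lock": lock}

SAMPLE_INVENTORY = {
    "app-data": _bucket(None, target="audit-logs"),          # us-east-1, compliant
    "uploads": _bucket("eu-west-1"),                         # logging off
    "reports": _bucket("eu-west-1", target="audit-logs"),    # cross-Region target
    "billing": _bucket(None, target="locked-logs"),          # target has retention
    "audit-logs": _bucket(None, target="audit-logs"),
    "locked-logs": _bucket(None, target="locked-logs", retention_days=30),
}

if __name__ == "__main__":
    for bucket in SAMPLE_INVENTORY:
        print(bucket, audit_logging(bucket, SAMPLE_INVENTORY) or "OK")
```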

# Fix – Buildtime

## Terraform

- **Resource:** aws_s3_bucket, aws_s3_bucket_logging

```hcl
+ resource "aws_s3_bucket_logging" "example" {
+   bucket =
+
+   target_bucket =
+   target_prefix = "log/"
+ }
```
