
Why didn't my Amazon S3 server access logs get delivered to my bucket?


I set up Amazon Simple Storage Service (Amazon S3) server access logging. However, Amazon S3 didn't deliver the server access logs to the Amazon S3 destination bucket.

Short description

When you turn on server access logging for the first time or change the destination bucket for logs, the change takes time to take effect. Amazon S3 might not deliver log records for requests made within the first hour after you turn on logging. Also, within the first hour after you change the destination bucket, Amazon S3 might still deliver logs to the previous destination bucket.

After you change the logging configuration, wait at least 1 hour before you verify logs. For more information, see Best-effort server log delivery.

Make sure that the source and destination buckets are in the same AWS Region and that the same AWS account owns both buckets. Also, if you turned on Requester Pays for the destination bucket, turn it off.

If you still don't see logs in the destination bucket, then use the following troubleshooting to resolve the issue.

Resolution

Check whether the log delivery group has access to the destination bucket

Amazon S3 uses a log delivery group to deliver server access logs to the destination bucket. To receive server access logs, you must grant the logging service principal access to your destination bucket.

To grant access to the destination bucket, create an S3 bucket policy. You can use an access control list (ACL) to grant access to the destination bucket. However, it's a best practice to use ACLs only when you must individually control access for each object.

Grant access through a bucket policy

Update the bucket policy to grant the s3:PutObject permission to the logging service principal.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ServerAccessLogsPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "logging.s3.amazonaws.com"
            },
            "Action": [
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::DOC-EXAMPLE-DESTINATION-BUCKET/EXAMPLE-LOGGING-PREFIX*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::DOC-EXAMPLE-SOURCE-BUCKET"
                },
                "StringEquals": {
                    "aws:SourceAccount": "SOURCE-ACCOUNT-ID"
                }
            }
        }
    ]
}

Grant access through a bucket ACL

Add a grant entry to the bucket ACL that grants write permissions to the S3 log delivery group.

To modify the destination bucket's ACL, complete the following steps:

  1. Open the Amazon S3 console.
  2. In the Buckets list, select the destination bucket.
  3. Choose the Permissions tab.
  4. In the Access control list (ACL) section, choose Edit.
  5. Under S3 log delivery group, select Objects - Write.
  6. Under S3 log delivery group, select Bucket ACL - Write.
  7. Choose Save changes.

Verify that the destination bucket's policy doesn't deny access to the logs

Check the destination bucket's policy for statements that contain "Effect": "Deny". If the policy has Deny statements, then verify that the Deny statements don't prevent write access to the bucket.

Note: It's a best practice to use a separate bucket for server access logs. Buckets are private by default, so you don't need to use a Deny statement in the bucket policy to prevent unauthorized access to the bucket.
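The two policy checks above (the Allow grant for the logging service principal, and Deny statements that could block its write) can be run against a downloaded bucket policy before you wait out the delivery hour. The following is an added example, not AWS code: it evaluates a policy document as plain JSON with IAM-style wildcards, assumes the `DOC-EXAMPLE-*` bucket names from the policy above, and uses a constructed placeholder account ID.

```python
# Added example, not AWS code: audit a destination-bucket policy for the log delivery grant
# above and for Deny statements that could block it (Action/Resource only, no NotAction).
import fnmatch

LOG_PRINCIPAL = "logging.s3.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})  # "*", a string, or {"Service": ..., "AWS": ...}
    if isinstance(p, dict):
        return _as_list(p.get("Service", [])) + _as_list(p.get("AWS", []))
    return _as_list(p)

def _covers(stmt, action, resource):
    # IAM-style wildcard match of a concrete action and object ARN
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatch.fnmatchcase(action, a) for a in acts) and any(
        fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))

def audit_log_delivery_policy(policy, dest_bucket, prefix, source_bucket, source_account):
    """Return (allow_ok, deny_sids) for s3:PutObject by the logging principal."""
    log_obj = f"arn:aws:s3:::{dest_bucket}/{prefix}2024-01-01-00-00-00-EXAMPLE"  # sample key
    src_arn = f"arn:aws:s3:::{source_bucket}"
    allow_ok, deny_sids = False, []
    for s in policy.get("Statement", []):
        if not _covers(s, "s3:putobject", log_obj):
            continue
        who = _principals(s)
        if s.get("Effect") == "Deny" and ("*" in who or LOG_PRINCIPAL in who):
            deny_sids.append(s.get("Sid", "<no Sid>"))  # review its Condition by hand
        elif s.get("Effect") == "Allow" and LOG_PRINCIPAL in who:
            cond = s.get("Condition", {})
            arn_ok = all(fnmatch.fnmatchcase(src_arn, p) for p in
                         _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", "*")))
            acct_ok = source_account in _as_list(
                cond.get("StringEquals", {}).get("aws:SourceAccount", source_account))
            allow_ok = allow_ok or (arn_ok and acct_ok)
    return allow_ok, deny_sids

# Constructed sample: the article's Allow grant plus a blanket Deny that would
# block the write. The account ID is a placeholder.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3ServerAccessLogsPolicy", "Effect": "Allow",
     "Principal": {"Service": LOG_PRINCIPAL}, "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-DESTINATION-BUCKET/EXAMPLE-LOGGING-PREFIX*",
     "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::DOC-EXAMPLE-SOURCE-BUCKET"},
                   "StringEquals": {"aws:SourceAccount": "111122223333"}}},
    {"Sid": "DenyAllObjectWrites", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::DOC-EXAMPLE-DESTINATION-BUCKET/*"}]}
```

Run `audit_log_delivery_policy(SAMPLE_POLICY, "DOC-EXAMPLE-DESTINATION-BUCKET", "EXAMPLE-LOGGING-PREFIX", "DOC-EXAMPLE-SOURCE-BUCKET", "111122223333")` to get `(True, ["DenyAllObjectWrites"])`: the grant is present, but the Deny statement still needs review. A source bucket or account that does not match the Condition makes the first value `False`, which is the mismatch this article's bucket-policy step is meant to catch.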

Confirm that you turned off Amazon S3 Object Lock for the destination bucket

Make sure that you turned off Object Lock for the destination bucket. When you turn on Object Lock, Amazon S3 can't deliver server access logs.

Check that you selected SSE-S3 as the encryption key

If you use default encryption on the destination bucket, then confirm that you selected server-side encryption with Amazon S3 managed keys (SSE-S3) for encryption. Server log delivery doesn't support server-side encryption with AWS Key Management Service (AWS KMS) keys. To configure default encryption, see Configuring default encryption.

AWS OFFICIAL. Updated 4 months ago.