Why is the object name missing in CloudTrail logs for S3 DeleteObject events?

Question

I have enabled CloudTrail to log S3 bucket events for my bucket, and I have configured both read and write permissions for the bucket events so that I can log both PutObject and DeleteObject operations. However, when I upload an object, the log correctly includes the name of the file that was uploaded, but when I delete the file, the logs do not show the name of the file being deleted.

Why is the object name missing in the DeleteObject logs, and how can I ensure that the file name is included when an object is deleted in the logs?

Leo K · Answer

The object key is logged for the `DeleteObject` API call, but not for `DeleteObjects` (in plural). That's because `DeleteObjects` accepts a list of up to 1,000 objects or specific versions to delete, optionally including conditions, such as size constraints, which could exceed the 256-kilobyte maximum size of a CloudTrail event. When you delete objects via the AWS Management console, I think it always uses the `DeleteObjects` API, even when deleting a single object (or version).

To log the individual object keys being deleted, the simplest solution is to enable S3 server access logging for the bucket: https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html. It logs a separate event for each object deletion, with each event specifying only a single object key, regardless of the API used to trigger the deletion, including when an object is deleted by an S3 lifecycle rule.

The limitation of CloudTrail not recording object keys for batch deletes (meaning the `DeleteObjects` API) is mentioned in the S3 logging options comparison table: https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html.

Why is the object name missing in CloudTrail logs for S3 DeleteObject events?

Add your answer

Relevant content