AWS S3 bucket logs vs AWS cloudtrail

CloudTrail tracks API access for infrastructure-changing events, in S3 this means creating, deleting, and modifying bucket (S3 CloudTrail docs). It is very focused on API methods that modify buckets.

S3 Server Access Logging provides web server-style logging of access to the objects in an S3 bucket. This logging is granular to the object, includes read-only operations, and includes non-API access like static web site browsing.


AWS has added one more functionality since this question was asked, namely CloudTrail Data events

Currently there are 3 features available:

  1. CloudTrail: Which logs almost all API calls at Bucket level Ref
  2. CloudTrail Data Events: Which logs almost all API calls at Object level Ref
  3. S3 server access logs: Which logs almost all (best effort server logs delivery) access calls to S3 objects. Ref

Now, 2 and 3 seem similar functionalities but they have some differences which may prompt users to use one or the other or both(in our case)! Below are the differences which I could find:

  • Both works at different levels of granularity. e.g. CloudTrail data events can be set for all the S3 buckets for the AWS account or just for some folder in S3 bucket. Whereas, S3 server access logs would be set at individual bucket level
  • The S3 server access logs seem to give more comprehensive information about the logs like BucketOwner, HTTPStatus, ErrorCode, etc. Full list

Information which is not available in Cloudtrail logs but is available in Server Access logs. Reference:

  • Fields for Object Size, Total Time, Turn-Around Time, and HTTP Referer for log records
  • Life cycle transitions, expiration, restores
  • Logging of keys in a batch delete operation
  • Authentication failures
  • CloudTrail does not deliver logs for requests that fail authentication (in which the provided credentials are not valid). However, it does include logs for requests in which authorization fails (AccessDenied) and requests that are made by anonymous users.
  • If a request is made by a different AWS Account, you will see the CloudTrail log in your account only if the bucket owner owns or has full access to the object in the request. If that is not the case, the logs will only be seen in the requester account. The logs for the same request will however be delivered in the server access logs of your account without any additional requirements.

AWS Support recommends that decisions can be made using CloudTrail logs and if you need that additional information too which is not available in CloudTrail logs, you can then use Server access logs.