You have content stored in S3 that is accessible to other people, and you would like to find out who is accessing it and when.
Server Access Logging can be enabled on any S3 bucket and will record information in log files each time data in the bucket is accessed. The log files themselves are also stored in an S3 bucket. You can store the logs in the same bucket you are logging or in another bucket, but the logged bucket and the destination bucket must be in the same S3 location.
Once logging is enabled, log files will start to appear in the
logging destination bucket. You can specify a prefix string
that will be prepended to all log file names to make it easier to
identify specific logs.
Logs are generated on a best-effort basis, so there is no guarantee that every access will be logged. If you require an absolute guarantee, you will need to devise a more deterministic approach.
Example 3-8. Enable Logging on an Existing Bucket
import boto
def enable_logging(bucket_name,
log_bucket_name,
log_prefix=None):
"""
Enable logging on a bucket.
bucket_name Bucket to be logged.
log_bucket_name Bucket where logs will be written.
log_prefix A string which will be prepended to all log file names.
"""
s3 = boto.connect_s3()
bucket = s3.lookup(bucket_name)
log_bucket = s3.lookup(log_bucket_name)
# First configure log bucket as a log target.
# This sets permissions on the bucket to allow S3 to write logs.
log_bucket.set_as_logging_target()
# Now enable logging on the bucket and tell S3
# where to deliver the logs.
bucket.enable_logging(log_bucket, target_prefix=log_prefix)
def disable_logging(bucket_name):
"""
Disable logging on a bucket.
bucket_name Bucket that will no longer be logged.
"""
s3 = boto.connect_s3()
bucket = s3.lookup(bucket_name)
bucket.disable_logging()