Blogs by Jay Tillu

How to Detect Suspicious S3 Activity Using Access Logs


It was a quiet Tuesday morning when Arjun, a security engineer, got an alert: someone tried to access a sensitive file in his S3 bucket — but he had no clue who.

That’s when he realized he hadn't turned on S3 Access Logs.

Let’s walk through what S3 Access Logs are, how they work, why they matter for the AWS SAA exam, and how they saved Arjun’s day.


🔍 What Are S3 Access Logs?

S3 Access Logs record every single request made to an S3 bucket. Whether the request was:

  • Authorized

  • Denied

  • Successful 📥

  • Failed 🚫

…it’s all logged.

And those logs are stored as files in a separate S3 bucket — which Arjun can now analyze using tools like Amazon Athena, CloudWatch Logs, or third-party SIEMs.


🎯 Why Use S3 Access Logs?

Access Logs help you:

  • 🔍 Audit who accessed your data

  • 🛡️ Detect unauthorized access attempts

  • 🧾 Maintain compliance (ISO 27001, SOC2, etc.)

  • 📊 Analyze usage patterns for billing or optimization

For Arjun’s company — where compliance and security were top priorities — Access Logs became non-negotiable.


🏗️ How It Works (Behind the Scenes)

Here’s what happens under the hood:

  1. A request is made to your S3 bucket (e.g., uploading, reading, deleting).

  2. AWS generates a log entry with details like:

    • Request time

    • Source IP

    • Request type (GET, PUT, etc.)

    • Response status

    • User-Agent, and more

  3. That log is stored as a text file in another designated logging bucket.


⚠️ Arjun’s Mistake: A Logging Loop Nightmare

Arjun, in a hurry, made a rookie mistake:
He set the logging bucket to be the same as the bucket he was monitoring.

💣 Big mistake.

This created a logging loop:
Each new log file triggered another log entry, which generated another log, and so on...

Result? 📈 Exploding storage costs. Endless logs. Major headaches.

🧠 Lesson:
NEVER set the monitored bucket and logging bucket to be the same.


🌐 AWS Region Requirement

Sneha also learned that:

🎯 The logging bucket must be in the same AWS region as the source bucket.

Otherwise, S3 rejects the logging configuration and no logs are delivered.


🔍 What Do Access Logs Look Like?

Each log entry is a plain text line with fields like:

79a5cEXAMPLE mybucket [28/May/2025:15:00:00 +0000] 192.0.2.3 requester-id REST.GET.OBJECT image.jpg "GET /image.jpg HTTP/1.1" 200 - 123456789 20 - "Mozilla/5.0" -

You can use Amazon Athena to query this data using SQL and track usage across buckets.

💡 AWS provides the full Access Log Format documentation here
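As an added example (not code from the original post), here is a small Python parser for the server access log format that pulls out the denied requests and counts them per source IP, which is the kind of check Arjun would run over the logging bucket. The field order follows the AWS log format; the lines in SAMPLE_LOG are constructed for this example, not real log data.

```python
import re
from collections import Counter

# Field names in the order AWS writes them (S3 Server Access Log Format);
# trailing fields (host id, TLS version, ...) are kept under "extra".
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turnaround_time",
    "referer", "user_agent", "version_id",
]
# A token is a [bracketed timestamp], a "quoted string", or a bare word.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_line(line):
    """Split one access-log line into a dict keyed by FIELDS."""
    tokens = [t.strip('[]"') for t in TOKEN.findall(line)]
    if len(tokens) < 11:  # status and error code are the 10th/11th fields
        raise ValueError("not an S3 access log line: %r" % line)
    entry = dict(zip(FIELDS, tokens))
    entry["extra"] = tokens[len(FIELDS):]
    return entry

def is_denied(entry):
    """True for requests S3 refused (HTTP 403 or an AccessDenied error)."""
    return entry["http_status"] == "403" or entry["error_code"] == "AccessDenied"

def analyze(lines, threshold=2):
    """Return (denied entries, {ip: denial count} for IPs at/over threshold)."""
    denied = [e for e in map(parse_line, lines) if is_denied(e)]
    per_ip = Counter(e["remote_ip"] for e in denied)
    noisy = {ip: n for ip, n in per_ip.items() if n >= threshold}
    return denied, noisy

# Constructed sample entries in the AWS field order (not real log data).
SAMPLE_LOG = """\
79a5cEXAMPLE mybucket [28/May/2025:15:00:00 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/arjun 3E57427F3EXAMPLE REST.GET.OBJECT report.pdf "GET /mybucket/report.pdf HTTP/1.1" 200 - 4096 4096 20 15 "-" "aws-cli/2.15.0" -
79a5cEXAMPLE mybucket [28/May/2025:15:01:10 +0000] 198.51.100.7 - 7A3C91B2EXAMPLE REST.GET.OBJECT salaries.xlsx "GET /mybucket/salaries.xlsx HTTP/1.1" 403 AccessDenied - - 5 - "-" "Mozilla/5.0" -
79a5cEXAMPLE mybucket [28/May/2025:15:01:12 +0000] 198.51.100.7 - 9C12D4E5EXAMPLE REST.GET.OBJECT secrets.env "GET /mybucket/secrets.env HTTP/1.1" 403 AccessDenied - - 4 - "-" "Mozilla/5.0" -
79a5cEXAMPLE mybucket [28/May/2025:15:02:30 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/arjun 1B2C3D4EEXAMPLE REST.PUT.OBJECT notes.txt "PUT /mybucket/notes.txt HTTP/1.1" 200 - - 512 30 20 "-" "aws-cli/2.15.0" -
"""

if __name__ == "__main__":
    denied, noisy = analyze(SAMPLE_LOG.splitlines())
    for e in denied:
        print(e["time"], e["remote_ip"], e["operation"], e["key"], e["error_code"])
    print("IPs with repeated denials:", noisy)
```

The same logic maps directly onto an Athena query over the logging bucket (filter on the status and error-code columns, group by remote IP).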


🧠 AWS SAA Exam Tip

You may get a question like:

"How can you log all access requests to an S3 bucket, including denied requests?"

Correct Answer: Enable S3 Server Access Logging
✅ Logs all access (authorized or denied)
✅ Stored in another S3 bucket
❌ Do NOT use the same bucket to avoid logging loops


✅ Summary: What Arjun Learned

  • S3 Access Logs help audit access and improve security

  • They must log into a different bucket in the same region

  • You can analyze them using Athena or similar tools

  • Common SAA exam topic related to security and monitoring

