S3 server access logging is an AWS feature that provides detailed records of the requests made to an Amazon S3 bucket. These records are useful in many scenarios, including security monitoring and troubleshooting.
Recently, to meet regulatory compliance standards for one of our clients, we needed to enable S3 server access logging for all the accounts where it was not currently enabled.
Upon checking the AWS account, almost 100 S3 buckets were found, and we didn't know which ones had S3 server access logging enabled and which didn't.
Checking this manually and enabling them one by one is a time-consuming and very boring process. So we came up with a Python script that checks whether each bucket has logging enabled and, if it does not, enables it automatically.
Key points of the script
- The script will list the S3 Buckets in the AWS account.
- The script will check for S3 server access logging status.
- If this is not enabled the script will enable this for us.
- The script will print a message like Enabled for the newly enabled ones and Already Enabled for the already enabled buckets along with its name.
The script is attached below.
```python
import boto3

client = boto3.client('s3')
# List every bucket in the account
response = client.list_buckets()

for bucket in response['Buckets']:
    bucket_name = bucket['Name']
    try:
        # 'LoggingEnabled' is only present in the response when logging is configured
        log = client.get_bucket_logging(
            Bucket=bucket_name
        )
        if 'LoggingEnabled' not in log:
            # The target bucket must already allow the S3 logging service to write to it
            client.put_bucket_logging(
                Bucket=bucket_name,
                BucketLoggingStatus={
                    'LoggingEnabled': {
                        'TargetBucket': '<Name of the bucket where you need to store this logs>',
                        'TargetPrefix': f'access-logs/{bucket_name}/'
                    }
                }
            )
            logging_status = "Enabled"
        else:
            logging_status = "Already enabled"
    except Exception as e:
        # Keep the failure reason in the status line instead of discarding it
        logging_status = f"Error: {e}"
    print(f"Bucket Name: {bucket_name}, Access Logging: {logging_status}")
```

Testing the script
Now we are going to test this script.

Here I have 3 S3 buckets: accesslog-test-1, accesslog-test-2, and accesslog-test-log. The first bucket, accesslog-test-1, has server access logging enabled, and the bucket accesslogs-test-logs is used to store these access logs for the bucket.
Let's run the script. I have configured an AWS profile named accesslog-test.
Let's export the profile first and then run our script.

Now the script has enabled server access logging for the rest of the buckets, and the one that already had it is shown as Already enabled.
You can either check them via the console or run the script again to check whether it is enabled.
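For re-checking, a read-only pass is safer than rerunning a script that modifies buckets. The following is an added example, not the original script: `plan_logging`, `bucket_region` and the `apply` flag are names chosen here, and it goes beyond the script above by skipping the log destination bucket, flagging region mismatches, and writing only when `apply=True`.

```python
def bucket_region(client, name):
    # get_bucket_location returns None for us-east-1 and "EU" for legacy eu-west-1 buckets
    loc = client.get_bucket_location(Bucket=name).get("LocationConstraint")
    return {None: "us-east-1", "EU": "eu-west-1"}.get(loc, loc)


def plan_logging(client, target_bucket, apply=False):
    """Return {bucket_name: status}; put_bucket_logging is only called when apply=True."""
    target_region = bucket_region(client, target_bucket)
    results = {}
    for bucket in client.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            if name == target_bucket:
                # Logging the log bucket into itself makes each log delivery create more logs
                results[name] = "Skipped (log destination)"
                continue
            current = client.get_bucket_logging(Bucket=name).get("LoggingEnabled")
            if current:
                # Report where logs go, so a bucket logging to an unexpected target stands out
                results[name] = f"Already enabled -> {current['TargetBucket']}"
                continue
            if bucket_region(client, name) != target_region:
                # S3 requires the source and target buckets to be in the same Region
                results[name] = "Needs a target bucket in its own region"
                continue
            if apply:
                client.put_bucket_logging(
                    Bucket=name,
                    BucketLoggingStatus={"LoggingEnabled": {
                        "TargetBucket": target_bucket,
                        "TargetPrefix": f"access-logs/{name}/",
                    }},
                )
            results[name] = "Enabled" if apply else "Would enable"
        except Exception as e:  # e.g. AccessDenied on a single bucket
            results[name] = f"Error: {e}"
    return results


if __name__ == "__main__":
    import boto3  # imported here so the planning logic above has no AWS dependency
    # Placeholder name (assumption): replace with your own log destination bucket
    for name, status in plan_logging(boto3.client("s3"), "<log-bucket-name>").items():
        print(f"Bucket Name: {name}, Access Logging: {status}")
```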

That’s all, thank you ❤