Inspect S3 server access logging status
📑 On this page
Part 62 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.
What we are learning
get-bucket-logging shows whether server access logging is configured and where logs should be delivered.
Before you run it
aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.
The command
aws s3api get-bucket-logging --bucket "$BUCKET"A successful configuration command may return no output. Treat inspection as a separate required step.
Inspect the result
aws s3api get-bucket-logging \
--bucket "$BUCKET" \
--query "LoggingEnabled.{TargetBucket:TargetBucket,TargetPrefix:TargetPrefix}" \
--output tableAn empty response means logging is not enabled.
One tiny variation
LOG_BUCKET=$(aws s3api get-bucket-logging \
--bucket "$BUCKET" \
--query "LoggingEnabled.TargetBucket" \
--output text)
echo "$LOG_BUCKET"Capture the destination name for a separate policy and retention review.
Common mistake
A configured destination does not prove logs are arriving. Inspect the destination prefix and its write policy as separate checks.
Cleanup
# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.
Next, we will learn Enable Requester Pays on an S3 bucket.