← All posts
2 min read

Inspect S3 server access logging status

#aws#cli#s3#storage#observability
📑 On this page

Part 62 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

get-bucket-logging shows whether server access logging is configured and where logs should be delivered.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

aws s3api get-bucket-logging --bucket "$BUCKET"

A successful configuration command may return no output. Treat inspection as a separate required step.

Inspect the result

aws s3api get-bucket-logging \
  --bucket "$BUCKET" \
  --query "LoggingEnabled.{TargetBucket:TargetBucket,TargetPrefix:TargetPrefix}" \
  --output table

An empty response means logging is not enabled.

One tiny variation

LOG_BUCKET=$(aws s3api get-bucket-logging \
  --bucket "$BUCKET" \
  --query "LoggingEnabled.TargetBucket" \
  --output text)
echo "$LOG_BUCKET"

Capture the destination name for a separate policy and retention review.

Common mistake

A configured destination does not prove logs are arriving. Inspect the destination prefix and its write policy as separate checks.

Cleanup

# This lesson does not require an additional persistent resource.
aws s3api head-bucket --bucket "$BUCKET"

Keep the shared demo bucket for the next lesson, or remove only the configuration and objects created here.

Next, we will learn Enable Requester Pays on an S3 bucket.

Official AWS CLI reference