|
Server : Apache System : Linux iad1-shared-b8-43 6.6.49-grsec-jammy+ #10 SMP Thu Sep 12 23:23:08 UTC 2024 x86_64 User : dh_edsupp ( 6597262) PHP Version : 8.2.26 Disable Function : NONE Directory : /lib/python3/dist-packages/awscli/examples/s3api/ |
Upload File : |
**Example 1: To set bucket policy logging**
The following ``put-bucket-logging`` example sets the logging policy for *MyBucket*. First, grant the logging service principal permission in your bucket policy using the ``put-bucket-policy`` command. ::
aws s3api put-bucket-policy \
--bucket MyBucket \
--policy file://policy.json
Contents of ``policy.json``::
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3ServerAccessLogsPolicy",
"Effect": "Allow",
"Principal": {"Service": "logging.s3.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MyBucket/Logs/*",
"Condition": {
"ArnLike": {"aws:SourceARN": "arn:aws:s3:::SOURCE-BUCKET-NAME"},
"StringEquals": {"aws:SourceAccount": "SOURCE-AWS-ACCOUNT-ID"}
}
}
]
}
To apply the logging policy, use ``put-bucket-logging``. ::
aws s3api put-bucket-logging \
--bucket MyBucket \
--bucket-logging-status file://logging.json
Contents of ``logging.json``::
{
"LoggingEnabled": {
"TargetBucket": "MyBucket",
"TargetPrefix": "Logs/"
}
}
.. Note:: The ``put-bucket-policy`` command is required to grant ``s3:PutObject`` permissions to the logging service principal.
For more information, see `Amazon S3 Server Access Logging <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html>`__ in the *Amazon S3 User Guide*.
**Example 2: To set a bucket policy for logging access to only a single user**
The following ``put-bucket-logging`` example sets the logging policy for *MyBucket*. The AWS user *bob@example.com* will have full control over
the log files, and no one else has any access. First, grant S3 permission with ``put-bucket-acl``. ::
aws s3api put-bucket-acl \
--bucket MyBucket \
--grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
--grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery
Then apply the logging policy using ``put-bucket-logging``. ::
aws s3api put-bucket-logging \
--bucket MyBucket \
--bucket-logging-status file://logging.json
Contents of ``logging.json``::
{
"LoggingEnabled": {
"TargetBucket": "MyBucket",
"TargetPrefix": "MyBucketLogs/",
"TargetGrants": [
{
"Grantee": {
"Type": "AmazonCustomerByEmail",
"EmailAddress": "bob@example.com"
},
"Permission": "FULL_CONTROL"
}
]
}
}
.. Note:: the ``put-bucket-acl`` command is required to grant S3's log delivery system the necessary permissions (write and read-acp permissions).
For more information, see `Amazon S3 Server Access Logging <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html>`__ in the *Amazon S3 Developer Guide*.