Posted On: Nov 14, 2022

Amazon S3 server access logs and AWS CloudTrail logs will soon include information that identifies S3 requests that relied on an access control list (ACL) for authorization to succeed. This feature, which will be activated over the next few weeks, gives you the information needed to simplify adopting the S3 security best practice of disabling ACLs.

Amazon S3 launched in 2006 with access control lists as the way to grant access to S3 buckets and objects. Since 2011, Amazon S3 has also supported AWS Identity and Access Management (IAM) policies. Today, the majority of use cases in Amazon S3 no longer require ACLs, and instead are more securely and scalably achieved with IAM policies. We therefore recommend disabling ACLs as a security best practice. The new information we are adding to Amazon S3 server access logs and AWS CloudTrail will allow you to discover any existing applications or access patterns that rely on ACLs for access to your data, so that you can migrate those permissions to IAM policies before you disable ACLs on your S3 bucket.
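The discovery step described above, as an added example that is not part of this announcement or of AWS's own tooling: a small scanner that reads S3 server access log lines and tallies which bucket, requester and operation combinations still depend on an ACL, so those grants can be migrated to IAM policies before ACLs are disabled. The field name, its position (appended as the last field) and its values ("Yes" or "-") are assumptions, since this page does not state them; the log lines are constructed samples with placeholder IDs.

```python
import re
from collections import Counter

# Tokenizer for S3 server access log lines: bare tokens, "quoted" tokens,
# and the [bracketed] timestamp, which contains a space.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Assumption (not stated on this page): the ACL indicator is appended as the
# last field and reads "Yes" when the request needed an ACL, "-" otherwise.
ACL_REQUIRED_VALUE = "Yes"


def parse_line(line):
    """Split one server access log line into the fields the inventory needs."""
    f = _TOKEN.findall(line)
    return {
        "bucket": f[1],
        "requester": f[4],
        "operation": f[6],
        "key": f[7],
        "acl_required": f[-1] == ACL_REQUIRED_VALUE,
    }


def acl_dependencies(lines):
    """Count (bucket, requester, operation) triples whose requests relied on an ACL."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["acl_required"]:
            counts[(rec["bucket"], rec["requester"], rec["operation"])] += 1
    return counts


# Constructed sample log lines (placeholder owner, request and host IDs).
SAMPLE_LOG = """\
OWNERID examplebucket [14/Nov/2022:10:00:00 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/reader REQID1 REST.GET.OBJECT report.csv "GET /examplebucket/report.csv HTTP/1.1" 200 - 1024 1024 12 11 "-" "aws-cli/2.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-east-1.amazonaws.com TLSv1.2 - Yes
OWNERID examplebucket [14/Nov/2022:10:00:05 +0000] 192.0.2.11 arn:aws:iam::111122223333:role/uploader REQID2 REST.PUT.OBJECT data.bin "PUT /examplebucket/data.bin HTTP/1.1" 200 - - 4096 20 19 "-" "aws-sdk-go/1.44" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
OWNERID examplebucket [14/Nov/2022:10:00:09 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/reader REQID3 REST.GET.OBJECT summary.csv "GET /examplebucket/summary.csv HTTP/1.1" 200 - 512 512 9 8 "-" "aws-cli/2.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader examplebucket.s3.us-east-1.amazonaws.com TLSv1.2 - Yes
"""

if __name__ == "__main__":
    for (bucket, requester, op), n in acl_dependencies(SAMPLE_LOG.splitlines()).items():
        print(f"{bucket}\t{requester}\t{op}\t{n} ACL-dependent request(s)")
```

Run it over your own delivered log files once the feature is active; every row it prints is a grant to reproduce in a bucket or IAM policy before disabling ACLs.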

This feature will be available in all AWS Regions, including the AWS GovCloud (US) Regions and the AWS China Regions. AWS CloudTrail usage charges and Amazon S3 charges for storing and accessing the log files apply. Once the feature is activated in all AWS Regions, we will publish a blog post demonstrating how to use it. To learn more, visit the user guides for Amazon S3 server access logs and AWS CloudTrail.