How can I audit deleted or missing objects from my Amazon S3 bucket?


There's an object or file that's missing from my Amazon Simple Storage Service (Amazon S3) bucket. I want to find information about how the object or file was deleted, and prevent future accidental deletions.

Resolution

To find out how an S3 object was deleted, you can review either server access logs or AWS CloudTrail logs.

Note: You must turn on logging for the bucket before the deletion event occurs. You receive logs only for events that occurred after you turned on logging.

Server access logs

Server access logs record the requests made against the bucket, including deletions that S3 performs on your behalf under a lifecycle configuration. Lifecycle deletions appear in server access logs with operations such as S3.EXPIRE.OBJECT and S3.CREATE.DELETEMARKER, and they are not recorded by CloudTrail, so server access logs are the only place to find them. To turn on server access logging, see Enabling Amazon S3 server access logging. For more information on how to analyze server access logs, see How do I analyze my Amazon S3 server access logs using Athena?
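The following script, added here as an example rather than taken from the AWS article, parses server access log lines and pulls out the delete-related operations so you can see who removed a key, from which IP address, with which client, and whether S3 itself did it under a lifecycle rule. The log lines in SAMPLE_LOG are constructed for the example (the bucket name, account ID, principal names and request IDs are placeholders); the field positions follow the published server access log format, where the timestamp is bracketed and the request URI, referer and user agent are double-quoted.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Server access log operations that remove an object or hide it behind a
# delete marker. The S3.* entries are performed by S3 itself under a
# lifecycle configuration; CloudTrail does not record those.
DELETE_OPERATIONS = {
    "REST.DELETE.OBJECT",             # DeleteObject API call
    "REST.POST.MULTI_OBJECT_DELETE",  # DeleteObjects API call (one entry per request)
    "BATCH.DELETE.OBJECT",            # one entry per key removed by DeleteObjects
    "S3.EXPIRE.OBJECT",               # lifecycle expiration
    "S3.CREATE.DELETEMARKER",         # lifecycle-created delete marker (versioned bucket)
}

# Fields are space-separated, except that the timestamp is bracketed and the
# request URI, referer and user agent are double-quoted and may contain spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


@dataclass
class DeleteRecord:
    time: str
    remote_ip: str
    requester: str
    request_id: str
    operation: str
    key: str
    version_id: str
    status: str
    user_agent: str


def _field(fields: List[str], index: int) -> str:
    """Return a positional field, or '-' if the line uses an older, shorter format."""
    return fields[index] if index < len(fields) else "-"


def parse_line(line: str) -> Optional[DeleteRecord]:
    """Parse one log line; return a record only for delete-related operations."""
    fields = _TOKEN.findall(line)
    if len(fields) < 17:  # not a complete access log record
        return None
    operation = fields[6]
    if operation not in DELETE_OPERATIONS:
        return None
    return DeleteRecord(
        time=fields[2].strip("[]"),
        remote_ip=fields[3],
        requester=fields[4],
        request_id=fields[5],
        operation=operation,
        key=fields[7],
        version_id=_field(fields, 17),
        status=fields[9],
        user_agent=fields[16].strip('"'),
    )


def find_deletes(lines: Iterable[str]) -> List[DeleteRecord]:
    """Return every delete-related record in the given log lines, in order."""
    return [rec for rec in (parse_line(line) for line in lines) if rec is not None]


def deletes_by_requester(records: Iterable[DeleteRecord]) -> Dict[str, int]:
    """Count delete operations per requester; lifecycle entries show up under AmazonS3."""
    return dict(Counter(rec.requester for rec in records))


# Constructed sample lines (not real log data): a GET, an IAM user's
# DeleteObject, and a lifecycle expiration performed by S3 itself.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 7 6 "-" "aws-cli/2.15.0" - s9lzHYrFp76ZVxRcpX9EXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - Yes
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:00:01:12 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 7C1EE3F3EXAMPLE REST.DELETE.OBJECT reports/q1.csv "DELETE /reports/q1.csv HTTP/1.1" 204 - - 2048 9 8 "-" "aws-cli/2.15.0" 3HL4kqtJvjVBH40Nrjfkd - SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader amzn-s3-demo-bucket.s3.us-west-1.amazonaws.com TLSV1.2 - Yes
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be amzn-s3-demo-bucket [06/Feb/2019:03:00:00 +0000] - AmazonS3 A1206F460EXAMPLE S3.EXPIRE.OBJECT logs/2018/app.log "-" 200 - - 51200 - - "-" "-" - - - - - - - - -
"""

if __name__ == "__main__":
    records = find_deletes(SAMPLE_LOG.splitlines())
    for rec in records:
        print(f"{rec.time} {rec.operation:<28} {rec.key:<20} by {rec.requester} "
              f"from {rec.remote_ip} ua={rec.user_agent!r} version={rec.version_id}")
    print(deletes_by_requester(records))
```

Point find_deletes at the lines of the downloaded log objects (or at the rows your Athena query returns) and group the result by requester and source IP; a deletion whose requester is the S3 service and whose remote IP is "-" was a lifecycle action, not a person or application, and that is the case CloudTrail cannot show you.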

CloudTrail logs

CloudTrail can record object-level data events in an S3 bucket, such as GetObject, DeleteObject, DeleteObjects, and PutObject. By default, CloudTrail records only bucket-level management events (for example, CreateBucket, DeleteBucket, and PutBucketPolicy), so object deletions are not logged until you turn on data events for the bucket. To turn on CloudTrail logging for object-level events, see Enabling CloudTrail event logging for S3 buckets and objects. For more information on how to find specific events, see Why aren't Amazon S3 object-level API actions appearing in my CloudTrail Event history?

Note: Because object-level logging incurs additional charges, make sure to review the pricing for CloudTrail data events.
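CloudTrail delivers data events to the trail's destination bucket as gzipped JSON files with a Records list. The script below, added here as an example and not part of the AWS article, reads such records and keeps only the S3 delete events, showing the calling principal, the identity type (IAM user, assumed role, root), the source IP, the bucket, the key, and whether the call was denied. The records in SAMPLE_RECORDS are constructed for the example with placeholder account IDs, role and user names; the field names (userIdentity, eventSource, eventName, requestParameters, resources, errorCode) are the standard CloudTrail record fields.

```python
import gzip
import json
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

# S3 data events that remove objects. These reach CloudTrail only after
# object-level (data event) logging is turned on for the bucket.
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}


@dataclass
class DeleteEvent:
    time: str
    event_name: str
    principal: str            # userIdentity.arn: who made the call
    identity_type: str        # IAMUser, AssumedRole, Root, AWSService, ...
    source_ip: str
    bucket: str
    key: str
    error_code: Optional[str]  # set when the delete was denied or failed


def _object_key(rec: Dict[str, Any]) -> str:
    """DeleteObject carries the key in requestParameters and in the AWS::S3::Object
    resource ARN; DeleteObjects (multi-object delete) names only the bucket."""
    params = rec.get("requestParameters") or {}
    if params.get("key"):
        return params["key"]
    for res in rec.get("resources") or []:
        if res.get("type") == "AWS::S3::Object":
            bucket_and_key = res.get("ARN", "").split(":::", 1)[-1]
            if "/" in bucket_and_key:
                return bucket_and_key.split("/", 1)[1]
    return "-"


def extract_delete_events(records: Iterable[Dict[str, Any]]) -> List[DeleteEvent]:
    """Keep only S3 delete data events, in delivery order."""
    events: List[DeleteEvent] = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in DELETE_EVENTS:
            continue
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}
        events.append(DeleteEvent(
            time=rec.get("eventTime", "-"),
            event_name=rec["eventName"],
            principal=ident.get("arn") or ident.get("type", "-"),
            identity_type=ident.get("type", "-"),
            source_ip=rec.get("sourceIPAddress", "-"),
            bucket=params.get("bucketName", "-"),
            key=_object_key(rec),
            error_code=rec.get("errorCode"),
        ))
    return events


def succeeded(events: Iterable[DeleteEvent]) -> List[DeleteEvent]:
    """Drop denied or failed calls: an AccessDenied DeleteObject removed nothing."""
    return [e for e in events if e.error_code is None]


def deletes_by_principal(events: Iterable[DeleteEvent]) -> Dict[str, int]:
    return dict(Counter(e.principal for e in succeeded(events)))


def load_trail_file(path: str) -> List[Dict[str, Any]]:
    """Read one delivered CloudTrail log file (gzipped JSON with a 'Records' list)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return json.load(fh).get("Records", [])


# Constructed sample records (not real CloudTrail output): a read, a delete by
# an assumed role, a multi-object delete by an IAM user, and a denied delete.
_BUCKET = "amzn-s3-demo-bucket"
_HOST = f"{_BUCKET}.s3.us-west-1.amazonaws.com"
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventTime": "2024-05-01T10:14:02Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "192.0.2.3", "requestParameters": {"bucketName": _BUCKET, "Host": _HOST, "key": "reports/q1.csv"},
     "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{_BUCKET}/reports/q1.csv"}]},
    {"eventTime": "2024-05-01T10:15:30Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"bucketName": _BUCKET, "Host": _HOST, "key": "reports/q1.csv"},
     "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{_BUCKET}/reports/q1.csv"},
                   {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{_BUCKET}"}]},
    {"eventTime": "2024-05-01T10:20:11Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObjects",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "203.0.113.9", "requestParameters": {"bucketName": _BUCKET, "Host": _HOST, "delete": ""},
     "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{_BUCKET}"}]},
    {"eventTime": "2024-05-01T10:25:45Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
     "sourceIPAddress": "192.0.2.44", "errorCode": "AccessDenied", "errorMessage": "Access Denied",
     "requestParameters": {"bucketName": _BUCKET, "Host": _HOST, "key": "reports/q2.csv"},
     "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{_BUCKET}/reports/q2.csv"}]},
]

if __name__ == "__main__":
    for e in extract_delete_events(SAMPLE_RECORDS):
        print(f"{e.time} {e.event_name:<13} {e.bucket}/{e.key:<16} by {e.principal} "
              f"({e.identity_type}) from {e.source_ip} error={e.error_code}")
    print(deletes_by_principal(extract_delete_events(SAMPLE_RECORDS)))
```

Two things to keep in mind when you run this against a real trail: data events do not appear in the 90-day CloudTrail Event history in the console, so read them from the log files the trail delivers (load_trail_file) or query them in CloudTrail Lake or Athena; and a DeleteObjects record does not list the individual keys, so pair it with the server access log, where each removed key gets its own entry.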

To prevent future accidental deletions, it's a best practice to use one of the following features:

AWS OFFICIAL. Updated 5 months ago.