How can I audit deleted or missing objects from my Amazon S3 bucket?

Last updated: 2019-11-19

There's an object or file that's missing from my Amazon Simple Storage Service (Amazon S3) bucket. Where can I find information about how the object or file was deleted? How can I prevent future accidental deletions? 

Resolution

To find out how an S3 object was deleted, you can review either server access logs or AWS CloudTrail logs.

Note: Logging must be enabled on the bucket prior to the deletion event. You receive logs only for events that occurred after logging was enabled.

Server access logs track S3 operations performed manually or as part of a lifecycle configuration. To enable server access logging, see How Do I Enable Server Access Logging for an S3 Bucket? For more information on how to analyze server access logs, see How do I analyze my Amazon S3 server access logs using Athena?

CloudTrail logs can track object-level data events in an S3 bucket, such as GetObject, DeleteObject, and PutObject. To enable CloudTrail logs for object-level events, see How Do I Enable Object-Level Logging for an S3 Bucket with AWS CloudTrail Data Events? For more information on how to find specific events, see I enabled object-level logging for my Amazon S3 bucket. Where can I find the events in the CloudTrail event history?

Note: By default, CloudTrail records bucket-level events. To get logs for object-level operations like GetObject, DeleteObject, and PutObject, you must configure object-level logging. Object-level logging incurs additional charges, so be sure to review the pricing for CloudTrail data events.

To prevent or mitigate future accidental deletions, consider the following features:


Did this article help you?

Anything we could improve?


Need more help?