Set Up S3 Server Access Logs

S3 Server Access Logging can be set up for the S3 bucket in which your data will be stored (this bucket is of the form <installation_name>.datacoral). This bucket is in your AWS account and is completely under your control; setting up these logs will provide detailed records of every request made to it, which is useful for auditing purposes.

Using the AWS Console

Follow the instructions here to set up S3 access logs for the data bucket that was created by Datacoral.

Using the AWS CLI

First, create a new bucket in which to save the S3 access logs. Ideally, this S3 bucket will have been configured to not allow any deletes and should be in a separate AWS account.

Next, run the following put-bucket-acl command to grant the S3 Log Delivery group permissions on this audit logs bucket:

aws s3api put-bucket-acl \
    --bucket <audit-logs-bucket> \
    --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
    --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Finally, run the following command to apply the logging policy to the data bucket created by Datacoral:

aws s3api put-bucket-logging \
    --bucket <installation_name>.datacoral \
    --bucket-logging-status file://logging.json

Here, the file logging.json contains information about the S3 bucket in which to save the audit logs and under which prefix to save the logs. It looks like the following:

{
    "LoggingEnabled": {
        "TargetBucket": "<audit-logs-bucket>",
        "TargetPrefix": "<s3-logs-prefix>/"
    }
}
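
Once logs are being delivered under the prefix above, they can be reviewed for auditing. The following is an added example, not part of Datacoral's tooling: a Python sketch that parses S3 server access log records and flags unauthenticated requests, denied requests and successful deletes. The function names, the bucket name example.datacoral and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Leading fields of an S3 server access log record, in AWS's documented order.
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
          "request_id", "operation", "key", "request_uri", "http_status",
          "error_code", "bytes_sent", "object_size", "total_time",
          "turnaround_time", "referer", "user_agent", "version_id"]

# A token is a [bracketed timestamp], a "quoted string", or a run of non-spaces.
TOKEN = re.compile(r'\[[^\]]*\]|"(?:[^"\\]|\\.)*"|\S+')

def parse_record(line):
    """Parse one log line into a dict; fields after version_id are ignored."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated access log record")
    rec = {name: tok.strip('"') for name, tok in zip(FIELDS, tokens)}
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    return rec

def audit_findings(lines):
    """Return (reason, record) pairs that an auditor would want to review."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["requester"] == "-":
            findings.append(("unauthenticated request", rec))
        if rec["http_status"] == "403":
            findings.append(("access denied", rec))
        if ".DELETE." in rec["operation"] and rec["http_status"].startswith("2"):
            findings.append(("successful delete", rec))
    return findings

# Constructed sample records, cut off after version_id; all values are made up.
SAMPLE_LOG = """\
ownerEXAMPLE example.datacoral [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/etl REQ1EXAMPLE REST.GET.OBJECT data/a.csv "GET /data/a.csv HTTP/1.1" 200 - 2048 2048 12 10 "-" "aws-cli/2.0" -
ownerEXAMPLE example.datacoral [06/Feb/2019:00:05:02 +0000] 192.0.2.3 arn:aws:iam::111122223333:user/etl REQ2EXAMPLE REST.DELETE.OBJECT data/a.csv "DELETE /data/a.csv HTTP/1.1" 204 - - 2048 20 - "-" "aws-cli/2.0" -
ownerEXAMPLE example.datacoral [06/Feb/2019:00:09:41 +0000] 198.51.100.7 - REQ3EXAMPLE REST.GET.OBJECT data/b.csv "GET /data/b.csv HTTP/1.1" 403 AccessDenied 243 - 5 - "-" "curl/7.64" -
"""

if __name__ == "__main__":
    for reason, rec in audit_findings(SAMPLE_LOG.splitlines()):
        print(rec["time"].isoformat(), rec["remote_ip"], rec["operation"], rec["key"], reason)
```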