I have two buckets, one named A and another named logs. I went to the permissions page for A and enabled service logging, and set the target to logs bucket. According to the AWS documentation, this should enable logging.
Amazon S3 uses a special log delivery account, called the Log Delivery
group, to write access logs. These writes are subject to the usual
access control restrictions. You must grant the Log Delivery group
write permission on the target bucket by adding a grant entry in the
bucket's access control list (ACL). If you use the Amazon S3 console
to enable logging on a bucket, the console both enables logging on the
source bucket and updates the ACL on the target bucket to grant write
permission to the Log Delivery group.
I let the buckets sit for hours before uploading a file to A, but I see no logs anywhere. Did I understand the above paragraph wrong and have to generate a bucket policy for logs? Or is there something else I'm missing?
Best Answer
This part of reference is wrong.
"If you use the Amazon S3 console to enable logging on a bucket, the console both enables logging on the source bucket and updates the ACL on the target bucket to grant write permission to the Log Delivery group."
It can't guaranty that it always updates the ACL on the target bucket successfully. If you logging target is in "Block public access to buckets and objects granted through new access control lists (ACLs)", update will fail. So your logging bucket won't work as expected.
You should check logging bucket. Go to Permissions, check if "S3 log delivery group" is enabled in Public Access.