HEX
Server: Apache
System: Linux vps-cdc32557.vps.ovh.ca 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64
User: hanode (1017)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/lib/python3/dist-packages/awscli/examples/s3api/
Upload Files
File: //usr/lib/python3/dist-packages/awscli/examples/s3api/put-bucket-logging.rst
**Example 1: To set bucket policy logging**

The following ``put-bucket-logging`` example sets the logging policy for *MyBucket*. First, grant the logging service principal permission in your bucket policy using the ``put-bucket-policy`` command. ::

    aws s3api put-bucket-policy \
        --bucket MyBucket \
        --policy file://policy.json

Contents of ``policy.json``::

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ServerAccessLogsPolicy",
                "Effect": "Allow",
                "Principal": {"Service": "logging.s3.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::MyBucket/Logs/*",
                "Condition": {
                    "ArnLike": {"aws:SourceARN": "arn:aws:s3:::SOURCE-BUCKET-NAME"},
                    "StringEquals": {"aws:SourceAccount": "SOURCE-AWS-ACCOUNT-ID"}
                }
            }
        ]
    }

To apply the logging policy, use ``put-bucket-logging``. ::

    aws s3api put-bucket-logging \
        --bucket MyBucket \
        --bucket-logging-status file://logging.json

Contents of ``logging.json``::

   {
        "LoggingEnabled": {
            "TargetBucket": "MyBucket",
            "TargetPrefix": "Logs/"
        }
    }

.. Note:: The ``put-bucket-policy`` command is required to grant ``s3:PutObject`` permissions to the logging service principal.

For more information, see `Amazon S3 Server Access Logging <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html>`__ in the *Amazon S3 User Guide*.

**Example 2: To set a bucket policy for logging access to only a single user**

The following ``put-bucket-logging`` example sets the logging policy for *MyBucket*. The AWS user *bob@example.com* will have full control over
the log files, and no one else has any access. First, grant S3 permission with ``put-bucket-acl``. ::

    aws s3api put-bucket-acl \
        --bucket MyBucket \
        --grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
        --grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery

Then apply the logging policy using ``put-bucket-logging``. ::

    aws s3api put-bucket-logging \
        --bucket MyBucket \
        --bucket-logging-status file://logging.json

Contents of ``logging.json``::

    {
        "LoggingEnabled": {
            "TargetBucket": "MyBucket",
            "TargetPrefix": "MyBucketLogs/",
            "TargetGrants": [
                {
                    "Grantee": {
                        "Type": "AmazonCustomerByEmail",
                        "EmailAddress": "bob@example.com"
                    },
                    "Permission": "FULL_CONTROL"
                }
            ]
        }
    }

.. Note:: the ``put-bucket-acl`` command is required to grant S3's log delivery system the necessary permissions (write and read-acp permissions).

For more information, see `Amazon S3 Server Access Logging <https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html>`__ in the *Amazon S3 Developer Guide*.
@ Telegram