Posted On: Dec 19, 2022

Amazon S3 server access logs and Amazon CloudTrail logs will soon contain information that identifies S3 requests whose authorization succeeded only because of an access control list (ACL). This feature, which will be activated over the next few weeks, gives you the information you need to adopt the S3 security best practice of disabling ACLs.

Amazon S3 launched in 2006 with access control lists as the way to grant access to S3 buckets and objects. Since 2011, Amazon S3 has also supported Amazon Identity and Access Management (IAM) policies. Today, the majority of use cases in Amazon S3 no longer require ACLs, and instead are more securely and scalably achieved with IAM policies. We therefore recommend disabling ACLs as a security best practice. The new information we are adding to Amazon S3 server access logs and Amazon CloudTrail will allow you to discover any existing applications or access patterns that rely on ACLs for access to your data, so that you can migrate those permissions to IAM policies before you disable ACLs on your S3 bucket.
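The discovery step described above, as an added example that is not part of the announcement or of any AWS tooling: a small script that scans CloudTrail records for requests marked as ACL-dependent and groups them by bucket, principal and API call, so the resulting list can be migrated to IAM or bucket policies before ACLs are disabled. The `additionalEventData.aclRequired` key and the sample records are assumptions; the announcement itself does not name the field.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data). The
# "aclRequired" key under additionalEventData is assumed to be the marker
# the announcement refers to; the announcement does not name the field.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/legacy-app"},
     "requestParameters": {"bucketName": "example-data", "key": "a.txt"},
     "additionalEventData": {"aclRequired": "Yes"}},
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-data", "key": "b.txt"},
     "additionalEventData": {}},
    {"eventName": "ListObjects", "userIdentity": {"arn": "arn:aws:iam::444455556666:role/partner"},
     "requestParameters": {"bucketName": "example-shared"},
     "additionalEventData": {"aclRequired": "Yes"}},
    {"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/legacy-app"},
     "requestParameters": {"bucketName": "example-data", "key": "c.txt"},
     "additionalEventData": {"aclRequired": "Yes"}},
]})


def acl_dependent_requests(cloudtrail_json: str) -> Counter:
    """Count requests that were authorized by an ACL, keyed by
    (bucket, principal ARN, API name). An empty result for the log window
    you examined means no caller still depends on ACLs for that bucket."""
    records = json.loads(cloudtrail_json).get("Records", [])
    hits = Counter()
    for rec in records:
        extra = rec.get("additionalEventData") or {}
        if extra.get("aclRequired") != "Yes":
            continue  # authorized by IAM or a bucket policy; nothing to migrate
        bucket = (rec.get("requestParameters") or {}).get("bucketName", "?")
        principal = (rec.get("userIdentity") or {}).get("arn", "?")
        hits[(bucket, principal, rec.get("eventName", "?"))] += 1
    return hits


if __name__ == "__main__":
    # Each line is one (bucket, principal, API) combination to move to an IAM
    # or bucket policy grant before ACLs are turned off on that bucket.
    for (bucket, principal, api), n in acl_dependent_requests(SAMPLE_EVENTS).most_common():
        print(f"{bucket:15} {api:12} {n:4}  {principal}")
```

Run it against CloudTrail log files for the period you consider representative; a principal that shows up only here still needs a policy grant, not just an ACL removal.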

This feature will be available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. Amazon CloudTrail usage charges and Amazon S3 charges for storing and accessing the log files apply. Once the feature is activated, we will publish a blog post demonstrating how to use it. To learn more, visit the user guides for Amazon S3 server access logs and Amazon CloudTrail.