• FAQ
  • Amazon S3

Amazon S3

Once logging is enabled for a bucket, available log records are aggregated into log files and delivered to you via an Amazon S3 bucket of your choosing on an hourly basis.

Logging Setup

  • Using Qloudstat Choose to Edit a configuration. On the edit page you can toggle access log delivery using Enable Logging button. Note that your changes are applied instantaneously.

  • Using Cyberduck Follow the instructions to enable bucket logging and choosing a target bucket for access logs on the Cyberduck Help Wiki. Cyberduck also provides a convenient feature to add an IAM user to your AWS account that Qloudstat can use to read your access logs.

  • Using the AWS Console Log into the AWS Console and choose Properties for the bucket you want configure access logs to be delivered. Set the target bucket and prefix for AWS to deliver log files to:

    • The logging target should be another S3 bucket than the origin. Otherwise your report will include requests for log files delivered by Amazon and download requests for log files.
    • Use a different logging target bucket for every S3 bucket. Or at least choose a different logging target prefix. This will help Qloudstat to fetch your log files more efficiently.

Authentication for Qloudstat

You can find a fine grained IAM policy snippet preconfigured with your bucket names when editing your configuration.

  • Authentication for Qloudstat with IAM Read Only Policy Template The access key and secret are preferrably the credentials of a dedicated IAM user created to give Qloudstat access to your account. Please use the AWS Console to create an IAM user with grants provided to access your log files.

    Follow these steps to create a new IAM user:

    • Choose Create New Users in the IAM Console.
    • Make sure the checkbox Generate an access key for each User is selected.
    • After creating the user, select Show User Security Credentials.
    • Copy the Access Key Id and Secret Access Key to paste here.
    • Select the newly created user in the list and choose the Permissions tab.
    • Select Attach User Policy.
    • From Select Policy Template choose Amazon S3 Read Only Access and click Apply Policy.
  • Authentication for Qloudstat with IAM Custom Policy Alternatively you can set up a more restrictive custom policy with the following document:

    {
        "Statement": [
            {
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLogging",
                    "s3:GetBucketLocation"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Action": [
                    "s3:ListBucket"
                ],
                "Condition": {
                    "Bool": { "aws:SecureTransport": "true" },
                    "StringLike" : {"s3:prefix":["*"]}
                },
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "s3:GetObject"
                ],
                "Condition": {
                    "Bool": { "aws:SecureTransport": "true" }
                },
                "Effect": "Allow",
                "Resource": "*"
            }
        ]
    }

    Replace loggingtargetbucket with the name of your logging target bucket.

    More information can be found in the AWS Reference.

Log File Delivery Interval

Log files are delivered to the target logging bucket on an hourly basis.

Supported Dimensions & Metrics

Refer to the list of Dimensions and Metrics

Purge Log Files

You can find a IAM policy snippet preconfigured with your bucket names when editing your configuration. Add the following statement to your existing IAM policy:

{
    "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::*"
    }
    ]
}