There are more AWS SDK examples available in the [AWS Doc SDK Examples](https://github.com/awsdocs/aws-doc-sdk-examples) GitHub repo.
# Use `PutBucketLogging` with an AWS SDK or CLI
The following code examples show how to use `PutBucketLogging`.
------
#### [ .NET ]
**SDK for .NET**
There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/S3#code-examples).
```
using System;
using System.IO;
using System.Threading.Tasks;
using Amazon.S3;
using Amazon.S3.Model;
using Microsoft.Extensions.Configuration;
///
/// This example shows how to enable logging on an Amazon Simple Storage
/// Service (Amazon S3) bucket. You need to have two Amazon S3 buckets for
/// this example. The first is the bucket for which you wish to enable
/// logging, and the second is the location where you want to store the
/// logs.
///
public class ServerAccessLogging
{
private static IConfiguration _configuration = null!;
public static async Task Main()
{
LoadConfig();
string bucketName = _configuration["BucketName"];
string logBucketName = _configuration["LogBucketName"];
string logObjectKeyPrefix = _configuration["LogObjectKeyPrefix"];
string accountId = _configuration["AccountId"];
// If the AWS Region defined for your default user is different
// from the Region where your Amazon S3 bucket is located,
// pass the Region name to the Amazon S3 client object's constructor.
// For example: RegionEndpoint.USWest2 or RegionEndpoint.USEast2.
IAmazonS3 client = new AmazonS3Client();
try
{
// Update bucket policy for target bucket to allow delivery of logs to it.
await SetBucketPolicyToAllowLogDelivery(
client,
bucketName,
logBucketName,
logObjectKeyPrefix,
accountId);
// Enable logging on the source bucket.
await EnableLoggingAsync(
client,
bucketName,
logBucketName,
logObjectKeyPrefix);
}
catch (AmazonS3Exception e)
{
Console.WriteLine($"Error: {e.Message}");
}
}
///
/// This method grants appropriate permissions for logging to the
/// Amazon S3 bucket where the logs will be stored.
///
/// The initialized Amazon S3 client which will be used
/// to apply the bucket policy.
/// The name of the source bucket.
/// The name of the bucket where logging
/// information will be stored.
/// The logging prefix where the logs should be delivered.
/// The account id of the account where the source bucket exists.
/// Async task.
public static async Task SetBucketPolicyToAllowLogDelivery(
IAmazonS3 client,
string sourceBucketName,
string logBucketName,
string logPrefix,
string accountId)
{
var resourceArn = @"""arn:aws:s3:::" + logBucketName + "/" + logPrefix + @"*""";
var newPolicy = @"{
""Statement"":[{
""Sid"": ""S3ServerAccessLogsPolicy"",
""Effect"": ""Allow"",
""Principal"": { ""Service"": ""logging.s3.amazonaws.com"" },
""Action"": [""s3:PutObject""],
""Resource"": [" + resourceArn + @"],
""Condition"": {
""ArnLike"": { ""aws:SourceArn"": ""arn:aws:s3:::" + sourceBucketName + @""" },
""StringEquals"": { ""aws:SourceAccount"": """ + accountId + @""" }
}
}]
}";
Console.WriteLine($"The policy to apply to bucket {logBucketName} to enable logging:");
Console.WriteLine(newPolicy);
PutBucketPolicyRequest putRequest = new PutBucketPolicyRequest
{
BucketName = logBucketName,
Policy = newPolicy,
};
await client.PutBucketPolicyAsync(putRequest);
Console.WriteLine("Policy applied.");
}
///
/// This method enables logging for an Amazon S3 bucket. Logs will be stored
/// in the bucket you selected for logging. Selected prefix
/// will be prepended to each log object.
///
/// The initialized Amazon S3 client which will be used
/// to configure and apply logging to the selected Amazon S3 bucket.
/// The name of the Amazon S3 bucket for which you
/// wish to enable logging.
/// The name of the Amazon S3 bucket where logging
/// information will be stored.
/// The prefix to prepend to each
/// object key.
/// Async task.
public static async Task EnableLoggingAsync(
IAmazonS3 client,
string bucketName,
string logBucketName,
string logObjectKeyPrefix)
{
Console.WriteLine($"Enabling logging for bucket {bucketName}.");
var loggingConfig = new S3BucketLoggingConfig
{
TargetBucketName = logBucketName,
TargetPrefix = logObjectKeyPrefix,
};
var putBucketLoggingRequest = new PutBucketLoggingRequest
{
BucketName = bucketName,
LoggingConfig = loggingConfig,
};
await client.PutBucketLoggingAsync(putBucketLoggingRequest);
Console.WriteLine($"Logging enabled.");
}
///
/// Loads configuration from settings files.
///
public static void LoadConfig()
{
_configuration = new ConfigurationBuilder()
.SetBasePath(Directory.GetCurrentDirectory())
.AddJsonFile("settings.json") // Load settings from .json file.
.AddJsonFile("settings.local.json", true) // Optionally, load local settings.
.Build();
}
}
```
+ For API details, see [PutBucketLogging](https://docs.aws.amazon.com/goto/DotNetSDKV3/s3-2006-03-01/PutBucketLogging) in *AWS SDK for .NET API Reference*.
------
#### [ CLI ]
**AWS CLI**
**Example 1: To set bucket policy logging**
The following `put-bucket-logging` example sets the logging policy for *amzn-s3-demo-bucket*. First, grant the logging service principal permission in your bucket policy using the `put-bucket-policy` command.
```
aws s3api put-bucket-policy \
--bucket amzn-s3-demo-bucket \
--policy file://policy.json
```
Contents of `policy.json`:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "S3ServerAccessLogsPolicy",
"Effect": "Allow",
"Principal": {"Service": "logging.s3.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/Logs/*",
"Condition": {
"ArnLike": {"aws:SourceARN": "arn:aws:s3:::SOURCE-BUCKET-NAME"},
"StringEquals": {"aws:SourceAccount": "SOURCE-AWS-ACCOUNT-ID"}
}
}
]
}
```
To apply the logging policy, use `put-bucket-logging`.
```
aws s3api put-bucket-logging \
--bucket amzn-s3-demo-bucket \
--bucket-logging-status file://logging.json
```
Contents of `logging.json`:
```
{
"LoggingEnabled": {
"TargetBucket": "amzn-s3-demo-bucket",
"TargetPrefix": "Logs/"
}
}
```
The `put-bucket-policy` command is required to grant `s3:PutObject` permissions to the logging service principal.
For more information, see [Amazon S3 Server Access Logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) in the *Amazon S3 User Guide*.
**Example 2: To set a bucket policy for logging access to only a single user**
The following `put-bucket-logging` example sets the logging policy for *amzn-s3-demo-bucket*. The AWS user *bob@example.com* will have full control over the log files, and no one else has any access. First, grant S3 permission with `put-bucket-acl`.
```
aws s3api put-bucket-acl \
--bucket amzn-s3-demo-bucket \
--grant-write URI=http://acs.amazonaws.com/groups/s3/LogDelivery \
--grant-read-acp URI=http://acs.amazonaws.com/groups/s3/LogDelivery
```
Then apply the logging policy using `put-bucket-logging`.
```
aws s3api put-bucket-logging \
--bucket amzn-s3-demo-bucket \
--bucket-logging-status file://logging.json
```
Contents of `logging.json`:
```
{
"LoggingEnabled": {
"TargetBucket": "amzn-s3-demo-bucket",
"TargetPrefix": "amzn-s3-demo-bucket-logs/",
"TargetGrants": [
{
"Grantee": {
"Type": "AmazonCustomerByEmail",
"EmailAddress": "bob@example.com"
},
"Permission": "FULL_CONTROL"
}
]
}
}
```
the `put-bucket-acl` command is required to grant S3's log delivery system the necessary permissions (write and read-acp permissions).
For more information, see [Amazon S3 Server Access Logging](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html) in the *Amazon S3 Developer Guide*.
+ For API details, see [PutBucketLogging](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-logging.html) in *AWS CLI Command Reference*.
------