March 1, 2023
To find out how an S3 object was deleted, review either server access logs or AWS CloudTrail logs.
Note: You must turn on logging for the bucket before the deletion event occurs. You receive logs only for events that occurred after you turned on logging.
Server access logs track Amazon S3 operations that you perform manually or as part of a lifecycle configuration. To turn on server access logging, see Enabling Amazon S3 server access logging. For more information on how to analyze server access logs, see Using Amazon S3 server access logs to identify requests.
Note: Amazon S3 delivers server access logs on a best-effort basis. Your server access logs might be incomplete.
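The following Python example is added here and is not part of the original article. It scans server access log records for operations that removed a given key, and reports who made the request and whether it came from an API call or a lifecycle rule. The log records, bucket name, ARNs, IP addresses and request IDs are constructed sample data, and `find_deletions` is a hypothetical helper name.

```python
import re
from urllib.parse import unquote

# Server access log operations that remove an object (or, in a versioned
# bucket, hide it behind a delete marker), mapped to what triggered them.
DELETE_OPS = {
    "REST.DELETE.OBJECT": "API request (single-object delete)",
    "BATCH.DELETE.OBJECT": "API request (multi-object delete)",
    "S3.EXPIRE.OBJECT": "lifecycle expiration",
    "S3.CREATE.DELETEMARKER": "lifecycle expiration (delete marker)",
}
# A field is a [bracketed timestamp], a "quoted string", or a run of non-spaces.
# Simplification: assumes quoted fields contain no embedded double quotes.
FIELD = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def find_deletions(log_lines, key):
    """Return one dict per delete record (successful or denied) for `key`."""
    hits = []
    for line in log_lines:
        f = FIELD.findall(line)
        if len(f) < 10:
            continue  # truncated or malformed record
        operation, logged_key = f[6], unquote(f[7])  # keys are logged URL-encoded
        if operation in DELETE_OPS and logged_key == key:
            hits.append({"time": f[2].strip("[]"), "source_ip": f[3],
                         "requester": f[4], "request_id": f[5],
                         "operation": operation, "cause": DELETE_OPS[operation],
                         "http_status": f[9]})  # 204 = deleted, 403 = denied
    return hits

# Constructed sample records: owner ID, bucket, ARNs, IPs and request IDs are made up.
OWNER = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
SAMPLE_LOG = [
    f'{OWNER} example-bucket [01/Mar/2023:10:01:12 +0000] 198.51.100.7 arn:aws:iam::111122223333:user/alice REQ0000000000001 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 512 512 20 19 "-" "aws-cli/2.9" - HOSTID1 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [01/Mar/2023:10:05:30 +0000] 203.0.113.9 arn:aws:iam::111122223333:user/bob REQ0000000000002 REST.DELETE.OBJECT reports/q1.csv "DELETE /reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 8 - "-" "aws-cli/2.9" - HOSTID2 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [01/Mar/2023:10:07:45 +0000] 198.51.100.23 arn:aws:iam::111122223333:user/carol REQ0000000000003 REST.DELETE.OBJECT reports/q1.csv "DELETE /reports/q1.csv HTTP/1.1" 204 - - 512 15 - "-" "Boto3/1.26" - HOSTID3 SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader example-bucket.s3.amazonaws.com TLSv1.2',
    f'{OWNER} example-bucket [02/Mar/2023:00:00:05 +0000] - AmazonS3 REQ0000000000004 S3.EXPIRE.OBJECT tmp/old.log "-" - - - 2048 - - "-" "-" - HOSTID4 - - - - -',
]

if __name__ == "__main__":
    for hit in find_deletions(SAMPLE_LOG, "reports/q1.csv"):
        print(hit)
```

A record with the requester `AmazonS3` and an `S3.EXPIRE.OBJECT` operation points to a lifecycle rule rather than a user, and a `403` status on a delete record means the attempt was denied and did not remove the object.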
CloudTrail logs can track object-level data events in an S3 bucket, such as GetObject, DeleteObject, and PutObject. By default, CloudTrail records bucket-level events. To turn on CloudTrail logging for object-level events, see Enabling CloudTrail event logging for S3 buckets and objects. For more information on how to find specific events, see Why don’t Amazon S3 object-level API actions appear in my CloudTrail Event history?
Note: Because object-level logging incurs additional charges, make sure to review the pricing for CloudTrail data events.
To prevent future accidental deletions, it’s a best practice to use one of the following features:
How do I use Athena to analyze my Amazon S3 server access logs?
Reference:
https://repost.aws/knowledge-center/s3-audit-deleted-missing-objects