access_logging

Type object({ target_bucket = string, target_prefix = optional(string, "") })
Default null
Module s3-bucket

Access logging configuration for audit trails. Set to null to disable logging. Object properties:

  • target_bucket: Bucket where logs are delivered (required)
  • target_prefix: Prefix for log objects (optional)

Overview

Server access logging provides detailed records for requests made to your bucket. Logs include information about the requester, bucket name, request time, and response status.

Default Value

access_logging = null

Configuration Structure

access_logging = {
  target_bucket = "my-logs-bucket"
  target_prefix = "s3-access-logs/"
}

Parameters

Parameter       Description                       Required
target_bucket   Bucket where logs are delivered   Yes
target_prefix   Prefix for log objects            No

Log Format

Log records include:

  • Bucket owner and name
  • Request time and IP address
  • Operation type
  • Request URI
  • HTTP status and error codes
  • Bytes sent and object size
  • User agent and referrer
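To show how these fields are consumed for audit work, here is an added example (not part of the module or its documentation) that parses server access log records and lists denied requests. The sample records, bucket name, request IDs and IP addresses are constructed; the field order follows the standard S3 server access log layout.

```python
import re
from datetime import datetime

# First 17 space-separated fields of an S3 server access log record, in order.
# Newer records append further fields; those are kept unparsed in "extra".
FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code",
          "bytes_sent", "object_size", "total_time_ms", "turnaround_ms",
          "referrer", "user_agent"]
NUMERIC = ("http_status", "bytes_sent", "object_size", "total_time_ms", "turnaround_ms")

# A token is a [bracketed] timestamp, a "quoted" string, or a bare word.
TOKEN = re.compile(r'\[([^\]]*)\]|"((?:[^"\\]|\\.)*)"|(\S+)')

def parse_record(line):
    """Parse one access log line into a dict; raise ValueError if truncated."""
    tokens = [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated access log record")
    rec = dict(zip(FIELDS, tokens))
    rec["extra"] = tokens[len(FIELDS):]
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    for name in NUMERIC:
        # S3 writes "-" when a value does not apply to the request.
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec

def denied_requests(lines):
    """Return (remote_ip, requester, operation, key) for every 403 response."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec["http_status"] == 403:
            hits.append((rec["remote_ip"], rec["requester"], rec["operation"], rec["key"]))
    return hits

# Constructed sample records: one authenticated read, one anonymous denied read.
SAMPLE = [
    'ownerid0001 my-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.10 arn:aws:iam::111122223333:user/alice REQ0001 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 200 - 2048 2048 12 10 "-" "aws-cli/2.0" - HOSTID SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader my-bucket.s3.amazonaws.com TLSv1.2 - -',
    'ownerid0001 my-bucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - REQ0002 REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "curl/8.0" - HOSTID - - - my-bucket.s3.amazonaws.com TLSv1.2 - -',
]

if __name__ == "__main__":
    for hit in denied_requests(SAMPLE):
        print(hit)
```

A requester of "-" marks an unauthenticated request, so a denied entry with that value is an anonymous access attempt against the bucket.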

Best Practices

  • Use a dedicated logging bucket
  • Enable lifecycle rules on the logging bucket
  • Use descriptive prefixes to organize logs
  • Consider using S3 Analytics for access pattern insights
  • Do not enable logging on the logging bucket (prevents loops)

Compliance Use Cases

  • SOC 2: Audit trail requirements
  • HIPAA: Access monitoring for PHI
  • PCI-DSS: Cardholder data access logging
  • GDPR: Data access transparency

Full Module Example

module "s3_bucket" {
  source  = "registry.patterneddesigns.ca/essentials/s3-bucket/aws"
  version = "0.1.0"

  # access_logging
  access_logging = {
    target_bucket = "my-logs-bucket"
    target_prefix = "s3-access-logs/"
  }

  # Other required inputs
  bucket_name = "..."
}