How can I audit deleted or missing objects from my Amazon S3 bucket?

2 minute read

There's an object or file that's missing from my Amazon Simple Storage Service (Amazon S3) bucket. I want to find information about how the object or file was deleted, and prevent future accidental deletions.


To find out how an S3 object was deleted, you can review either server access logs or AWS CloudTrail logs.

Note: You must turn on logging for the bucket before the deletion event occurs. You receive logs only for events that occurred after you turned on logging.

Server access logs

Server access logs track S3 operations manually performed or as part of a lifecycle configuration. To turn on server access logging, see Enabling Amazon S3 server access logging. For more information on how to analyze server access logs, see How do I analyze my Amazon S3 server access logs using Athena?

CloudTrail logs

CloudTrail logs can track object-level data events in an S3 bucket, such as GetObject, DeleteObject, and PutObject. By default, CloudTrail records bucket-level events. To turn on CloudTrail logging for object-level events, see Enabling CloudTrail event logging for S3 buckets and objects. For more information on how to find specific events, see Why aren't Amazon S3 object-level API actions appearing in my CloudTrail Event history?

Note: Because object-level logging incurs additional charges, make sure to review the pricing for CloudTrail data events.

To prevent future accidental deletions, it's a best practice to use one of the following features:

AWS OFFICIALUpdated 6 months ago