AWS S3 Logs Bucket

An AWS S3 bucket intended for storing logs

View Source Code


Made by







An AWS S3 bucket providing scalable, durable, and secure storage of logs allowing them to be stored, accessed, and analyzed in a highly available and cost-effective manner.

Use Cases

Application Logging

Low cost and durable storage of application logs for debugging and troubleshooting

Security and Compliance

Storing access logs allows security teams to monitor and detect unauthorized access attempts and security breaches, and helps to satisfy compliance requirements for data access audit trails.


This bundle is designed around the specific use-case of storing application and access logs. For this reason, assumptions are made regarding the configuration of the bucket. For example, public access is disabled and object versioning is disabled.

Best Practices

High Availability

Deploys regional S3 for High availability in the event of zonal failure

Dedicated KMS Key

Uses a dedicated KMS key with narrowly scoped permission for encryption


KMS Encryption

A KMS key is created and narrowly scoped to the bucket for encrypting all assets.

Private ACL

No public access is allowed to this bucket

Access Logging

Access logging can be enabled, which will create an additional S3 bucket to store access logs for compliance requirements


The following policies are created for managing access to the S3 bucket.

  • read: Grants read access to objects in the bucket
  • write: Grants access to write objects to the bucket
bucket.regionstringAWS Region to provision in.
lifecycle_settings.expirebooleanEnable the expiration (deletion) of objects after the specified time
lifecycle_settings.transition_rules[].daysintegerNumber of days after creation when objects are transitioned to the specified storage class.
lifecycle_settings.transition_rules[].storage_classstringS3 storage class to transition to. Refer to the AWS S3 storage class documentation for details on each storage class.
monitoring.access_loggingbooleanEnabling this will create an additional bucket for storing access logs