

# Monitoring and auditing S3 Files
<a name="s3-files-monitoring-logging"></a>

S3 Files integrates with the following AWS services to help you monitor your file systems:

**Amazon CloudWatch**  
By default, S3 Files metric data is automatically sent to CloudWatch at 1-minute intervals, unless noted otherwise for an individual metric. You can also watch a single metric over a time period that you specify, and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The action is a notification sent to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon EC2 Auto Scaling policy.  
For more information, see [Monitoring S3 Files with Amazon CloudWatch](s3-files-monitoring-cloudwatch.md).

**CloudTrail**  
CloudTrail captures API calls and related events made by or on behalf of your AWS account and delivers log files to an Amazon S3 bucket that you specify. S3 Files logs management events including creating file systems, creating mount targets, and mounting file systems to compute instances. S3 Files does not log data events, such as file read and write operations.  
For more information, see [Logging with CloudTrail for S3 Files](s3-files-logging-cloudtrail.md).

**Topics**
+ [Monitoring S3 Files with Amazon CloudWatch](s3-files-monitoring-cloudwatch.md)
+ [Logging with CloudTrail for S3 Files](s3-files-logging-cloudtrail.md)

# Monitoring S3 Files with Amazon CloudWatch
<a name="s3-files-monitoring-cloudwatch"></a>

You can monitor S3 Files file systems using [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html), which collects and processes raw data from Amazon S3 Files into readable metrics. These metrics are retained for 15 months, so you can access historical information and gain a better perspective on how your file systems are performing.

S3 Files metric data is automatically sent to CloudWatch. Most metrics are sent at 1-minute intervals, while storage metrics are sent every 15 minutes. You can create [CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Alarms.html) that send notifications when a metric exceeds a threshold you specify. You can also use CloudWatch dashboards, which are customizable home pages in the CloudWatch Console that you can use to monitor your resources in a single view. For more information, see [Creating a customized CloudWatch dashboard](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/create_dashboard.html).

## S3 Files CloudWatch metrics
<a name="s3-files-monitoring-cloudwatch-metrics"></a>

S3 Files metrics use the `AWS/S3Files` namespace. All metrics are reported for a single dimension, `FileSystemId`. The `AWS/S3Files` namespace includes the following metrics:


| Metric | Description | Units and valid statistics | 
| --- | --- | --- | 
| StorageBytes | The total size of the file system in bytes, which includes data and metadata. This metric is emitted to CloudWatch every 15 minutes. | Units: Bytes. Minimum, Maximum, Average | 
| Inodes | The total number of inodes (such as files, directories, symlinks) in an S3 Files file system. This metric is emitted to CloudWatch every 15 minutes. | Units: Count. Sum | 
| PendingExports | The total number of files and directories pending export to the S3 bucket. | Units: Count. Sum | 
| ImportFailures | The total number of objects that failed to import to the file system after retries (for example, incorrect IAM permissions). | Units: Count. Sum | 
| ExportFailures | The total number of files and directories that failed to export and will not be retried. This metric helps you identify terminal export failures so you can troubleshoot and take action (for example, update IAM permissions). | Units: Count. Sum | 
| DataReadBytes | The number of bytes read from the file system. SampleCount gives the number of data read operations. You can calculate data read throughput by viewing this metric per unit time. | Units: Bytes (Minimum, Maximum, Average, Sum), Count (SampleCount) | 
| DataWriteBytes | The number of bytes written to the file system. SampleCount gives the number of data write operations. You can calculate data write throughput by viewing this metric per unit time. | Units: Bytes (Minimum, Maximum, Average, Sum), Count (SampleCount) | 
| MetadataReadBytes | The number of metadata bytes read from the file system. SampleCount gives the number of metadata read operations. | Units: Bytes (Minimum, Maximum, Average, Sum), Count (SampleCount) | 
| MetadataWriteBytes | The number of metadata bytes written to the file system. SampleCount gives the number of metadata write operations. | Units: Bytes (Minimum, Maximum, Average, Sum), Count (SampleCount) | 
| LostAndFoundFiles | Total number of files in the lost and found directory. The lost and found directory is located in your file system's root directory under the name .s3files-lost\$1found-file-system-id. Files in the lost and found directory are not copied to your S3 bucket. When a conflict occurs due to concurrent changes to the same data in both the file system and the S3 bucket, S3 Files treats the S3 bucket as the source of truth and moves the conflicting file to a lost and found directory. | Units: Count. Sum | 
| ClientConnections | The number of active client connections to a file system. | Units: Count. Sum | 

## Client connectivity metrics
<a name="s3-files-monitoring-cloudwatch-client-metrics"></a>

S3 Files can optimize read performance by allowing clients to read file data directly from the linked S3 bucket. To support this, the S3 Files client emits connectivity metrics that monitor whether the client can establish the necessary connections.

These metrics are emitted by the S3 Files client (amazon-efs-utils) and are published to the `efs-utils/S3Files` CloudWatch namespace. Metrics emission is enabled by default as part of the S3 Files experience.


| Metric | Description | Units and valid statistics | 
| --- | --- | --- | 
| NFSConnectionAccessible | Indicates whether the client can connect to the file system through the NFS mount. A value of 1 means the connection is accessible. A value of 0 means the connection is not accessible. | Units: None. Minimum, Maximum, Average | 
| S3BucketAccessible | Indicates whether the client has the required permissions to read data from the linked S3 bucket. A value of 1 means the client has the necessary permissions. A value of 0 means the client does not have the necessary permissions. | Units: None. Minimum, Maximum, Average | 
| S3BucketReachable | Indicates whether the linked S3 bucket and prefix exist and are reachable from the client. A value of 1 means the bucket and prefix are reachable. A value of 0 means the bucket or prefix is not reachable. | Units: None. Minimum, Maximum, Average | 

## Accessing CloudWatch metrics
<a name="s3-files-monitoring-cloudwatch-access"></a>

You can view S3 Files metrics using the CloudWatch console, the AWS CLI, or the CloudWatch API.

### To view metrics using the CloudWatch console
<a name="s3-files-monitoring-cloudwatch-access-console"></a>

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**, then choose **All metrics**.

1. Choose the **S3Files** namespace.

1. Choose **File System Metrics**.

1. Select the metrics you want to view.

1. Choose the **Graphed metrics** tab to configure the graph display.

### To view metrics using the AWS CLI
<a name="s3-files-monitoring-cloudwatch-access-cli"></a>

Use the `get-metric-statistics` command. For example, to view `DataReadBytes`:

```
aws cloudwatch get-metric-statistics \
  --namespace AWS/S3Files \
  --metric-name DataReadBytes \
  --dimensions Name=FileSystemId,Value=file-system-id \
  --start-time 2025-01-20T00:00:00Z \
  --end-time 2025-01-20T23:59:59Z \
  --period 3600 \
  --statistics Sum
```
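The following added example (not part of the S3 Files documentation) turns the JSON that `get-metric-statistics` returns into read throughput, operation rate, and average bytes per operation, as described for `DataReadBytes` in the metrics table. It assumes the command was run with `--statistics Sum SampleCount`. The sample output is constructed, and the spike rule (a period above five times the median rate) is an assumption for illustration. Because S3 Files does not log data events, this metric is a practical place to look for unusual read volume.

```python
import json
from datetime import datetime
from statistics import median

def io_profile(cli_json, period_seconds, spike_factor=5.0):
    """Convert get-metric-statistics output (Sum and SampleCount) into rates."""
    rows = []
    for point in json.loads(cli_json)["Datapoints"]:
        total, ops = point["Sum"], point["SampleCount"]
        rows.append({
            # Some output ends in "Z"; normalise so fromisoformat accepts it.
            "start": datetime.fromisoformat(point["Timestamp"].replace("Z", "+00:00")),
            "bytes_per_s": total / period_seconds,    # throughput for the period
            "ops_per_s": ops / period_seconds,        # SampleCount = number of reads
            "avg_bytes_per_op": total / ops if ops else 0.0,
        })
    # Datapoints are not returned in chronological order.
    rows.sort(key=lambda r: r["start"])
    # Assumed rule: a period is a spike when it exceeds spike_factor x the median rate.
    baseline = median(r["bytes_per_s"] for r in rows) if rows else 0.0
    for r in rows:
        r["spike"] = baseline > 0 and r["bytes_per_s"] > spike_factor * baseline
    return rows

# Constructed sample shaped like the CLI output for --period 3600.
SAMPLE_OUTPUT = json.dumps({"Label": "DataReadBytes", "Datapoints": [
    {"Timestamp": "2025-01-20T02:00:00+00:00", "Sum": 7200000000.0,
     "SampleCount": 7200.0, "Unit": "Bytes"},
    {"Timestamp": "2025-01-20T00:00:00+00:00", "Sum": 3600000000.0,
     "SampleCount": 3600.0, "Unit": "Bytes"},
    {"Timestamp": "2025-01-20T03:00:00+00:00", "Sum": 72000000000.0,
     "SampleCount": 18000.0, "Unit": "Bytes"},
    {"Timestamp": "2025-01-20T01:00:00+00:00", "Sum": 3600000000.0,
     "SampleCount": 3600.0, "Unit": "Bytes"},
]})

if __name__ == "__main__":
    for row in io_profile(SAMPLE_OUTPUT, 3600):
        print(row["start"].isoformat(), row["bytes_per_s"], row["spike"])
```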

# Logging with CloudTrail for S3 Files
<a name="s3-files-logging-cloudtrail"></a>

Amazon S3 Files is integrated with CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in S3 Files. CloudTrail captures all API calls for S3 Files as events, including calls from the S3 Files console and code calls to the S3 Files API operations.

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for S3 Files. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to S3 Files, the IP address from which the request was made, who made the request, when it was made, and additional details.

## S3 Files information in CloudTrail
<a name="s3-files-logging-cloudtrail-info"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Amazon S3 Files, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) in the *CloudTrail User Guide*.

For an ongoing record of events in your AWS account, including events for S3 Files, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.

For more information, see the following topics in the *CloudTrail User Guide*:
+ [Creating a trail for your AWS account](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [AWS service integrations with CloudTrail logs](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All [S3 Files APIs](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_S3_Files.html) are logged by CloudTrail. For example, calls to the `CreateFileSystem`, `CreateMountTarget` and `TagResource` operations generate entries in the CloudTrail log files. S3 Files also generates CloudTrail logs when you mount your file system on a compute resource.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root user or IAM user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html) in the *CloudTrail User Guide*.

S3 Files does not log data events. Data events include file read and write operations performed on the file system.

## Understanding S3 Files log file entries
<a name="s3-files-logging-cloudtrail-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order.

### Example: CreateFileSystem
<a name="s3-files-logging-cloudtrail-example-createfs"></a>

The following example shows a CloudTrail log entry that demonstrates the `CreateFileSystem` action:

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "111122223333",
        "arn": "arn:aws:sts::111122223333:assumed-role/myRole/i-0123456789abcdef0",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "111122223333",
                "arn": "arn:aws:iam::111122223333:role/myRole",
                "accountId": "111122223333",
                "userName": "myRole"
            },
            "attributes": {
                "creationDate": "2026-03-20T12:58:28Z",
                "mfaAuthenticated": "false"
            },
            "ec2RoleDelivery": "2.0"
        }
    },
    "eventTime": "2026-03-20T17:43:19Z",
    "eventSource": "s3files.amazonaws.com",
    "eventName": "CreateFileSystem",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.0",
    "requestParameters": {
        "bucket": "arn:aws:s3:::amzn-s3-demo-bucket",
        "prefix": "images/",
        "clientToken": "myClientToken",
        "roleArn": "arn:aws:iam::111122223333:role/myS3FilesRole"
    },
    "responseElements": {
        "creationTime": "Mar 20, 2026, 5:43:19 PM",
        "fileSystemArn": "arn:aws:s3files:us-west-2:111122223333:file-system/fs-abcd123456789ef0",
        "fileSystemId": "fs-abcd123456789ef0",
        "bucket": "arn:aws:s3:::amzn-s3-demo-bucket",
        "prefix": "images/",
        "clientToken": "myClientToken",
        "status": "creating",
        "roleArn": "arn:aws:iam::111122223333:role/myS3FilesRole",
        "ownerId": "111122223333",
        "tags": []
    },
    "requestID": "dEXAMPLE-feb4-11e6-85f0-736EXAMPLE75",
    "eventID": "eEXAMPLE-2d32-4619-bd00-657EXAMPLEe4",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::S3Files::FileSystem",
            "ARN": "arn:aws:s3files:us-west-2:111122223333:file-system/fs-abcd123456789ef0"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "s3files.us-west-2.api.aws"
    }
}
```

### Example: CreateMountTarget
<a name="s3-files-logging-cloudtrail-example-createmt"></a>

The following example shows a CloudTrail log entry for the `CreateMountTarget` action:

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "111122223333",
        "arn": "arn:aws:sts::111122223333:assumed-role/myRole/i-0123456789abcdef0",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "111122223333",
                "arn": "arn:aws:iam::111122223333:role/myRole",
                "accountId": "111122223333",
                "userName": "myRole"
            },
            "attributes": {
                "creationDate": "2026-03-20T13:09:56Z",
                "mfaAuthenticated": "false"
            },
            "ec2RoleDelivery": "2.0"
        }
    },
    "eventTime": "2026-03-20T18:05:14Z",
    "eventSource": "s3files.amazonaws.com",
    "eventName": "CreateMountTarget",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.0",
    "requestParameters": {
        "fileSystemId": "fs-abcd123456789ef0",
        "subnetId": "subnet-01234567890abcdef",
        "securityGroups": [
            "sg-c16d65b6"
        ]
    },
    "responseElements": {
        "availabilityZoneId": "usw2-az2",
        "ownerId": "111122223333",
        "mountTargetId": "fsmt-1234567",
        "fileSystemId": "fs-abcd123456789ef0",
        "subnetId": "subnet-01234567890abcdef",
        "ipv4Address": "192.0.2.0",
        "ipv6Address": "2001:db8::1",
        "networkInterfaceId": "eni-0123456789abcdef0",
        "vpcId": "vpc-01234567",
        "securityGroups": [
            "sg-c16d65b6"
        ],
        "status": "creating"
    },
    "requestID": "dEXAMPLE-feb4-11e6-85f0-736EXAMPLE75",
    "eventID": "eEXAMPLE-2d32-4619-bd00-657EXAMPLEe4",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::S3Files::FileSystem",
            "ARN": "arn:aws:s3files:us-west-2:111122223333:file-system/fs-abcd123456789ef0"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::S3Files::MountTarget",
            "ARN": "arn:aws:s3files:us-west-2:111122223333:mount-target/fsmt-1234567"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::EC2::Subnet",
            "ARN": "arn:aws:ec2:us-west-2:111122223333:subnet/subnet-01234567890abcdef"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::EC2::NetworkInterface",
            "ARN": "arn:aws:ec2:us-west-2:111122223333:network-interface/eni-0123456789abcdef0"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_128_GCM_SHA256",
        "clientProvidedHostHeader": "s3files.us-west-2.api.aws"
    }
}
```
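
The following added example (not part of the S3 Files documentation) applies the identity questions listed earlier to a delivered CloudTrail log file: it keeps only `s3files.amazonaws.com` events, classifies `userIdentity`, and sorts by `eventTime` because entries are not in any specific order. The sample records are constructed and trimmed to the fields used, and the `cross-account-role` flag is an illustrative heuristic, not a rule from the documentation.

```python
import json

S3FILES_SOURCE = "s3files.amazonaws.com"
# CloudTrail userIdentity.type values, grouped by the questions listed earlier.
IDENTITY_CLASS = {"Root": "root", "IAMUser": "iam-user", "AWSService": "aws-service",
                  "AssumedRole": "temporary-credentials",
                  "FederatedUser": "temporary-credentials"}

def arn_account(arn):
    """Return the account-id field of an ARN, or '' when it has none."""
    parts = (arn or "").split(":")
    return parts[4] if len(parts) > 5 else ""

def triage(log_file_text):
    """Summarise the S3 Files management events in one CloudTrail log file."""
    rows = []
    for rec in json.loads(log_file_text).get("Records", []):
        if rec.get("eventSource") != S3FILES_SOURCE:
            continue
        ident = rec.get("userIdentity") or {}
        kind = IDENTITY_CLASS.get(ident.get("type"), "other")
        if ident.get("invokedBy"):  # an AWS service made the request
            kind = "aws-service"
        flags = []
        if kind == "root":
            flags.append("root-credentials")
        if rec.get("errorCode"):  # present only when the call failed
            flags.append("failed:" + rec["errorCode"])
        # Illustrative heuristic: the role given to the file system is in another account.
        role = (rec.get("requestParameters") or {}).get("roleArn")
        if role and arn_account(role) != rec.get("recipientAccountId"):
            flags.append("cross-account-role")
        rows.append({"time": rec.get("eventTime", ""), "event": rec.get("eventName"),
                     "identity": kind, "who": ident.get("arn"),
                     "source_ip": rec.get("sourceIPAddress"), "flags": flags})
    # Entries in a log file are not in any specific order, so sort by eventTime.
    return sorted(rows, key=lambda r: r["time"])

# Constructed sample modelled on the entries above; account 444455556666 is made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2026-03-20T18:05:14Z", "eventSource": S3FILES_SOURCE,
     "eventName": "CreateMountTarget", "sourceIPAddress": "192.0.2.0",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"fileSystemId": "fs-abcd123456789ef0"}},
    {"eventTime": "2026-03-20T17:43:19Z", "eventSource": S3FILES_SOURCE,
     "eventName": "CreateFileSystem", "sourceIPAddress": "192.0.2.0",
     "recipientAccountId": "111122223333",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/myRole/i-0123456789abcdef0"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/myS3FilesRole"}},
    {"eventTime": "2026-03-20T17:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSubnets", "userIdentity": {"type": "IAMUser"}},
]})
```

Calling `triage(SAMPLE_LOG)` returns two rows, `CreateFileSystem` first, with the EC2 event filtered out.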