# How to Configure Spaces Access Logs Spaces Object Storage is an S3-compatible service for storing and serving large amounts of data. The built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs. Spaces can generate access logs that record requests to a bucket for monitoring, auditing, and troubleshooting. Access logs can include: - Reads, writes, and deletions of objects in the bucket. - Requests to origin endpoints. - Requests to the bucket’s [CDN endpoints](https://docs.digitalocean.com/products/spaces/how-to/enable-cdn/index.html.md), if enabled. Spaces access logs use [Amazon S3 server access log format](https://docs.aws.amazon.com/AmazonS3/latest/userguide/LogFormat.html), and CDN access logs use [Amazon CloudFront access log format](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/standard-logs-reference.html). Spaces delivers access logs asynchronously, usually within one hour of activity, though delivery can take two hours or longer. You can enable or disable access logs [using the S3-compatible API](#api), such as the AWS CLI, or with [Terraform](#terraform). ## Check the Status of Access Logs Access logs are disabled by default. To check whether access logs are enabled, go to the [DigitalOcean Control Panel](https://cloud.digitalocean.com), in the left menu, click **Spaces Object Storage**, and then select the bucket you want to view. In the bucket’s overview page, click its **Settings** tab, and then under the **Access Logs** sub-section, see if access logs are **Enabled** or **Disabled**. ![DigitalOcean Spaces Settings page showing project assignment, object versioning, access logs status, file listing permissions, CDN settings, CORS configuration, access keys, and bucket deletion options.](https://docs.digitalocean.com/screenshots/spaces/settings.d6297ab764b476ba9443fc39a3dc064b48ef8ea0bad5b2934386a51332f04ae5.png) ## Manage Access Logs Using the AWS CLI You can enable or disable access logs using the S3-compatible API with the AWS CLI (`aws`). ### Enable Access Logs Create a JSON file that defines the logging configuration. Specify the destination bucket where logs are stored and the prefix used for log objects. The destination bucket must be different from the source bucket because Spaces does not support writing access logs to the same bucket that generates them. ```json { "LoggingEnabled": { "TargetBucket": "use_your_destination_bucket", "TargetPrefix": "example_log_prefix/" } } ``` Apply the configuration: ```shell aws --endpoint-url https://use_your_region.digitaloceanspaces.com \ s3api put-bucket-logging \ --bucket use_your_source_bucket \ --bucket-logging-status file://use_your_logging_config_path.json ``` If the command succeeds, it returns no output and exits with code `0`. If needed, [verify that access logs are enabled](#verify). ### Disable Access Logs To disable access logs, send an empty logging configuration. This removes the `LoggingEnabled` section. ```shell aws --endpoint-url https://use_your_region.digitaloceanspaces.com \ s3api put-bucket-logging \ --bucket use_your_source_bucket \ --bucket-logging-status '{}' ``` After running this command, [verify that access logs are disabled](#verify). ### Verify Your Logging Configuration Check the current logging configuration: ```shell aws --endpoint-url https://use_your_region.digitaloceanspaces.com \ s3api get-bucket-logging \ --bucket use_your_source_bucket ``` If logging is enabled, the response includes a `LoggingEnabled` object with your destination bucket and prefix: ```json { "LoggingEnabled": { "TargetBucket": "your-log-bucket", "TargetPrefix": "example_log_prefix/" } } ``` If logging is disabled, the response is an empty JSON object. ## Manage Access Logs Using Terraform You can also [configure access logs with Terraform](https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket_logging) using the `digitalocean_spaces_bucket_logging` resource. The destination bucket must be in the same region as the source bucket, and your access key must have permission to write to it.