Summary
Add structured audit logging for all S3 operations, recording who accessed which objects, what operation was performed, and when.
Problem
Currently, s3proxy logs operational events (errors, warnings, debug info) via structlog, but there's no dedicated audit trail. For compliance (SOC2, GDPR, HIPAA), operators need to answer:
- Who accessed object X?
- What operations were performed on bucket Y in the last 30 days?
- Were there any failed access attempts?
Proposal
Emit structured audit log entries for every S3 operation:
```json
{
  "timestamp": "2026-02-11T12:00:00Z",
  "event": "AUDIT",
  "operation": "GetObject",
  "bucket": "my-bucket",
  "key": "data/file.bin",
  "client_ip": "10.0.1.5",
  "access_key": "AKIA...",
  "status": 200,
  "bytes_transferred": 1048576,
  "encrypted": true,
  "duration_ms": 45
}
```
Features:
- Separate audit log stream (distinct from operational logs)
- Configurable output: stdout, file, or external sink (e.g., S3 bucket, webhook)
- Include client identity (access key, IP, user agent)
- Log both successful and failed operations (403, 503)
- Compatible with log aggregation tools (structured JSON)
Considerations
- Audit logs must not contain sensitive data (no encryption keys, no object content)
- Should be opt-in (`S3PROXY_AUDIT_LOG=true`) to avoid overhead for non-compliance use cases
- Ties into multi-credential support (Multiple AWS credential pairs (per-client auth) #13) for per-client identity
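As an added illustration of the proposal above (example code, not part of s3proxy), the following builds the audit record with the fields shown, redacts the access key to its prefix, refuses sensitive fields such as encryption keys or object content, gates emission on `S3PROXY_AUDIT_LOG`, and writes to a dedicated logger that does not propagate into the operational log. It uses the standard library `logging` module rather than structlog so it runs stand-alone; the function names and the `FORBIDDEN_FIELDS` list are assumptions for this example.

```python
import json
import logging
import os
import sys
from datetime import datetime, timezone

# Never allowed in an audit record: encryption keys, secrets, object content (assumed list).
FORBIDDEN_FIELDS = {"secret_key", "encryption_key", "data_key", "body", "content"}

def audit_enabled(env=None):
    """Opt-in switch; S3PROXY_AUDIT_LOG is the flag name proposed in the issue."""
    env = os.environ if env is None else env
    return env.get("S3PROXY_AUDIT_LOG", "").strip().lower() in ("1", "true", "yes")

def redact_access_key(access_key):
    """Keep a 4-character prefix so the record identifies the key without exposing it."""
    return access_key[:4] + "..." if access_key else None

def build_audit_event(operation, bucket, key, client_ip, access_key, status,
                      bytes_transferred=0, encrypted=False, duration_ms=0,
                      user_agent=None, now=None, **extra):
    """Return the structured audit record; refuses sensitive fields passed via extra."""
    leaked = FORBIDDEN_FIELDS.intersection(extra)
    if leaked:
        raise ValueError("sensitive fields not allowed in audit log: %s" % sorted(leaked))
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    event = {"timestamp": ts, "event": "AUDIT", "operation": operation,
             "bucket": bucket, "key": key, "client_ip": client_ip,
             "access_key": redact_access_key(access_key), "user_agent": user_agent,
             "status": status, "bytes_transferred": bytes_transferred,
             "encrypted": encrypted, "duration_ms": duration_ms}
    event.update(extra)
    return event

def make_audit_logger(stream=None):
    """Dedicated audit logger; propagate=False keeps it out of operational handlers."""
    logger = logging.getLogger("s3proxy.audit")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream or sys.stdout)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    return logger

def emit_audit(logger, event):
    """Write one JSON line per operation (successes and 403/503 failures alike)."""
    logger.info(json.dumps(event, sort_keys=True))
```

Pointing the handler at a file or a forwarding sink instead of stdout gives the separate, aggregator-friendly stream the proposal asks for.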