pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

s3BucketLoggingEnabled should support exclusions for log buckets #59

Open amichel opened 4 years ago

amichel commented 4 years ago

With s3BucketLoggingEnabled mandatory, all buckets are verified to have access logs. This creates a problem with the log buckets themselves, which don't have access log buckets of their own but rather rely on a retention policy (Glacier, etc.); otherwise there would be an infinite chain of buckets. The policy needs to support filtering those buckets out, either by dependency based on the access log together with a boolean flag to allow skipping access logs, or by a tag/name predicate to filter out those buckets, which is a more generic feature (e.g. some buckets can always be behind API Gateway or NGINX, which have access logs of their own).
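Added example (not code from pulumi-policy-aws): the check described in the comment above, modelled as a pure TypeScript function with both proposed exclusions, a dependency-based one (a bucket that is the `targetBucket` of another bucket's `loggings` is itself a log bucket and is skipped) and a tag/name predicate. The resource shape, the `logging-exempt` tag and the `-logs$` name pattern are assumptions, and matching the log target by Pulumi resource name is a simplification (the real `loggings[].targetBucket` holds the bucket ID).

```typescript
// Added illustrative code, not part of pulumi-policy-aws. Models the
// s3BucketLoggingEnabled check without the @pulumi/policy runtime.
interface BucketResource {
  name: string;                          // Pulumi resource name (assumed)
  tags?: Record<string, string>;
  loggings?: { targetBucket: string }[]; // mirrors the aws.s3.Bucket `loggings` input
}

interface Violation { resource: string; message: string; }

type Exclusion = (b: BucketResource) => boolean;

// Dependency-based exclusion: a bucket that receives another bucket's access
// logs is a log bucket; requiring logging on it would recurse forever.
function isLogTarget(b: BucketResource, all: BucketResource[]): boolean {
  return all.some(other =>
    other !== b && (other.loggings ?? []).some(l => l.targetBucket === b.name));
}

// Tag/name exclusion: the more generic opt-out (buckets fronted by API Gateway,
// NGINX, etc. that already have access logs elsewhere).
function tagOrNameExclusion(exemptTag: string, namePattern: RegExp): Exclusion {
  return b => b.tags?.[exemptTag] === "true" || namePattern.test(b.name);
}

function checkBucketLogging(buckets: BucketResource[], exclusions: Exclusion[]): Violation[] {
  const violations: Violation[] = [];
  for (const b of buckets) {
    if ((b.loggings ?? []).length > 0) continue;               // logging enabled
    if (isLogTarget(b, buckets) || exclusions.some(ex => ex(b))) continue; // excluded
    violations.push({ resource: b.name, message: "Bucket access logging must be enabled." });
  }
  return violations;
}

// Constructed sample stack (assumed names and tags).
const sampleBuckets: BucketResource[] = [
  { name: "app-data", loggings: [{ targetBucket: "access-logs" }] },
  { name: "access-logs" },                                     // log bucket, kept by lifecycle rules
  { name: "static-site", tags: { "logging-exempt": "true" } }, // explicitly opted out by tag
  { name: "scratch" },                                         // genuinely missing logging
];

function demo(): Violation[] {
  return checkBucketLogging(sampleBuckets, [tagOrNameExclusion("logging-exempt", /-logs$/)]);
}

console.log(JSON.stringify(demo()));
```

Only `scratch` is reported; `access-logs` passes because `app-data` logs into it, and `static-site` passes on its tag.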

justinvp commented 4 years ago

Related: #36