AWS S3 Integration
Track bucket request metrics, error rates, data transfer, and access patterns. S3 Storage Lens integration gives you organisation-wide storage visibility with AI anomaly detection for unusual access behaviour.
How It Works
Deploy CloudFormation Stack
Launch the TigerOps CloudFormation template to create the IAM role and Metric Streams configuration for the AWS/S3 namespace. S3 request metrics require bucket-level metric configuration.
Enable S3 Request Metrics
Enable S3 request metrics on buckets you want to monitor. TigerOps guides you through creating metric configurations with optional prefix filters to reduce metric cardinality for large buckets.
Configure Storage Lens
Enable S3 Storage Lens and export daily metrics to TigerOps. Storage Lens provides organisation-wide visibility into storage usage trends, data protection coverage, and access activity.
Set Error Rate & Cost Alerts
Define 4xx/5xx error rate thresholds and data egress cost alerts per bucket. TigerOps fires alerts when error rates spike or when data transfer costs accelerate unexpectedly.
What You Get Out of the Box
Request Rate & Error Monitoring
GET, PUT, DELETE, and LIST request rates alongside 4xx and 5xx error counts per bucket and prefix. TigerOps alerts on error rate spikes and surfaces the first-seen error timestamp.
Data Transfer Visibility
Bytes uploaded, downloaded, and transferred across regions. TigerOps correlates data transfer spikes with specific applications or IAM principals using S3 server access logs.
S3 Storage Lens Integration
Organisation-wide storage utilisation trends, incomplete multipart upload accumulation, non-current version storage costs, and replication rule health from S3 Storage Lens.
Bucket Size & Object Count
Daily bucket size and object count trends per storage class. TigerOps tracks growth rate and projects future storage costs so you can plan lifecycle policies proactively.
Latency Monitoring
First-byte latency and total request latency for GET and PUT operations. TigerOps surfaces latency regressions that may indicate S3 throttling or network path changes.
AI Access Pattern Analysis
TigerOps AI identifies unusual access patterns — unexpected spikes from new IP ranges, sudden increases in LIST operations, or unusual deletion events — and surfaces them as security-relevant anomalies.
Enable S3 Request Metrics
Configure bucket-level request metrics and deploy the TigerOps S3 monitoring stack.
# Enable S3 request metrics on a bucket (required for request-level monitoring)
aws s3api put-bucket-metrics-configuration \
  --bucket my-production-bucket \
  --id tigerops-all-requests \
  --metrics-configuration '{"Id":"tigerops-all-requests","Filter":{}}'

# Enable with prefix filter for large buckets
aws s3api put-bucket-metrics-configuration \
  --bucket my-production-bucket \
  --id tigerops-uploads \
  --metrics-configuration '{"Id":"tigerops-uploads","Filter":{"Prefix":"uploads/"}}'

# Deploy TigerOps S3 monitoring stack
# "aws cloudformation deploy" only accepts a local --template-file, so download the template first
curl -fsSL -o s3-integration.yaml https://tigerops-cfn.s3.amazonaws.com/s3-integration.yaml
aws cloudformation deploy \
  --template-file s3-integration.yaml \
  --stack-name tigerops-s3 \
  --capabilities CAPABILITY_IAM \
  --parameter-overrides \
    TigerOpsApiKey="${TIGEROPS_API_KEY}" \
    EnableStorageLens=true \
    MonitoredBuckets="my-production-bucket,my-assets-bucket"

# Enable S3 Storage Lens for org-wide visibility
# (123456789012 is a placeholder; use your own 12-digit AWS account ID)
aws s3control put-storage-lens-configuration \
  --account-id 123456789012 \
  --config-id tigerops-org-lens \
  --storage-lens-configuration file://storage-lens-config.json
Common Questions
Why are S3 request metrics not enabled by default?
S3 request metrics (AllRequests, GetRequests, etc.) are optional because they incur a small additional CloudWatch cost per metric per bucket. TigerOps helps you enable them selectively on your most critical buckets or with prefix-level filters.
How does TigerOps use S3 server access logs?
TigerOps can ingest S3 server access logs via an S3 event notification + Lambda pipeline. The logs are parsed to provide per-requester and per-prefix breakdowns of request counts and error rates beyond what CloudWatch metrics offer.
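The per-requester and per-prefix breakdown described above can be reproduced from raw server access log records. The following is an added example, not TigerOps code: the log lines are constructed, and the function names and the top-level-prefix grouping are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Leading fields of an S3 server access log record: owner, bucket, [time],
# remote IP, requester, request ID, operation, key, "request-URI", status, error code.
LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<request_uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)'
)

# Constructed sample records (not real traffic); fields after the error code are trimmed.
SAMPLE_LOG = """\
OWNERID my-production-bucket [06/Feb/2024:00:00:38 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/app-uploader REQ1 REST.PUT.OBJECT uploads/a.bin "PUT /uploads/a.bin HTTP/1.1" 200 -
OWNERID my-production-bucket [06/Feb/2024:00:00:41 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/app-uploader REQ2 REST.PUT.OBJECT uploads/b.bin "PUT /uploads/b.bin HTTP/1.1" 200 -
OWNERID my-production-bucket [06/Feb/2024:00:01:02 +0000] 198.51.100.7 - REQ3 REST.GET.OBJECT exports/report.csv "GET /exports/report.csv HTTP/1.1" 403 AccessDenied
OWNERID my-production-bucket [06/Feb/2024:00:01:03 +0000] 198.51.100.7 - REQ4 REST.GET.OBJECT exports/report2.csv "GET /exports/report2.csv HTTP/1.1" 403 AccessDenied
OWNERID my-production-bucket [06/Feb/2024:00:01:30 +0000] 192.0.2.44 arn:aws:sts::123456789012:assumed-role/etl/session1 REQ5 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 -
OWNERID my-production-bucket [06/Feb/2024:00:02:0
OWNERID my-production-bucket [06/Feb/2024:00:02:15 +0000] 192.0.2.10 arn:aws:iam::123456789012:user/app-uploader REQ7 REST.PUT.OBJECT uploads/c.bin "PUT /uploads/c.bin HTTP/1.1" 503 SlowDown
"""

def key_prefix(key):
    """Map an object key to its top-level prefix; '-' means a bucket-level operation."""
    if key == "-":
        return "(bucket-level)"
    return key.split("/", 1)[0] + "/" if "/" in key else "(root)"

def breakdown(log_text):
    """Return ({(requester, prefix): {requests, errors, error_rate}}, skipped_lines)."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0})
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.match(line)
        if m is None:  # truncated or malformed record: count it, do not guess
            skipped += 1
            continue
        row = stats[(m["requester"], key_prefix(m["key"]))]
        row["requests"] += 1
        if m["status"][0] in "45":  # 4xx and 5xx responses
            row["errors"] += 1
    for row in stats.values():
        row["error_rate"] = row["errors"] / row["requests"]
    return dict(stats), skipped

if __name__ == "__main__":
    result, skipped = breakdown(SAMPLE_LOG)
    for (requester, prefix), row in sorted(result.items()):
        print(f"{requester:55} {prefix:16} {row['requests']:3} {row['error_rate']:.0%}")
```

A requester of `-` is an unauthenticated request, so a `-` row with a high error rate on a sensitive prefix is worth a look at the bucket policy and the source IPs.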
Can TigerOps alert on unusual data egress costs?
Yes. TigerOps monitors BytesDownloaded metrics and correlates them with AWS Cost and Usage Report data (ingested via the CUR S3 export). It alerts when data transfer costs accelerate beyond a configured daily or hourly rate.
Does TigerOps support monitoring S3 buckets across multiple AWS accounts?
Yes. TigerOps can aggregate S3 metrics from multiple AWS accounts using cross-account IAM roles. S3 Storage Lens organisation dashboards are also supported for AWS Organizations-managed account fleets.
How does TigerOps handle high-cardinality S3 metrics from large buckets?
For large buckets, TigerOps recommends using S3 request metric filters scoped to specific prefixes (e.g., uploads/, exports/). This limits metric cardinality and cost while still giving you visibility into the most critical access paths.
Full Visibility Into Every S3 Bucket and Request
Request metrics, error rates, data transfer tracking, and AI access anomaly detection. Set up in minutes.