skillZs
LIVE SKILL TAGS
>>> LIVE SKILLS INDEX <<<
* OPEN SOURCE *
NO LOGIN, NO TRACKING
REAL INSTALL DATA
← back to all skills
aws/agent-toolkit-for-aws757 installs

querying-aws-s3

Queries S3 object metadata, tracks bucket activity, audits object changes, searches annotations, and analyzes storage metrics using S3 Metadata system tables (journal, inventory, annotation) and S3 Storage Lens tables via Athena SQL. Applies when counting objects, finding recent uploads or deletions, identifying who wrote to a prefix, breaking down storage classes, finding objects by tag, searching annotation content, analyzing storage lens metrics, or enabling S3 Metadata tracking. Prefers system tables over raw S3 APIs (list-objects-v2, head-object) at scale. Trigger phrases: bucket activity, object count, who uploaded, track deletions, storage class breakdown, find by tag, search annotations, storage lens metrics, audit bucket changes.

How do I install this agent skill?

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill querying-aws-s3
view source ↗

Is this agent skill safe to install?

  • Gen Agent Trust Hubpass

    This skill provides templates and instructions for querying Amazon S3 Metadata and Storage Lens tables. It emphasizes security best practices, including encryption and least-privilege IAM policies, while utilizing standard AWS CLI tools.

  • Socketpass

    No alerts

  • Snykpass

    Risk: LOW · No issues

What does this agent skill do?

Query AWS S3 System Tables

Overview

Works best with the AWS MCP server for sandboxed execution and audit logging. All commands below use the AWS CLI and work in any environment with configured AWS credentials. Use IAM roles or temporary credentials; avoid long-lived access keys.

Amazon S3 Metadata provides continuously-updated Apache Iceberg tables that capture object-level metadata for general-purpose buckets. S3 Storage Lens exports aggregated storage and activity metrics as Iceberg tables. Both are read-only, stored in the AWS-managed aws-s3 table bucket, and queryable via Amazon Athena.

System tables are preferred over raw S3 APIs (list-objects-v2, head-object) because:

  • list-objects-v2 paginates at 1000 objects/page — inefficient for large buckets (millions or billions of objects). The inventory table answers SELECT COUNT(*) in seconds at any scale.
  • list-objects-v2 cannot identify who uploaded an object, from which IP, or when something was deleted. Only the journal table has requester, source_ip_address, and delete event tracking.
  • Filtering by tag requires get-object-tagging per object. The inventory table has object_tags as a queryable map column.

Decision Tree

User intentUse this skill?TableAlternative
How many objects in my bucketYesinventory
What was recently uploaded/deletedYesjournal
Who wrote/deleted objects (audit)Yesjournal (requester, source_ip)
Storage class breakdownYesinventory
Find objects by tag or user metadataYesinventory
Search annotation contentYesannotationSingle object → direct API get-object-annotation
Write/update an annotationNoDirect API: put-object-annotation (tables are read-only)
Query data inside objectsNoquerying-data-lake
Bucket-level storage metrics/trendsYesStorage Lens tables
Enable metadata trackingYessee Enable section

Common Tasks

1. Check If Configured

Before querying, confirm S3 Metadata is enabled on the target bucket.

aws s3api get-bucket-metadata-configuration --bucket <BUCKET> --region <REGION>

Interpret the response:

  • MetadataConfigurationNotFound error → not enabled. See Enable section below.
  • TableStatus: ACTIVE → ready to query.
  • TableStatus: BACKFILLING → queryable but inventory may be incomplete.
  • TableStatus: FAILED → check error field (usually IAM).

For Storage Lens:

aws s3control get-storage-lens-configuration --account-id <ACCOUNT> --config-id <CONFIG_ID> --region <REGION>

Look for DataExport.StorageLensTableDestination.IsEnabled: true.

2. Enable (if not configured)

Enable S3 Metadata on a bucket:

aws s3api create-bucket-metadata-configuration \
  --bucket <BUCKET> \
  --region <REGION> \
  --metadata-configuration '{
    "JournalTableConfiguration": {"RecordExpiration": {"Expiration": "DISABLED"}},
    "InventoryTableConfiguration": {"ConfigurationState": "ENABLED"}
  }'

To also enable annotations (requires a service role):

aws s3api create-bucket-metadata-configuration \
  --bucket <BUCKET> \
  --region <REGION> \
  --metadata-configuration '{
    "JournalTableConfiguration": {"RecordExpiration": {"Expiration": "ENABLED", "Days": 90}},
    "InventoryTableConfiguration": {"ConfigurationState": "ENABLED"},
    "AnnotationTableConfiguration": {"ConfigurationState": "ENABLED", "Role": "<ROLE_ARN>"}
  }'

Enable Storage Lens S3 Tables export:

aws s3control put-storage-lens-configuration \
  --account-id <ACCOUNT> \
  --config-id <CONFIG_ID> \
  --region <REGION> \
  --storage-lens-configuration '{
    "Id": "<CONFIG_ID>",
    "IsEnabled": true,
    "AccountLevel": {"BucketLevel": {}},
    "DataExport": {
      "StorageLensTableDestination": {"IsEnabled": true}
    }
  }'

Register S3 Tables federated catalog in Glue (required for Athena access):

aws glue create-catalog --region <REGION> --cli-input-json '{
  "Name": "s3tablescatalog",
  "CatalogInput": {
    "FederatedCatalog": {
      "Identifier": "arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/*",
      "ConnectionName": "aws:s3tables"
    }
  }
}'

For setup permissions and IAM role requirements, see Security Considerations below.

3. Verify Permissions

Querying requires:

  • Athena execution permissions
  • S3 Tables read permissions (see least-privilege policy in Security Considerations)
  • The S3 Tables federated catalog registered in Glue (s3tablescatalog)
  • Athena workgroup with SSE-KMS encryption configured on the output location

If CATALOG_NOT_FOUND errors occur, the Glue integration may not be enabled. See: Integrating S3 Tables with AWS analytics services

4. Identify the Target Table

S3 Metadata tables — namespace is b_<bucket-name>:

TableWhat it captures
journalEvent log — every CREATE, DELETE, UPDATE_METADATA, and annotation events. Near real-time.
inventoryCurrent state — one row per object (latest version). Updates within 1 hour.
annotationAnnotation payloads — text_value column holds the full content. Near real-time.

Storage Lens tables — namespace is lens_<config-id>_exp:

TableWhat it captures
default_storage_metricsPer-bucket/prefix: object count, size, storage class breakdown. Daily.
default_activity_metricsPer-bucket/prefix: GET/PUT/DELETE request counts. Daily.
bucket_property_metricsBucket config: versioning, encryption, lifecycle settings. Daily.

5. Query

Query syntax:

"s3tablescatalog/aws-s3"."<namespace>"."<table>"

Constraints:

  • You MUST confirm workgroup and output location before executing

  • You MUST ensure the Athena workgroup enforces SSE-KMS encryption on query results

  • You MUST warn user that tables are read-only — no INSERT/UPDATE/DELETE

  • You SHOULD use the key columns documented in this skill to build queries. If you need the full schema (e.g., AWS has added new columns), run get-tables once on any single namespace — schemas are identical across all instances of the same table type:

    aws glue get-tables --catalog-id "<ACCOUNT>:s3tablescatalog/aws-s3" --database-name "<namespace>" --region <REGION>
    

Journal — audit who changed what:

SELECT key, record_type, record_timestamp, requester, source_ip_address
FROM "s3tablescatalog/aws-s3"."b_<bucket>"."journal"
WHERE record_type = 'DELETE'
  AND record_timestamp > current_timestamp - interval '24' hour
ORDER BY record_timestamp DESC;

Journal — track annotation events:

SELECT key, record_type, annotation.name, record_timestamp
FROM "s3tablescatalog/aws-s3"."b_<bucket>"."journal"
WHERE record_type IN ('CREATE_ANNOTATION', 'DELETE_ANNOTATION', 'UPDATE_ANNOTATION_METADATA')
ORDER BY record_timestamp DESC LIMIT 20;

Inventory — find objects by storage class:

SELECT key, size, storage_class, last_modified_date
FROM "s3tablescatalog/aws-s3"."b_<bucket>"."inventory"
WHERE storage_class = 'GLACIER'
ORDER BY size DESC LIMIT 50;

Inventory — find objects by tag:

SELECT key, size, object_tags
FROM "s3tablescatalog/aws-s3"."b_<bucket>"."inventory"
WHERE object_tags['environment'] = 'staging';

Annotation — search across payloads:

SELECT object_key, name, text_value
FROM "s3tablescatalog/aws-s3"."b_<bucket>"."annotation"
WHERE text_value LIKE '%error%';

Annotation — extract JSON fields:

SELECT object_key, json_extract_scalar(text_value, '$.status') as status
FROM "s3tablescatalog/aws-s3"."b_<bucket>"."annotation"
WHERE name = 'pipeline_status'
  AND json_extract_scalar(text_value, '$.status') = 'FAILED';

Storage Lens — storage distribution:

SELECT *
FROM "s3tablescatalog/aws-s3"."lens_<config-id>_exp"."default_storage_metrics"
LIMIT 20;

Routing: Athena vs Direct API

ScenarioUse
Single known object + annotation nameDirect API: get-object-annotation
Aggregate/count across many objectsAthena on annotation or inventory table
Full-text search across annotation payloadsAthena with LIKE or json_extract_scalar
Write/update an annotationDirect API: put-object-annotation (table is read-only)
Feature not configured on bucketDirect API loop (list-objects-v2 + head-object); suggest enabling S3 Metadata

Troubleshooting

ErrorCauseFix
CATALOG_NOT_FOUNDS3 Tables not registered in GlueEnable integration: S3 console > Table buckets > Enable integration
Empty results from journalFeature just enabled; no events recorded yetUpload/delete an object and wait ~1 minute
Empty results from inventoryTable still BACKFILLINGCheck status; wait for ACTIVE (minutes to hours depending on object count)
AccessDenied querying tableMissing s3tables:GetTable or GetTableMetadataLocationSee Security Considerations below
Wrong namespaceBucket name has periodsPeriods are converted to underscores in namespace: my.bucketb_my_bucket
No Storage Lens dataFirst delivery takes up to 48 hoursWait; no historical backfill

Security Considerations

Least-Privilege IAM Policy

Scope permissions to specific table bucket ARNs rather than using wildcards:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3tables:GetTable",
        "s3tables:GetTableMetadataLocation",
        "s3tables:GetTableData",
        "s3tables:GetNamespace",
        "s3tables:ListTables",
        "s3tables:ListNamespaces",
        "s3tables:GetTableBucket"
      ],
      "Resource": [
        "arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/aws-s3",
        "arn:aws:s3tables:<REGION>:<ACCOUNT>:bucket/aws-s3/*"
      ]
    }
  ]
}

Data Sensitivity

Journal query results may contain sensitive fields:

  • requester — AWS account ID or service principal that made the request
  • source_ip_address — IP address of the requester

Query results containing these fields should be stored in encrypted, access-controlled locations. Avoid logging or sharing raw query output that contains IP addresses or principal identifiers.

Encryption for Query Results

Configure the Athena workgroup with EncryptionConfiguration to encrypt query results at rest:

{
  "ResultConfiguration": {
    "EncryptionConfiguration": {
      "EncryptionOption": "SSE_KMS",
      "KmsKey": "arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY_ID>"
    }
  }
}

Audit Trail

Enable CloudTrail logging for Athena (StartQueryExecution, GetQueryResults) and S3 Tables (s3tables:GetTableData) API calls to maintain an audit trail of who queried what metadata. Ensure CloudTrail logs are encrypted with SSE-KMS and stored in a bucket with access logging enabled.

Additional Resources

Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.

<a href="https://skillzs.dev/skills/aws/agent-toolkit-for-aws/querying-aws-s3">View querying-aws-s3 on skillZs</a>