Track configuration changes with AWS Config
To record and evaluate configurations of your AWS resources, you can use AWS Config, which provides you with a detailed view of the configuration of your distributions. This includes how the resources are related to one another and how they were configured in the past, so you can review changes over time.
You can also use AWS Config to record configuration changes to your CloudFront distribution settings. You can capture changes to distribution states, price classes, origins, geographic restriction settings, and Lambda@Edge configurations.
Note
AWS Config does not record key–value tags for CloudFront streaming distributions.
Contents
Set up AWS Config with CloudFront
When you set up AWS Config, you can choose to record all supported AWS resources or record only some specified resources, such as recording changes for CloudFront only. For a list of supported CloudFront resources, see the Amazon CloudFront section of the Supported Resource Types topic in the AWS Config Developer Guide.
Notes
-
To track configuration changes to your CloudFront distribution, you must sign in to the CloudFront console in the US East (N. Virginia) AWS Region.
-
There might be a delay in recording resources with AWS Config. AWS Config records resources only after it discovers the resources.
View CloudFront configuration history
After AWS Config starts recording configuration changes to your distributions, you can get the configuration history of any distribution that you have configured for CloudFront.
You can view configuration histories in the following ways.
Evaluate CloudFront configurations with AWS Config Rules
You can evaluate configurations against desired configurations with AWS Config Rules. For example, AWS Config Rules helps you to evaluate whether your CloudFront resources comply with common security best practices. You can choose managed rules like viewer policy HTTPS, SNI enabled, OAC enabled, origin failover enabled, AWS WAF WebACL, or AWS Shield Advanced resource policies to be triggered when the configuration changes.
Managed rules can run evaluations periodically, at a frequency that you choose. AWS Firewall Manager relies on AWS Config for automatic alerts and remediations. For more information, see Evaluating Resources with AWS Config Rules and List of AWS Config Managed Rules in the AWS Config Developer Guide.