Logging Amazon CloudFront API calls using AWS CloudTrail - Amazon CloudFront

Logging Amazon CloudFront API calls using AWS CloudTrail

CloudFront is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures all API calls for CloudFront as events. The calls captured include calls from the CloudFront console and code calls to the CloudFront API operations. Using the information collected by CloudTrail, you can determine the request that was made to CloudFront, the IP address from which the request was made, when it was made, and additional details.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root user or user credentials.

  • Whether the request was made on behalf of an IAM Identity Center user.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

CloudTrail is active in your AWS account when you create the account and you automatically have access to the CloudTrail Event history. The CloudTrail Event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of recorded management events in an AWS Region. For more information, see Working with CloudTrail Event history in the AWS CloudTrail User Guide. There are no CloudTrail charges for viewing the Event history.

For an ongoing record of events in your AWS account past 90 days, create a trail or a CloudTrail Lake event data store.

CloudTrail trails

A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. All trails created using the AWS Management Console are multi-Region. You can create a single-Region or a multi-Region trail by using the AWS CLI. Creating a multi-Region trail is recommended because you capture activity in all AWS Regions in your account. If you create a single-Region trail, you can view only the events logged in the trail's AWS Region. For more information about trails, see Creating a trail for your AWS account and Creating a trail for an organization in the AWS CloudTrail User Guide.

You can deliver one copy of your ongoing management events to your Amazon S3 bucket at no charge from CloudTrail by creating a trail, however, there are Amazon S3 storage charges. For more information about CloudTrail pricing, see AWS CloudTrail Pricing. For information about Amazon S3 pricing, see Amazon S3 Pricing.

CloudTrail Lake event data stores

CloudTrail Lake lets you run SQL-based queries on your events. CloudTrail Lake converts existing events in row-based JSON format to Apache ORC format. ORC is a columnar storage format that is optimized for fast retrieval of data. Events are aggregated into event data stores, which are immutable collections of events based on criteria that you select by applying advanced event selectors. The selectors that you apply to an event data store control which events persist and are available for you to query. For more information about CloudTrail Lake, see Working with AWS CloudTrail Lake in the AWS CloudTrail User Guide.

CloudTrail Lake event data stores and queries incur costs. When you create an event data store, you choose the pricing option you want to use for the event data store. The pricing option determines the cost for ingesting and storing events, and the default and maximum retention period for the event data store. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

Note

CloudFront is a global service. CloudTrail records events for CloudFront in the US East (N. Virginia) Region. For more information, see Global service events in the AWS CloudTrail User Guide.

If you use temporary security credentials by using AWS Security Token Service, calls to regional endpoints, such as us-west-2, are logged in CloudTrail to their appropriate Region.

For more information about CloudFront endpoints, see CloudFront endpoints and quotas in the AWS General Reference.

CloudFront data events in CloudTrail

Data events provide information about the resource operations performed on or in a resource (for example, reading or writing to a CloudFront distribution). These are also known as data plane operations. Data events are often high-volume activities. By default, CloudTrail doesn’t log data events. The CloudTrail Event history doesn't record data events.

Additional charges apply for data events. For more information about CloudTrail pricing, see AWS CloudTrail Pricing.

You can log data events for the CloudFront resource types by using the CloudTrail console, AWS CLI, or CloudTrail API operations. For more information about how to log data events, see Logging data events with the AWS Management Console and Logging data events with the AWS Command Line Interface in the AWS CloudTrail User Guide.

The following table lists the CloudFront resource types for which you can log data events. The Data event type (console) column shows the value to choose from the Data event type list on the CloudTrail console. The resources.type value column shows the resources.type value, which you would specify when configuring advanced event selectors using the AWS CLI or CloudTrail APIs. The Data APIs logged to CloudTrail column shows the API calls logged to CloudTrail for the resource type.

Data event type (console) resources.type value Data APIs logged to CloudTrail
CloudFront KeyValueStore AWS::CloudFront::KeyValueStore

You can configure advanced event selectors to filter on the eventName, readOnly, and resources.ARN fields to log only those events that are important to you. For more information about these fields, see AdvancedFieldSelector in the AWS CloudTrail API Reference.

CloudFront management events in CloudTrail

Management events provide information about management operations that are performed on resources in your AWS account. These are also known as control plane operations. By default, CloudTrail logs management events.

Amazon CloudFront logs all CloudFront control plane operations as management events. For a list of the Amazon CloudFront control plane operations that CloudFront logs to CloudTrail, see the Amazon CloudFront API Reference.

CloudFront event examples

An event represents a single request from any source and includes information about the requested API operation, the date and time of the operation, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so events don't appear in any specific order.

Example: UpdateDistribution

The following example shows a CloudTrail event that demonstrates the UpdateDistribution operation.

For calls to the CloudFront API, the eventSource is cloudfront.amazonaws.com.

{ "eventVersion": "1.08", "userIdentity": { "type": "AssumedRole", "principalId": "AIDACKCEVSQ6C2EXAMPLE:role-session-name", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/role-session-name", "accountId": "111122223333", "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "webIdFederationData": {}, "attributes": { "creationDate": "2024-02-02T19:23:50Z", "mfaAuthenticated": "false" } } }, "eventTime": "2024-02-02T19:26:01Z", "eventSource": "cloudfront.amazonaws.com", "eventName": "UpdateDistribution", "awsRegion": "us-east-1", "sourceIPAddress": "52.94.133.137", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", "requestParameters": { "distributionConfig": { "defaultRootObject": "", "aliases": { "quantity": 3, "items": [ "alejandro_rosalez.awsps.myinstance.com", "cross-testing.alejandro_rosalez.awsps.myinstance.com", "*.alejandro_rosalez.awsps.myinstance.com" ] }, "cacheBehaviors": { "quantity": 0, "items": [] }, "httpVersion": "http2and3", "originGroups": { "quantity": 0, "items": [] }, "viewerCertificate": { "minimumProtocolVersion": "TLSv1.2_2021", "cloudFrontDefaultCertificate": false, "aCMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "sSLSupportMethod": "sni-only" }, "webACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/testing-acl/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "customErrorResponses": { "quantity": 0, "items": [] }, "logging": { "includeCookies": false, "prefix": "", "enabled": false, "bucket": "" }, "priceClass": "PriceClass_All", "restrictions": { "geoRestriction": { "restrictionType": "none", "quantity": 0, "items": [] } }, "isIPV6Enabled": true, "callerReference": "1578329170895", "continuousDeploymentPolicyId": "", "enabled": true, "defaultCacheBehavior": { "targetOriginId": "d111111abcdef8", "minTTL": 0, "compress": false, "maxTTL": 31536000, "functionAssociations": { "quantity": 0, "items": [] }, "trustedKeyGroups": { "quantity": 0, "items": [], "enabled": false }, "smoothStreaming": false, "fieldLevelEncryptionId": "", "defaultTTL": 86400, "lambdaFunctionAssociations": { "quantity": 0, "items": [] }, "viewerProtocolPolicy": "redirect-to-https", "forwardedValues": { "cookies": {"forward": "none"}, "queryStringCacheKeys": { "quantity": 0, "items": [] }, "queryString": false, "headers": { "quantity": 1, "items": ["*"] } }, "trustedSigners": { "items": [], "enabled": false, "quantity": 0 }, "allowedMethods": { "quantity": 2, "items": [ "HEAD", "GET" ], "cachedMethods": { "quantity": 2, "items": [ "HEAD", "GET" ] } } }, "staging": false, "origins": { "quantity": 1, "items": [ { "originPath": "", "connectionTimeout": 10, "customOriginConfig": { "originReadTimeout": 30, "hTTPSPort": 443, "originProtocolPolicy": "https-only", "originKeepaliveTimeout": 5, "hTTPPort": 80, "originSslProtocols": { "quantity": 3, "items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] } }, "id": "d111111abcdef8", "domainName": "d111111abcdef8.cloudfront.net", "connectionAttempts": 3, "customHeaders": { "quantity": 0, "items": [] }, "originShield": {"enabled": false}, "originAccessControlId": "" } ] }, "comment": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "id": "EDFDVBD6EXAMPLE", "ifMatch": "E1RTLUR9YES76O" }, "responseElements": { "distribution": { "activeTrustedSigners": { "quantity": 0, "enabled": false }, "id": "EDFDVBD6EXAMPLE", "domainName": "d111111abcdef8.cloudfront.net", "distributionConfig": { "defaultRootObject": "", "aliases": { "quantity": 3, "items": [ "alejandro_rosalez.awsps.myinstance.com", "cross-testing.alejandro_rosalez.awsps.myinstance.com", "*.alejandro_rosalez.awsps.myinstance.com" ] }, "cacheBehaviors": {"quantity": 0}, "httpVersion": "http2and3", "originGroups": {"quantity": 0}, "viewerCertificate": { "minimumProtocolVersion": "TLSv1.2_2021", "cloudFrontDefaultCertificate": false, "aCMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "sSLSupportMethod": "sni-only", "certificateSource": "acm", "certificate": "arn:aws:acm:us-east-1:111122223333:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "webACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/testing-acl/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "customErrorResponses": {"quantity": 0}, "logging": { "includeCookies": false, "prefix": "", "enabled": false, "bucket": "" }, "priceClass": "PriceClass_All", "restrictions": { "geoRestriction": { "restrictionType": "none", "quantity": 0 } }, "isIPV6Enabled": true, "callerReference": "1578329170895", "continuousDeploymentPolicyId": "", "enabled": true, "defaultCacheBehavior": { "targetOriginId": "d111111abcdef8", "minTTL": 0, "compress": false, "maxTTL": 31536000, "functionAssociations": {"quantity": 0}, "trustedKeyGroups": { "quantity": 0, "enabled": false }, "smoothStreaming": false, "fieldLevelEncryptionId": "", "defaultTTL": 86400, "lambdaFunctionAssociations": {"quantity": 0}, "viewerProtocolPolicy": "redirect-to-https", "forwardedValues": { "cookies": {"forward": "none"}, "queryStringCacheKeys": {"quantity": 0}, "queryString": false, "headers": { "quantity": 1, "items": ["*"] } }, "trustedSigners": { "enabled": false, "quantity": 0 }, "allowedMethods": { "quantity": 2, "items": [ "HEAD", "GET" ], "cachedMethods": { "quantity": 2, "items": [ "HEAD", "GET" ] } } }, "staging": false, "origins": { "quantity": 1, "items": [ { "originPath": "", "connectionTimeout": 10, "customOriginConfig": { "originReadTimeout": 30, "hTTPSPort": 443, "originProtocolPolicy": "https-only", "originKeepaliveTimeout": 5, "hTTPPort": 80, "originSslProtocols": { "quantity": 3, "items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] } }, "id": "d111111abcdef8", "domainName": "d111111abcdef8.cloudfront.net", "connectionAttempts": 3, "customHeaders": {"quantity": 0}, "originShield": {"enabled": false}, "originAccessControlId": "" } ] }, "comment": "HIDDEN_DUE_TO_SECURITY_REASONS" }, "aliasICPRecordals": [ { "cNAME": "alejandro_rosalez.awsps.myinstance.com", "iCPRecordalStatus": "APPROVED" }, { "cNAME": "cross-testing.alejandro_rosalez.awsps.myinstance.com", "iCPRecordalStatus": "APPROVED" }, { "cNAME": "*.alejandro_rosalez.awsps.myinstance.com", "iCPRecordalStatus": "APPROVED" } ], "aRN": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE", "status": "InProgress", "lastModifiedTime": "Feb 2, 2024 7:26:01 PM", "activeTrustedKeyGroups": { "enabled": false, "quantity": 0 }, "inProgressInvalidationBatches": 0 }, "eTag": "E1YHBLAB2BJY1G" }, "requestID": "4e6b66f9-d548-11e3-a8a9-73e33example", "eventID": "5ab02562-0fc5-43d0-b7b6-90293example", "readOnly": false, "eventType": "AwsApiCall", "apiVersion": "2020_05_31", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "cloudfront.amazonaws.com" }, "sessionCredentialFromConsole": "true" }

Example: UpdateKeys

The following example shows a CloudTrail event that demonstrates the UpdateKeys operation.

For calls to the CloudFront KeyValueStore API, the eventSource is edgekeyvaluestore.amazonaws.com instead of cloudfront.amazonaws.com.

{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "AIDACKCEVSQ6C2EXAMPLE:role-session-name", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/role-session-name", "accountId": "111122223333", "accessKeyId": "ASIAIOSFODNN7EXAMPLE", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "AIDACKCEVSQ6C2EXAMPLE", "arn": "arn:aws:iam::111122223333:role/Admin", "accountId": "111122223333", "userName": "Admin" }, "attributes": { "creationDate": "2023-11-01T23:41:14Z", "mfaAuthenticated": "false" } } }, "eventTime": "2023-11-01T23:41:28Z", "eventSource": "edgekeyvaluestore.amazonaws.com", "eventName": "UpdateKeys", "awsRegion": "us-east-1", "sourceIPAddress": "3.235.183.252", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36, "requestParameters": { "kvsARN": "arn:aws:cloudfront::111122223333:key-value-store/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ifMatch": "KV3O6B1CX531EBP", "deletes": [ {"key": "key1"} ] }, "responseElements": { "itemCount": 0, "totalSizeInBytes": 0, "eTag": "KVDC9VEVZ71ZGO" }, "requestID": "5ccf104c-acce-4ea1-b7fc-73e33example", "eventID": "a0b1b5c7-906c-439d-9925-90293example", "readOnly": false, "resources": [ { "accountId": "111122223333", "type": "AWS::CloudFront::KeyValueStore", "ARN": "arn:aws:cloudfront::111122223333:key-value-store/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111122223333", "eventCategory": "Data", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "111122223333.cloudfront-kvs.global.api.aws" } }

For information about CloudTrail record contents, see CloudTrail record contents in the AWS CloudTrail User Guide.