Monitoring CloudFront Functions - Amazon CloudFront

CloudFront Functions sends operational metrics to Amazon CloudWatch so that you can monitor your functions. Viewing these metrics can help you troubleshoot, track, and debug issues.

You can use Amazon CloudWatch Logs to get your function logs (console.log() statements).

In addition to function logs, the per-request log entries in CloudFront standard logs (access logs) and CloudFront real-time logs contain information about any errors that occur when your functions are run.


CloudFront Functions sends metrics and logs to CloudWatch only for functions in the LIVE stage that run in response to production requests and responses. When you test a function, CloudFront doesn’t send any metrics or logs to CloudWatch. The test output contains information about errors, compute utilization, and function logs (console.log() statements), but this information is not sent to CloudWatch.


CloudFront Functions publishes the following metrics to CloudWatch:

  • Invocations (FunctionInvocations) – The number of times the function was started (invoked) in a given time period.

  • Validation errors (FunctionValidationErrors) – The number of validation errors produced by the function in a given time period. Validation errors occur when the function runs successfully but returns invalid data (an invalid event object).

  • Execution errors (FunctionExecutionErrors) – The number of execution errors that occurred in a given time period. Execution errors occur when the function fails to complete successfully.

  • Compute utilization (FunctionComputeUtilization) – The amount of time that the function took to run as a percentage of the maximum allowed time. For example, a value of 35 means that the function completed in 35% of the maximum allowed time. This metric is a number between 0 and 100.

  • Throttles (FunctionThrottles) – The number of times that the function was throttled in a given time period. Functions can be throttled for the following reasons:

    • The function continuously exceeds the maximum time allowed for execution

    • The function results in compilation errors

    • There is an unusually high number of requests per second

To view these metrics in the CloudFront console, go to the Monitoring page. To view graphs for a specific function, choose Functions, select the function, and then choose View function metrics.

All of these metrics are published to CloudWatch in the US East (N. Virginia) Region (us-east-1), in the CloudFront namespace. You can also view these metrics in the CloudWatch console. In the CloudWatch console, you can view the metrics per function or per function per distribution.

You can also use CloudWatch to set alarms based on these metrics. For example, you can set an alarm based on the compute utilization metric (FunctionComputeUtilization), which represents the percentage of available time that your function took to run. When compute utilization reaches a certain value for a certain amount of time (for example, greater than 70% of available time for 15 continuous minutes), the alarm is triggered. You specify the alarm’s value and its time unit when you create the alarm.
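An added example, not AWS code: the alarm described above expressed as input for the CloudWatch PutMetricAlarm API, with a small local model of the "continuous" condition. The function name, alarm name, one-minute period, Maximum statistic, and the FunctionName and Region=Global dimensions are assumptions; confirm the dimensions against the metric as it appears in your CloudWatch console.

```javascript
// Added example. Builds PutMetricAlarm input only; nothing is sent to AWS.
function computeUtilizationAlarm(functionName, opts = {}) {
  const { thresholdPct = 70, minutes = 15, periodSeconds = 60 } = opts;
  if (!(thresholdPct > 0 && thresholdPct < 100)) {
    throw new RangeError('thresholdPct must be between 0 and 100');
  }
  if ((minutes * 60) % periodSeconds !== 0) {
    throw new RangeError('window must be a whole number of periods');
  }
  const periods = (minutes * 60) / periodSeconds;
  return {
    AlarmName: `cf-function-${functionName}-compute-utilization`, // hypothetical name
    Namespace: 'AWS/CloudFront',
    MetricName: 'FunctionComputeUtilization',
    Dimensions: [ // assumed dimension set for the per-function view
      { Name: 'FunctionName', Value: functionName },
      { Name: 'Region', Value: 'Global' },
    ],
    Statistic: 'Maximum',            // assumption: alarm on the worst datapoint
    Period: periodSeconds,
    EvaluationPeriods: periods,
    DatapointsToAlarm: periods,      // every period in the window must breach
    Threshold: thresholdPct,
    ComparisonOperator: 'GreaterThanThreshold',
    TreatMissingData: 'notBreaching', // no traffic is not treated as a breach
  };
}

// Local model of "continuous": true only if DatapointsToAlarm consecutive
// datapoints are strictly above the threshold.
function wouldAlarm(datapoints, alarm) {
  let run = 0;
  for (const value of datapoints) {
    run = value > alarm.Threshold ? run + 1 : 0;
    if (run >= alarm.DatapointsToAlarm) return true;
  }
  return false;
}

const alarm = computeUtilizationAlarm('example-function'); // hypothetical function
console.log(alarm.EvaluationPeriods, wouldAlarm(new Array(15).fill(71), alarm));
```

Create the alarm in us-east-1, the Region where these metrics are published.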


If a function’s code contains console.log() statements, CloudFront Functions automatically sends these log lines to CloudWatch Logs. If there are no console.log() statements, nothing is sent to CloudWatch Logs. You can access the log files using the CloudWatch console or the CloudWatch Logs API.

CloudFront Functions always creates log streams in the US East (N. Virginia) Region (us-east-1), no matter which edge location ran the function. The log group name is in the format /aws/cloudfront/function/FunctionName where FunctionName is the name that you gave to the function when you created it. The log stream name is in the format YYYY/M/D/UUID.

The following shows an example log message sent to CloudWatch Logs. Each line begins with an ID that uniquely identifies a CloudFront request. The message begins with a START line that includes the CloudFront distribution ID, and ends with an END line. Between the START and END lines are the log lines generated by console.log() statements in the function.

U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== START DistributionID: E3E5D42GADAXZZ
U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== Example function log output
U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== END
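An added example, not part of the AWS documentation: a parser for the message format shown above that groups lines by request ID, reads the distribution ID from the START line, and lists requests that logged START but no END in the batch. The sample lines after the first three and all function names are constructed for illustration.

```javascript
// Added example (not AWS code). SAMPLE_LINES is constructed: the first three
// lines are the example message on this page, the rest are made up.
const SAMPLE_LINES = [
  'U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== START DistributionID: E3E5D42GADAXZZ',
  'U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== Example function log output',
  'U7b4hR_RaxMADupvKAvr8_m9gsGXvioUggLV5Oyq-vmAtH8HADpjhw== END',
  'CONSTRUCTED-REQUEST-ID-0002== START DistributionID: E3E5D42GADAXZZ',
  'CONSTRUCTED-REQUEST-ID-0002== viewer request uri: /index.html',
  'CONSTRUCTED-REQUEST-ID-0003== line whose START is outside this batch',
];

// Groups log lines by the request ID that begins each line.
function parseFunctionLogs(lines) {
  const byId = new Map();
  const orphans = []; // lines whose START was not seen in this batch
  for (const raw of lines) {
    const line = raw.trim();
    if (line === '') continue;
    const sep = line.indexOf(' ');
    const id = sep === -1 ? line : line.slice(0, sep);
    const rest = sep === -1 ? '' : line.slice(sep + 1);
    const start = /^START DistributionID: (\S+)$/.exec(rest);
    if (start) {
      byId.set(id, { requestId: id, distributionId: start[1], messages: [], complete: false });
      continue;
    }
    const entry = byId.get(id);
    if (!entry) {
      orphans.push(line);
    } else if (rest === 'END') {
      // A function that logs the literal text "END" is indistinguishable here.
      entry.complete = true;
    } else {
      entry.messages.push(rest);
    }
  }
  return { requests: [...byId.values()], orphans };
}

// Request IDs that logged START but no END in the batch.
function incompleteRequests(parsed) {
  return parsed.requests.filter((r) => !r.complete).map((r) => r.requestId);
}

console.log(JSON.stringify(parseFunctionLogs(SAMPLE_LINES), null, 2));
```

Because every line carries its request ID, the grouping still works when lines from different requests are interleaved in one batch.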

CloudFront Functions uses an AWS Identity and Access Management (IAM) service-linked role to send logs to CloudWatch Logs in your account. A service-linked role is an IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all of the permissions that the service requires to call other AWS services on your behalf. CloudFront Functions uses a service-linked role called AWSServiceRoleForCloudFrontLogger. For more information about this role, see Service-linked roles for Lambda@Edge (Lambda@Edge uses the same service-linked role).

CloudFront Functions integration with CloudFront logs

When a function fails with a validation error or an execution error, information is logged in CloudFront’s standard logs and real-time logs. Information about the error is logged in the x-edge-result-type, x-edge-response-result-type, and x-edge-detailed-result-type fields. For more information about CloudFront logs, see CloudFront logging.