Logging and monitoring in CloudFront
AWS provides several tools for monitoring your CloudFront resources and activity logs to help you respond to potential incidents.
When you enable AWS WAF for your distribution, CloudFront creates a security dashboard for each of your distributions. The unified dashboards can help you focus on making decisions and taking actions inline without writing security rules. Dynamic visual cues like aggregation by IP address, country, HTTP method, and URI path can help you simplify the investigative process while visual blocking actions make it easy to apply mitigating actions in one click.
CloudFront is also integrated with Amazon CloudWatch
For example, receiving a notification when the 4xx error rate exceeds 1% (which helps you identify clients receiving 403 Forbidden errors) allows you to quickly identify the start of a possible DDoS attack. So does receiving a notification that the total number of requests exceeds an expected value.
There are up to eight additional CloudFront metrics that you can enable for an additional cost. These metrics must be enabled for each individual distribution that requires them. For example, you can monitor and combine error rate and cache hit rate to measure CloudFront efficiency, or monitor for a drop in the cache hit ratio. For more information, see Turning on additional CloudFront distribution metrics.
Default metrics like requests, data transfer, error rate and additional metrics, if enabled, are also displayed in a set of graphs in the CloudFront console.
Another service that can provide valuable monitoring and visibility is Amazon Route 53, which offers the option to create health checks to monitor the health and performance of your web applications, and alert when there are significant changes based on your configured settings. For health check examples to set for CloudFront distributions, see Amazon CloudFront distributions health check examples.
You also have the option to enable CloudFront access logs, which provide detailed records about requests that are made to a distribution. This access log information is useful in security and access audits. You can enable standard logs at no additional cost, which are delivered to the Amazon S3 bucket of your choice. Another option is CloudFront Real-Time Logs, which, for a cost
It's good practice to review CloudFront service activity with AWS CloudTrail. CloudTrail helps you track and automatically respond to activity threatening the security of your AWS resources through its Amazon EventBridge integration. You can monitor specific CloudFront API requests by creating EventBridge rules. A rule matches incoming events and routes them to targets for processing. For example, you can create a rule that publishes to an Amazon SNS topic when the UpdateDistribution API is requested.
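As an added example that is not part of the AWS page, the following CloudFormation template wires together both alerts described above: a CloudWatch alarm that fires when a distribution's 4xx error rate exceeds 1%, and an EventBridge rule that publishes to an SNS topic when CloudTrail records an UpdateDistribution call. The distribution ID and alert e-mail address are parameters you supply (the `EXAMPLE123` value is a placeholder), and the stack must be deployed in us-east-1, where CloudFront publishes its CloudWatch metrics and where CloudTrail delivers events for this global service.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DistributionId: { Type: String, Description: "Distribution to watch (placeholder, e.g. EXAMPLE123)" }
  AlertEmail: { Type: String, Description: "Address that receives alarm and change notifications" }
Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - { Protocol: email, Endpoint: !Ref AlertEmail }
  # EventBridge needs explicit permission to publish to the topic
  AlertTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics: [!Ref AlertTopic]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sns:Publish
            Resource: !Ref AlertTopic
  # 4xxErrorRate is a percentage; alarm when it stays above 1% for two 5-minute periods
  High4xxErrorRate:
    Type: AWS::CloudWatch::Alarm
    Properties:
      Namespace: AWS/CloudFront
      MetricName: 4xxErrorRate
      Dimensions:
        - { Name: DistributionId, Value: !Ref DistributionId }
        - { Name: Region, Value: Global }   # CloudFront metrics always use Region=Global
      Statistic: Average
      Period: 300
      EvaluationPeriods: 2
      Threshold: 1
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions: [!Ref AlertTopic]
  # Match the CloudTrail API event for any change to a distribution's configuration
  DistributionChangeRule:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        source: [aws.cloudfront]
        detail-type: ["AWS API Call via CloudTrail"]
        detail:
          eventSource: [cloudfront.amazonaws.com]
          eventName: [UpdateDistribution]
      Targets:
        - { Id: NotifySecurityTeam, Arn: !Ref AlertTopic }
```

The EventBridge rule only sees UpdateDistribution events if a CloudTrail trail (or CloudTrail's default management event delivery) is active in us-east-1; the alarm's 1% threshold is the page's example value and should be tuned to the distribution's normal 4xx baseline.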