Logging and monitoring in CloudFront - Secure Content Delivery with Amazon CloudFront

Logging and monitoring in CloudFront

AWS provides several tools for monitoring your CloudFront resources and activity logs to help you respond to potential incidents.

When you enable AWS WAF for your distribution, CloudFront creates a security dashboard for each of your distributions. The unified dashboards can help you focus on making decisions and taking actions inline without writing security rules. Dynamic visual cues like aggregation by IP address, country, HTTP method, and URI path can help you simplify the investigative process while visual blocking actions make it easy to apply mitigating actions in one click.

CloudFront is also integrated with Amazon CloudWatch, which provides data and actionable insights from your AWS resources. CloudFront automatically publishes six operational metrics per distribution to CloudWatch. You can monitor these metrics to detect anomalous behavior and create alarms. You can watch metrics over defined time periods, and if a metric exceeds a given threshold, a notification is sent to an Amazon SNS topic or an AWS Auto Scaling policy.

For example, receiving a notification when the 4xx error rate exceeds 1% (which helps you identify clients receiving 403 Forbidden errors) allows you to quickly identify the start of a possible DDoS attack. So does receiving a notification that the total number of requests exceeds an expected value.

There are up to eight additional CloudFront metrics that you can enable for an additional cost. These metrics must be enabled for each individual distribution that requires them. For example, you can monitor and combine error rate and cache hit rate to measure CloudFront efficiency, or monitor a drop in the cache hit ratio. For more information, see Turning on additional CloudFront distribution metrics.

Default metrics like requests, data transfer, error rate and additional metrics, if enabled, are also displayed in a set of graphs in the CloudFront console and are also accessible through the AWS CLI or the CloudWatch API.

Another service that can provide valuable monitoring and visibility is Amazon Route 53, which offers the option to create health checks to monitor the health and performance of your web applications, and alert when there are significant changes based on your configured settings. For health check examples to set for CloudFront distributions, see Amazon CloudFront distributions health check examples.

You also have the option to enable CloudFront access logs, which provide detailed records about requests that are made to a distribution. This access log information is useful in security and access audits. You can enable standard logs at no additional cost; they are delivered to the Amazon S3 bucket of your choice. Another option is CloudFront real-time logs, which, for a cost, are delivered to Amazon Kinesis Data Streams within seconds of CloudFront receiving the requests. Querying both standard access logs and real-time logs enables you to explore usage patterns across your web properties that are served by CloudFront. For example, you can query for detailed HTTP status code responses on a certain day or hour, or statistics based on the URI paths.
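As an added example (not code from the original page or from AWS), the following Python reads CloudFront standard log records using the column names in their `#Fields` header, then computes the per-hour 4xx error rate and cache hit ratio and flags hours above the 1% threshold discussed above, plus the client IP and URI path pairs behind the 4xx responses. The log lines, IP addresses, host name and paths are constructed for this example.

```python
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample in CloudFront standard log format (tab-separated, preceded by
# "#Version" and "#Fields" headers). IPs, host and paths are made up for this example.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type
2024-05-01\t10:00:01\tIAD89-C1\t1024\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit
2024-05-01\t10:00:02\tIAD89-C1\t512\t198.51.100.7\tGET\td111111abcdef8.cloudfront.net\t/admin\t403\t-\tcurl/8.0\t-\t-\tError
2024-05-01\t10:05:10\tIAD89-C1\t2048\t203.0.113.10\tGET\td111111abcdef8.cloudfront.net\t/assets/app.js\t200\t-\tMozilla/5.0\t-\t-\tMiss
2024-05-01\t11:00:00\tIAD89-C1\t1024\t203.0.113.12\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit
2024-05-01\t11:10:00\tIAD89-C1\t4096\t203.0.113.12\tGET\td111111abcdef8.cloudfront.net\t/api/items\t200\t-\tMozilla/5.0\tpage=2\t-\tMiss
2024-05-01\t11:20:00\tIAD89-C1\t1024\t203.0.113.13\tGET\td111111abcdef8.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-\t-\tHit
"""

def parse_standard_log(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif not line or line.startswith("#"):
            continue  # "#Version" header or blank line
        elif fields is None:
            raise ValueError("record appears before the #Fields header")
        else:
            rec = dict(zip(fields, line.split("\t")))
            rec["cs-uri-stem"] = unquote(rec.get("cs-uri-stem", ""))  # paths are URL-encoded
            yield rec

def hourly_stats(records, threshold=0.01):
    """Per hour: request count, 4xx rate and cache hit ratio; alarm when 4xx rate > threshold."""
    buckets = defaultdict(lambda: {"requests": 0, "4xx": 0, "hits": 0})
    for r in records:
        b = buckets[f"{r['date']} {r['time'][:2]}:00"]
        b["requests"] += 1
        b["4xx"] += r["sc-status"].startswith("4")
        b["hits"] += r["x-edge-result-type"] in ("Hit", "RefreshHit")
    return {h: {"requests": b["requests"],
                "4xx_rate": round(b["4xx"] / b["requests"], 4),
                "cache_hit_ratio": round(b["hits"] / b["requests"], 4),
                "alarm": b["4xx"] / b["requests"] > threshold}
            for h, b in sorted(buckets.items())}

def top_4xx_sources(records, n=3):
    """(client IP, URI path) pairs producing the most 4xx responses, most frequent first."""
    c = Counter((r["c-ip"], r["cs-uri-stem"]) for r in records if r["sc-status"].startswith("4"))
    return c.most_common(n)
```

The same parser works on real standard log files downloaded from the log bucket, since it takes the column list from the `#Fields` line rather than assuming a fixed layout.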

It’s good practice to review CloudFront service activity with AWS CloudTrail, which provides a record of actions taken by a user, role, or AWS service in CloudFront by automatically recording and storing event logs. Using the information collected by CloudTrail, you can determine API calls made to CloudFront, the IP address from which the call was made, who made it, when it was made, and other additional details. For example, calls to the CreateDistribution, GetDistribution, and ListInvalidation APIs generate entries in CloudTrail log files.

CloudTrail helps you track and automatically respond to activity threatening the security of your AWS resources with Amazon EventBridge integration. You can monitor specific CloudFront API requests by creating EventBridge rules. A rule matches incoming events and routes them to targets for processing. For example, you can create a rule to trigger an Amazon SNS topic when the API UpdateDistribution is requested.