How do I turn on logging for my CloudFront distribution?

Short description

CloudFront standard logs, or access logs, detail every request that's made to a CloudFront distribution. These logs are delivered to an Amazon Simple Storage Service (Amazon S3) bucket. CloudFront doesn’t charge for standard logs. However, you can accrue Amazon S3 charges for storing and accessing files on Amazon S3.

CloudFront real-time logs provide information about requests made to a distribution as they occur. You configure the percentage of requests and specific fields that you want to receive in the log records. These logs are delivered to Amazon Kinesis Data Streams. Real-time logs are charged based on the number of log lines that are generated. For more information about CloudFront pricing, see CloudFront Pricing. For more information about Kinesis Data Streams costs, see Amazon Kinesis Data Streams Pricing.

Resolution

Turn on CloudFront standard logs

Before turning on standard access logs for your CloudFront distribution, note:

• Don’t choose an Amazon S3 bucket with S3 Object Ownership set to Bucket owner enforced. This setting removes network access control lists (ACL) for the bucket and the objects in it, which means that CloudFront can't deliver log files to the bucket.
• CloudFront doesn't deliver standards logs to Amazon S3 buckets in the following AWS Regions: Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Jakarta), Europe (Milan), and Middle East (Bahrain).
• Your AWS account must have the s3:GetBucketAcl and s3:PutBucketAcl permissions for the Amazon S3 bucket where you want to deliver the logs.
• The network ACL for the Amazon S3 bucket must grant your AWS account FULL_CONTROL. If you're the bucket owner, then your account has this permission by default. If you're not the bucket owner, then the bucket owner must update the ACL for the bucket.
• If the Amazon S3 bucket uses server-side encryption with AWS KMS keys (SSE-KMS) using a customer managed key, then you must have the Required key policy for SSE-KMS buckets.

To turn on standard logging for a CloudFront distribution, follow these steps:

1. Access the CloudFront console.
2. Choose the distribution you want to update.
3. On the General tab, under Settings, choose Edit.
4. For Standard logging, select On.
5. Choose the S3 bucket where you want CloudFront to deliver the log files. You can specify an optional prefix for the file names.
6. (Optional) For Cookie logging, select On or Off. If turned on, CloudFront logs the cookies in all requests regardless of which cookies you choose to forward to the origin.
7. Choose Save changes.

Turn on CloudFront real-time logs

1. Access the CloudFront console.
2. From the left-hand navigation, select Logs.
3. Choose the Real-time configurations tab.
4. Choose Create configuration.
5. For Sampling rate, enter the percentage of requests for which you want to receive real-time log records.
6. For Fields, choose the specific fields that you want to receive in the log records. In the Choose options dropdown list, select any fields that you want to include in the configuration.
7. Choose one or more Kinesis data streams to receive real-time logs.
   Note: CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. To read and analyze your real-time logs, you can build your own Kinesis data stream consumer. Or, use Amazon Kinesis Data Firehose to send the log data to Amazon S3, Amazon Redshift, Amazon OpenSearch Service, or a third-party log processing service.
8. For IAM role, choose Create new service role for the console to create an IAM role for you. To use this option, you must have permission to create IAM roles.
   -or-
   Use an existing IAM role.
9. (Optional) In the Distribution section, choose a CloudFront distribution and cache behavior to attach to the real-time log configuration.
10. Choose Create configuration.