Secure Content Delivery with Amazon CloudFront AWS Whitepaper
audits. You can enable standard logs at no additional cost; they are delivered to the Amazon S3 bucket of your choice. Another option is CloudFront Real-Time Logs, which, for a cost, are delivered to Amazon Kinesis Data Streams within seconds of CloudFront receiving the requests. Querying both standard access logs and real-time logs enables you to explore usage patterns across the web properties that CloudFront serves. For example, you can query for detailed HTTP status code responses on a certain day or hour, or for statistics based on the URI paths.
It’s good practice to review CloudFront service activity with AWS CloudTrail, which provides a record of actions taken by a user, role, or AWS service in CloudFront by automatically recording and storing event logs. Using the information collected by CloudTrail, you can determine which API calls were made to CloudFront, the IP address from which each call was made, who made it, when it was made, and other details. For example, calls to the CreateDistribution, GetDistribution, and ListInvalidation APIs generate entries in CloudTrail log files.
Through its Amazon EventBridge integration, CloudTrail helps you track, and automatically respond to, activity that threatens the security of your AWS resources. You can monitor specific CloudFront API requests by creating EventBridge rules. A rule matches incoming events and routes them to targets for processing. For example, you can create a rule that publishes to an Amazon SNS topic whenever the UpdateDistribution API is called.
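The rule described above, written out as an added example (not from the whitepaper): the EventBridge event pattern that selects CloudTrail-recorded UpdateDistribution calls, plus a small local matcher run over constructed sample events so the routing decision can be checked offline. The caller ARN, account ID and IP address in the samples are placeholders.

```python
import json

# EventBridge event pattern for CloudTrail-recorded CloudFront control-plane calls.
# This is the pattern you would pass to `aws events put-rule --event-pattern`;
# the target (for example an SNS topic) is attached separately with `aws events put-targets`.
CLOUDFRONT_UPDATE_PATTERN = {
    "source": ["aws.cloudfront"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["cloudfront.amazonaws.com"],
        "eventName": ["UpdateDistribution"],
    },
}

def matches(pattern, event):
    """Minimal EventBridge matcher: every pattern key must exist in the event, a list of
    allowed values matches if the event value is one of them, and nested dicts recurse.
    Only the exact-value subset of the pattern language is implemented here."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

# Constructed sample events in the shape EventBridge delivers CloudTrail API calls.
SAMPLE_EVENTS = [
    {"source": "aws.cloudfront", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "cloudfront.amazonaws.com", "eventName": "UpdateDistribution",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
                "sourceIPAddress": "203.0.113.10"}},
    {"source": "aws.cloudfront", "detail-type": "AWS API Call via CloudTrail",
     "detail": {"eventSource": "cloudfront.amazonaws.com", "eventName": "GetDistribution",
                "sourceIPAddress": "203.0.113.10"}},
]

def alerting_events(events, pattern=CLOUDFRONT_UPDATE_PATTERN):
    """Return (eventName, caller ARN, source IP) for each event the rule would route."""
    hits = []
    for ev in events:
        if matches(pattern, ev):
            d = ev["detail"]
            hits.append((d["eventName"], d.get("userIdentity", {}).get("arn"), d.get("sourceIPAddress")))
    return hits

if __name__ == "__main__":
    print(json.dumps(CLOUDFRONT_UPDATE_PATTERN, indent=2))
    print(alerting_events(SAMPLE_EVENTS))  # only the UpdateDistribution call is routed
```

Because CloudFront is a global service, its CloudTrail events are recorded in the US East (N. Virginia) region, so the EventBridge rule must be created there to receive them.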
Configuration management
To record and evaluate configurations of your AWS resources, you can use AWS Config, which provides you with a detailed view of the configuration of your distributions. This includes how the resources are related to one another and how they were configured in the past, so you can review changes over time. Examples of CloudFront-related resources are AWS WAF WebACL, AWS Certificate Manager, and S3 buckets.
You can also evaluate configurations against desired configurations with AWS Config Rules. For example, AWS Config Rules help you evaluate whether your CloudFront resources comply with common security best practices. You can choose managed rules, such as viewer policy HTTPS, SNI enabled, OAC enabled, origin failover enabled, AWS WAF WebACL, or Shield Advanced resource policies, to be triggered whenever the configuration changes. Managed rules can also run evaluations periodically at a frequency that you choose, for example every 24 hours. AWS Firewall Manager relies on AWS Config for automatic alerts and remediations. You can find the list of all AWS Config managed rules that apply to CloudFront distributions in the AWS Config Developer Guide.