How do I store CloudFront standard logs in a CloudWatch logs group in my home region?


I'm building a web app that uses CloudFront. My home region is eu-west-2 (London). I want to capture the standard logs from CloudFront into a CloudWatch Logs log group in my home region. What's the easiest way to do that?

Via the console I can't configure CloudWatch Logs at all. The console is locked into choosing delivery to S3. See screenshot.


I read about how to configure it via the API. See docs.

Via the API I can configure CloudWatch Logs as a destination, but not in my home region.

Configuring CloudFront as a delivery source works.

aws logs put-delivery-source \
--region us-east-1 \
--name distribution-delivery \
--resource-arn arn:aws:cloudfront::111111111111:distribution/E1111111111111 \
--log-type ACCESS_LOGS
{
    "deliverySource": {
        "name": "distribution-delivery",
        "arn": "arn:aws:logs:us-east-1:111111111111:delivery-source:distribution-delivery",
        "resourceArns": [
            "arn:aws:cloudfront::111111111111:distribution/E1111111111111"
        ],
        "service": "cloudfront",
        "logType": "ACCESS_LOGS"
    }
}

Configuring CloudWatch Logs as a delivery destination works in us-east-1.

aws logs put-delivery-destination \
--region us-east-1 \
--name cwlogs-destination \
--delivery-destination-configuration \
    destinationResourceArn=arn:aws:logs:us-east-1:111111111111:log-group:cloudfront-test:*
{
    "deliveryDestination": {
        "name": "cwlogs-destination",
        "arn": "arn:aws:logs:us-east-1:111111111111:delivery-destination:cwlogs-destination",
        "deliveryDestinationType": "CWL",
        "deliveryDestinationConfiguration": {
            "destinationResourceArn": "arn:aws:logs:us-east-1:111111111111:log-group:cloudfront-test:*"
        }
    }
}

Configuring CloudWatch Logs as a delivery destination doesn't work in my home region eu-west-2.

aws logs put-delivery-destination \
--region us-east-1 \
--name cwlogs-destination \
--delivery-destination-configuration \
    destinationResourceArn=arn:aws:logs:eu-west-2:111111111111:log-group:cloudfront-test:*
An error occurred (ValidationException) when calling the PutDeliveryDestination operation: Region from identity does not match the Destination Resource ARN.

1 Answer

Accepted Answer

Unfortunately, it's not possible to directly store CloudFront standard logs in a CloudWatch Logs group in your home region (eu-west-2) using native AWS services. CloudFront logs are always delivered from the us-east-1 region, which is why you're encountering issues when trying to configure a destination in eu-west-2.

To achieve your goal of having CloudFront logs in your home region, you'll need to set up a two-step process:

  1. First, configure CloudFront to deliver logs to a CloudWatch Logs group in us-east-1, as you've already done.

  2. Then, set up a log data transfer from the us-east-1 log group to a log group in your eu-west-2 region.

Here's a high-level approach to accomplish this:

  1. Create a CloudWatch Logs group in us-east-1 to receive the CloudFront logs.

  2. Configure CloudFront to send logs to this us-east-1 log group using the method you've already demonstrated.

  3. Create a Lambda function in us-east-1 that will be triggered by new log events in the us-east-1 log group.

  4. This Lambda function should process the incoming logs and forward them to a CloudWatch Logs group in eu-west-2.

  5. Set up the necessary IAM permissions for the Lambda function to read from the us-east-1 log group and write to the eu-west-2 log group.

  6. Create a CloudWatch Events rule to trigger the Lambda function periodically or in response to log events.

This approach, while not as straightforward as directly logging to your home region, will allow you to have the CloudFront logs available in your eu-west-2 region. Keep in mind that this solution will incur additional costs for the Lambda function executions and data transfer between regions.

If you prefer a managed solution, you might consider using AWS services like Kinesis Data Firehose or AWS DataSync to transfer the logs between regions, though these would also involve additional setup and costs.
Sources
Send CloudFront logs to CloudWatch | AWS re:Post
Standard logging (access logs) - Amazon CloudFront

answered 19 days ago
EXPERT reviewed 19 days ago
EXPERT reviewed 19 days ago
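One way to implement steps 3 to 5 of the answer above, as an added example that is not from the post or from AWS: a Python Lambda deployed in us-east-1, invoked by a CloudWatch Logs subscription filter on the us-east-1 log group, that decodes the filter's gzipped payload, splits it into PutLogEvents-sized batches and writes them to a log group in eu-west-2. The target group name `cloudfront-test`, the stream naming and the `sample_event` helper (which builds a constructed payload for offline testing) are assumptions; the Lambda role needs only `logs:CreateLogStream` and `logs:PutLogEvents` on that one target group.

```python
import base64, gzip, json

TARGET_REGION = "eu-west-2"
TARGET_LOG_GROUP = "cloudfront-test"  # hypothetical; the group must already exist in eu-west-2
MAX_BATCH_EVENTS = 10_000    # PutLogEvents limit: events per call
MAX_BATCH_BYTES = 1_048_576  # PutLogEvents limit: bytes per call, counting 26 bytes overhead per event

def sample_event(log_events):
    """Constructed sample of what a subscription filter hands the Lambda: base64 of gzipped JSON."""
    body = {"messageType": "DATA_MESSAGE", "owner": "111111111111", "logGroup": "cloudfront-test",
            "logStream": "E1111111111111", "subscriptionFilters": ["forward"], "logEvents": log_events}
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(body).encode())).decode()}}

def decode_subscription_payload(event):
    """Reverse the envelope (base64 -> gzip -> JSON) into the document holding messageType and logEvents."""
    return json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))

def build_batches(log_events):
    """Split events into PutLogEvents-compliant batches, sorted by timestamp as the API requires."""
    events = sorted(({"timestamp": e["timestamp"], "message": e["message"]} for e in log_events),
                    key=lambda e: e["timestamp"])
    batches, current, size = [], [], 0
    for ev in events:
        ev_size = len(ev["message"].encode("utf-8")) + 26
        if current and (len(current) >= MAX_BATCH_EVENTS or size + ev_size > MAX_BATCH_BYTES):
            batches.append(current)
            current, size = [], 0
        current.append(ev)
        size += ev_size
    if current:
        batches.append(current)
    return batches

def lambda_handler(event, context):
    """Forward decoded events to a same-named stream in the eu-west-2 log group; returns the count sent."""
    import boto3  # imported here so the helpers above run without boto3 installed
    payload = decode_subscription_payload(event)
    if payload.get("messageType") != "DATA_MESSAGE":  # CONTROL_MESSAGE is the filter's test ping
        return 0
    logs = boto3.client("logs", region_name=TARGET_REGION)  # cross-region call: us-east-1 -> eu-west-2
    stream = payload["logStream"]
    try:
        logs.create_log_stream(logGroupName=TARGET_LOG_GROUP, logStreamName=stream)
    except logs.exceptions.ResourceAlreadyExistsException:
        pass  # stream created by an earlier invocation
    batches = build_batches(payload["logEvents"])
    for batch in batches:  # PutLogEvents no longer needs sequence tokens, so batches can be sent in order
        logs.put_log_events(logGroupName=TARGET_LOG_GROUP, logStreamName=stream, logEvents=batch)
    return sum(len(b) for b in batches)
```

The forwarding still goes through us-east-1, so this is a copy in eu-west-2 rather than direct delivery, and every invocation and cross-region write adds to the Lambda and data transfer costs the answer mentions.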
