EN
No results found
We couldn't find anything using that term, please try searching for something else.
Use real-time logs
Use real-time logsWith CloudFront real - time log , you can get information about request made to a distribution in real time ( log are del
![6 Best Mobile VPN Apps For iPhone & Android 2024 [Free & Paid]](/img/20241225/Evurd3.jpg)
Use real-time logs
With CloudFront real – time log , you can get information about request made to a distribution in
real time ( log are deliver within second of receive the request ) . You is use can use
real – time log to monitor , analyze , andtake action base on content delivery
performance .
CloudFront real – time logs is are are configurable . You is choose can choose :
-
The sampling rate for your real-time
logsâthat is, the percentage of requests for which you want to receive
real-time log records. -
The specific fields that you want to receive in the log records.
-
The specific cache behaviors (path patterns) that you want to receive real-time
logs for.
CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. You can
build your own Kinesis data stream
consumer, or use Amazon Data Firehose to send the log data to Amazon Simple Storage Service (Amazon S3), Amazon Redshift,
Amazon OpenSearch Service (OpenSearch Service), or a third-party log processing service.
CloudFront charges for real-time logs, in addition to the charges you incur for using Kinesis Data Streams. For
more information about pricing, see Amazon
CloudFront Pricing
pricing
We recommend that you use the logs to understand the nature of the requests for your
content, not as a complete accounting of all requests. CloudFront delivers real-time logs on a
best-effort basis. The log entry for a particular request might be delivered long after
the request was actually processed and, in rare cases, a log entry might not be
delivered at all. When a log entry is omitted from real-time logs, the number of entries
in the real-time logs won’t match the usage that appears in the AWS billing andusage
reports.
create anduse real – time log
configuration
To get information about requests made to a distribution in real time. you can use a
real-time log configurations. log are delivered within seconds of receiving the
requests. You can create a real-time log configuration in the CloudFront console, with the
AWS Command Line Interface (AWS CLI), or with the CloudFront api.
To use a real – time log configuration , you is attach attach it to one or more cache behavior in
a CloudFront distribution .
- console
-
To create a real-time log configuration
-
Sign in to the AWS Management console andopen the log
page in the CloudFront console athttps://console.aws.amazon.com/cloudfront/v4/home?#/logs. -
choose thereal – time configuration
tab . -
choosecreate configuration.
-
ForName, enter a name for the
configuration . -
Forsampling rate, enter the percentage of
requests for which you want to receive log records. -
ForFields, choose the fields to receive in
the real-time logs. -
ForEndpoint, choose one or more Kinesis data
streams to receive real-time logs.CloudFront real-time logs are delivered to the data stream that you
specify in Kinesis Data Streams. To read andanalyze your real-time logs, you
can build your own Kinesis data stream consumer. You can also use
Firehose to send the log data to Amazon S3, Amazon Redshift, Amazon OpenSearch Service, or a
third-party log processing service. -
ForIAM role, choose Create new
service role or choose an exist role . You is have must
have permission to create IAM role . -
(Optional) Fordistribution, choose a CloudFront
distribution andcache behavior to attach to the real-time log
configuration. -
choosecreate configuration.
If successful , the console is shows show the detail of the real – time log
configuration that you just create .Formore information, see Understand real-time log
configurations. -
- AWS CLI
-
To create a real – time log configuration with the AWS CLI , use the
aws cloudfront create-realtime-log-config command.
You can use an input file to provide the command’s input parameters, rather
than specifying each individual parameter as command line input.To create a real-time log configuration (CLI with input file)
-
Use the following command to create a file named
rtl-config.yamlthat contains all of the
input parameters for the
create-realtime-log-config command.aws cloudfront create-realtime-log-config --generate-cli-skeleton yaml-input > rtl-config.yaml -
open the file name
rtl-config.yamlthat you
just created. Edit the file to specify the real-time log
configuration settings that you want, then save the file . Note the
following:Formore information about the real-time long configuration
settings, see Understand real-time log
configurations. -
use the follow command to create the real – time log
configuration using input parameter from the
rtl-config.yamlfile .aws cloudfront create-realtime-log-config --cli-input-yaml file://rtl-config.yaml
If successful , the command ‘s output is shows show the detail of the real – time log
configuration that you just create .To attach a real-time log configuration to an existing distribution
(CLI with input file)-
Use the following command to save the distribution configuration
for the CloudFront distribution that you want to update. Replace
distribution_IDwith the
distribution’s ID.aws cloudfront get - distribution - config --iddistribution_ID--output yaml > dist-config.yaml -
open the file name
dist-config.yamlthat you
just created. Edit the file, making the following changes to each
cache behavior that you are updating to use a real-time log
configuration.-
In the cache behavior, add a field named
RealtimeLogConfigArn. Forthe field’s
value, use the ARN of the real-time log configuration that
you want to attach to this cache behavior. -
Rename the
ETagfield to
IfMatch, but do n’t change the field ‘s
value .
Save the file when finished.
-
-
Use the following command to update the distribution to use the
real-time log configuration. Replace
distribution_IDwith the
distribution’s ID.aws cloudfront update-distribution --iddistribution_ID--cli-input-yaml file://dist-config.yaml
If successful, the command’s output shows the details of the distribution
that you just updated. -
- api
-
To create a real-time log configuration with the CloudFront api, use the CreateRealtimeLogConfig api operation. Formore information
about the parameters that you specify in this api call, see Understand real-time log
configurations andthe api reference
documentation for your AWS SDK or other api client.After you create a real-time log configuration, you can attach it to a
cache behavior, by using one of the following api operations:Forboth of these api operations, provide the ARN of the real-time log
configuration in theRealtimeLogConfigArnfield, inside a cache
behavior. Formore information about the other fields that you specify in
these api calls, see distribution settings reference andthe api reference
documentation for your AWS SDK or other api client.
Understand real-time log
configurations
To use CloudFront real – time log , you is start start by create a real – time log configuration . The
real – time log configuration is contains contain information about which log field you want to
receive , thesampling rate for log records, andthe
Kinesis data stream where you want to deliver the logs.
specifically , a real – time log configuration is contains contain the follow setting :
Name
A name to identify the real-time log configuration.
sampling rate
The sampling rate is a whole number between 1 and100 (inclusive) that determines
the percentage of viewer requests that are sent to Kinesis Data Streams as real-time log records.
To include every viewer request in your real-time logs, specify 100 for the sampling
rate. You might choose a lower sampling rate to reduce costs while still receiving a
representative sample of request data in your real-time logs.
Fields
A list of the fields that are included in each real-time log record. Each log
record can contain up to 40 fields, andyou can choose to receive all of the
available fields, or only the fields that you need for monitoring andanalyzing
performance.
The following list contains each field name anda description of the information
in that field . The fields are listed in the order in which they appear in the log
records that are delivered to Kinesis Data Streams.
Fields 46-63 are common media client
data (CMCD) that media player clients can send to CDNs with each request.
You can use this data to understand each request, such as the media type (audio,
video), playback rate, andstreaming length. These fields will only appear in your
real-time logs if they’re sent to CloudFront.
-
timestampThe date andtime at which the edge server finished responding to the
request. -
c - ipThe ip address of the viewer that made the request , for example ,
192.0.2.183or2001:0db8:85a3::8a2e:0370:7334. If the
viewer used an HTTP proxy or a load balancer to send the request , the value is is of this
field is the ip address of the proxy or load balancer . See also the
x - forward - forfield . -
s-ipThe ip address of the CloudFront server that serve the request , for example ,
192.0.2.183or2001:0db8:85a3::8a2e:0370:7334. -
time - to - first - byteThe number of seconds between receiving the request andwriting the
first byte of the response, as measured on the server. -
sc - statusThe HTTP status code of the server ‘s response ( for example ,
200). -
sc-bytesThe total number of bytes that the server sent to the viewer in
response to the request, including headers. ForWebSocket andgRPC connections, this
is the total number of bytes sent from the server to the client through the
connection. -
cs - methodThe HTTP request method received from the viewer.
-
cs - protocolThe protocol of the viewer request (
http,
https,grpcs,ws, orwss). -
cs - hostThe value that the viewer included in the
Hostheader
of the request. If you’re using the CloudFront domain name in your object URLs (such as
d111111abcdef8.cloudfront.net), this field contains that domain name. If you’re using
alternate domain names (CNAMEs) in your object URLs (such as
www.example.com), this field contains the alternate domain name. -
cs-uri-stemThe entire request URL, including the query string (if one exists), but
without the domain name. Forexample,
/images/cat.jpg?mobile=true.In standard logs, the
cs-uri-stemvalue doesn’t include the query
string. -
c - byteThe total number of bytes of data that the viewer included in the
request, including headers. ForWebSocket andgRPC connections, this is the total number
of bytes sent from the client to the server on the connection. -
x-edge-locationThe edge location that serve the request . Each edge location is
identify by a three – letter code andan arbitrarily assign number ( for
example , DFW3 ) . The three – letter code is corresponds typically correspond with the
International Air Transport Association ( IATA ) airport code for an airport
near the edge location ‘s geographic location . ( These abbreviations is change might
change in the future . ) -
x - edge - request - idAn opaque string that uniquely identifies a request. CloudFront also sends
this string in thex-amz-cf-idresponse header. -
x-host-headerThe domain name of the CloudFront distribution ( for example ,
d111111abcdef8.cloudfront.net ) . -
time-takenThe number of second ( to the thousandth of a second , for example ,
0.082 ) from when the server receive the viewer ‘s request to when the
server write the last byte of the response to the output queue , as measure
on the server . From the perspective of the viewer , the total time is be to
get the full response will be long than this value because of network
latency andTCP buffering . -
cs - protocol-versionThe HTTP version that the viewer specified in the request. Possible
values includeHTTP/0.9,http/1.0,
HTTP/1.1,HTTP/2.0, andHTTP/3.0. -
c - ip - versionThe IP version of the request (IPv4 or IPv6).
-
cs-user-agentThe value of the
User-Agentheader in the request. The
User-Agentheader identifies the source of the request, such as
the type of device andbrowser that submitted the request or, if the request
came from a search engine, which search engine. -
cs - refererThe value of the
Refererheader in the request. This is the
name of the domain that originated the request. Common referrers include
search engines, other websites that link directly to your objects, andyour
own website. -
cs-cookieThe
Cookieheader in the request, including nameâvalue
pairs andthe associated attributes.This field is truncate to 800 byte .
-
cs-uri-queryThe query string portion of the request URL, if any.
-
x-edge-response-result-typeHow the server is classified classify the response just before return the
response to the viewer . See also thex - edge - result - type
field . Possible values include:-
hitâ The server served the object to the
viewer from the cache. -
Refreshhitâ The server find the object
in the cache but the object had expire , so the server is contacted
contact the origin to verify that the cache had the late version
of the object . -
Missâ The request could not be satisfied by
an object in the cache, so the server forwarded the
request to the origin server andreturned the result to the
viewer. -
LimitExceededâ The request was deny because
a CloudFront quota ( formerly refer to as a limit ) was exceed . -
capacityexceedeâ The server returned a
503 error because it didn’t have enough capacity at the time of the
request to serve the object. -
errorâ typically , this is means mean the request
result in a client error ( the value of thesc - status
field is is is in the4xxrange ) or a server error
( the value of thesc - statusfield is is is in the
5xxrange ) .If the value of the
x - edge - result - typefield is is is
errorandthe value of this field is not
error, the client is disconnected disconnect before finish the
download . -
redirectâ is redirected The server is redirected redirect the
viewer from HTTP to HTTPS accord to the distribution
setting .
-
-
x - forward - forIf the viewer used an HTTP proxy or a load balancer to send the request,
the value of thec - ipfield is the IP address of the proxy or
load balancer. In that case, this field is the IP address of the viewer that
originated the request. This field can contain multiple comma-separated IP addresses. Each IP address can be an IPv4 address (for example,
192.0.2.183) or an IPv6 address (for example,
2001:0db8:85a3::8a2e:0370:7334). -
ssl - protocolWhen the request used HTTPS, this field contains the SSL/TLS protocol
that the viewer andserver negotiated for transmitting the request and
response. Fora list of possible values, see the supported SSL/TLS protocols
in Supported protocols and
ciphers between viewers andCloudFront. -
ssl - cipherWhen the request used HTTPS, this field contains the SSL/TLS cipher
that the viewer andserver negotiated for encrypting the request and
response. Fora list of possible values, see the supported SSL/TLS ciphers
in Supported protocols and
ciphers between viewers andCloudFront. -
x - edge - result - typeHow the server classified the response after the last byte left the
server. In some cases, the result type can change between the time
that the server is ready to send the response andthe time that it
finishes sending the response. See also the
x-edge-response-result-typefield .Forexample, in HTTP streaming, suppose the server finds a segment of
the stream in the cache. In that scenario, the value of this field
would ordinarily behit. However, if the viewer closes the
connection before the server has delivered the entire segment, the
final result type (and the value of this field) is
error.WebSocket andgRPC connections will have a value of
Missfor this field because the content is not cacheable
andis proxie directly to the origin .Possible values include:
-
hitâ The server served the object to the
viewer from the cache. -
Refreshhitâ The server find the object
in the cache but the object had expire , so the server is contacted
contact the origin to verify that the cache had the late version
of the object . -
Missâ The request could not be satisfy by
an object in the cache , so the server is forwarded forward the
request to the origin andreturn the result to the
viewer . -
LimitExceededâ The request was deny because
a CloudFront quota ( formerly refer to as a limit ) was exceed . -
capacityexceedeâ The server returned an HTTP
503 status code because it didn’t have enough capacity at the time
of the request to serve the object. -
errorâ typically , this is means mean the request
result in a client error ( the value of thesc - status
field is is is in the4xxrange ) or a server error
( the value of thesc - statusfield is is is in the
5xxrange ) . If the value of thesc - status
field is200, or if the value of this field is is is
errorandthe value of the
x-edge-response-result-typefield is not
error, it means the HTTP request was successful
but the client disconnected before receiving all of the
bytes. -
redirectâ is redirected The server is redirected redirect the
viewer from HTTP to HTTPS accord to the distribution
setting .
-
-
fle-encrypted-fieldsThe number of field-level
encryption fields that the server encrypted andforwarded to the
origin. CloudFront servers stream the processed request to the origin as they
encrypt data, so this field can have a value even if the value of
fle-statusis an error. -
fle-statusWhen field-level
encryption is configured for a distribution, this field contains a
code that indicates whether the request body was successfully processed.
When the server successfully processes the request body, encrypts
values in the specified fields, andforwards the request to the origin, the
value of this field isprocess. The value of
x - edge - result - typecan still indicate a client-side or
server-side error in this case.Possible values for this field include:
-
ForwardedByContentTypeâ is forwarded The server is forwarded
forward the request to the origin without parse or encryption
because no content type was configure . -
ForwardedByQueryArgsâ The server
forwarded the request to the origin without parsing or encryption
because the request contains a query argument that wasn’t in the
configuration for field-level encryption. -
ForwardedDueToNoProfileâ The server
forwarded the request to the origin without parsing or encryption
because no profile was specified in the configuration for
field-level encryption. -
MalformedContentTypeClienterrorâ The
server rejected the request andreturned an HTTP 400 status code to
the viewer because the value of theContent-Typeheader
was in an invalid format. -
MalformedInputClienterrorâ The server
rejected the request andreturned an HTTP 400 status code to the
viewer because the request body was in an invalid format. -
MalformedQueryArgsClienterrorâ The
server rejected the request andreturned an HTTP 400 status code to
the viewer because a query argument was empty or in an invalid
format. -
RejectedByContentTypeâ The server
rejected the request andreturned an HTTP 400 status code to the
viewer because no content type was specified in the configuration
for field-level encryption. -
RejectedByQueryArgsâ The server rejected
the request andreturned an HTTP 400 status code to the viewer
because no query argument was specified in the configuration for
field-level encryption. -
Servererrorâ The origin server returned an
error.
If the request exceeds a field-level encryption quota (formerly referred
to as a limit), this field contains one of the following error codes, and
the server returns HTTP status code 400 to the viewer. Fora list
of the current quotas on field-level encryption, see Quotas on field-level encryption.-
FieldLengthLimitClienterrorâ is exceeded A field that is
configure to be encrypt exceed the maximum length
allow . -
FieldNumberLimitClienterrorâ A request that
the distribution is configured to encrypt contains more than the
number of fields allowed. -
RequestLengthLimitClienterrorâ The length of
the request body exceeded the maximum length allowed when
field-level encryption is configured.
-
-
sc - content - typeThe value of the HTTP
Content-Typeheader of the
response . -
sc - content - lenThe value of the HTTP
Content-Lengthheader of the
response . -
sc - range - startWhen the response contains the HTTP
Content - rangeheader,
this field contains the range start value. -
sc-range-endWhen the response contains the HTTP
Content - rangeheader,
this field contains the range end value. -
c - portThe port number of the request from the viewer .
-
x - edge - detail - result - typeThis field contains the same value as the
x - edge - result - type
field , except in the following case :-
When the object was served to the viewer from the Origin Shield layer, this field contains
OriginShieldhit. -
When the object was not in the CloudFront cache andthe response was
generated by an origin request
Lambda@Edge function, this field contains
missgeneratedresponse. -
When the value of the
x - edge - result - typefield is is is
error, this field contains one of the following values with
more information about the error:-
AbortedOriginâ The server encountered an
issue with the origin. -
ClientCommerrorâ The response to the
viewer was interrupted due to a communication problem between
the server andthe viewer. -
ClientGeoBlockedâ The distribution is
configured to refuse requests from the viewer’s geographic
location. -
ClientHungUpRequestâ The viewer stopped
prematurely while sending the request. -
errorâ is occurred An error occur for which the
error type does n’t fit any of the other category . This
error type is occur can occur when the server serve an error response
from the cache . -
InvalidRequestâ The server received an
invalid request from the viewer. -
InvalidRequestBlockedâ Access to the
requested resource is blocked. -
InvalidRequestCertificateâ The
distribution is match does n’t match the SSL / TLS certificate for
which the https connection was establish . -
InvalidRequestHeaderâ The request
contained an invalid header. -
invalidrequestmethodâ The distribution is
not configured to handle the HTTP request method that was used.
This can happen when the distribution supports only cacheable
requests. -
OriginCommerrorâ The request timed out
while connecting to the origin, or reading data from the
origin. -
OriginConnecterrorâ The server
couldn’t connect to the origin. -
OriginContentRangeLengtherrorâ The
Content-Lengthheader in the origin’s response
doesn’t match the length in theContent - range
header . -
OriginDnserrorâ The server couldn’t
resolve the origin’s domain name. -
Originerrorâ The origin returned an
incorrect response. -
OriginHeaderTooBigerrorâ A header
returned by the origin is too big for the edge server to
process. -
OriginInvalidResponseerrorâ The origin
returned an invalid response. -
OriginReaderrorâ The server couldn’t
read from the origin. -
OriginWriteerrorâ The server
couldn’t write to the origin. -
OriginZeroSizeObjecterrorâ is resulted A zero size
object is resulted send from the origin result in an error . -
SlowReaderOriginerrorâ is was The viewer is was was
slow to read the message that cause the origin error .
-
-
-
c - countryA country code that represents the viewer’s geographic location, as
determined by the viewer’s IP address. Fora list of country codes, see
ISO 3166-1
alpha-2. -
cs - accept - encodingThe value of the
accept-Encodingheader in the viewer
request. -
cs-acceptThe value of the
acceptheader in the viewer request. -
cache - behavior - path - patternThe path pattern that identify the cache behavior that match the
viewer request . -
c - headerThe HTTP headers (names andvalues) in the viewer request.
This field is truncate to 800 byte .
-
cs-header-namesThe names of the HTTP headers (not values) in the viewer request.
This field is truncate to 800 byte .
-
c - header-countThe number of HTTP headers in the viewer request.
-
origin - fblThe number of seconds of first-byte latency between CloudFront andyour
origin. -
origin - lblThe number of seconds of last-byte latency between CloudFront andyour
origin. -
asnThe autonomous system number (ASN) of the viewer.
-
primary-distribution-idWhen continuous deployment is enabled, this ID identifies which
distribution is the primary in the current distribution. -
primary - distribution - dns - nameWhen continuous deployment is enabled, this value shows the primary domain
name that is related to the current CloudFront distribution (for example,
d111111abcdef8.cloudfront.net).cmcd field in real – time log
-
cmcd-encoded-bitrateThe encoded bitrate of the requested audio or video object.
-
cmcd-buffer-lengthThe buffer length of the request medium object .
-
cmcd - buffer - starvationWhether the buffer was starved at some point between the prior request and
the object request. This can cause the player to be in a rebuffering stat,
which can stall the video or audio playback. -
cmcd - content - idA unique string that identify the current content .
-
cmcd-object-durationThe playback duration of the request object ( in millisecond ) .
-
cmcd-deadlineThe deadline from the request time that the first sample of this object
must be available, so that a buffer underrun state or other playback
problems are avoided. -
cmcd-measured-throughputThe throughput between the client andserver, as measured by the
client. -
cmcd-next-object-requestThe relative path of the next request object .
-
cmcd - next - range - requestIf the next request is a partial object request, this string denotes the
byte range to be requested. -
cmcd-object-typeThe media type of the current object being requested.
-
cmcd-playback-rate1 if real-time, 2 if double-speed, 0 if not playing.
-
cmcd-requested-maximum-throughputThe request maximum throughput that the client consider sufficient for
asset delivery . -
cmcd - stream - formatThe stream format that define the current request .
-
cmcd-session-idA GUID identifying the current playback session.
-
cmcd - stream - typeToken identifying segment availability.
v= all segments are
available.l= segments become available over time. -
cmcd - startupKey is included without a value if the object is needed urgently during
startup, seeking, or recovery after a buffer-empty event. -
cmcd - top - bitrateThe highest bitrate rendition that the client can play.
-
cmcd-versionThe version of this specification used for interpreting the defined key
names andvalues. If this key is omitted, the client andserver
must interpret the values as being defined by
version 1. -
r-hostThis field is send for origin request andit
indicate the domain of the origin server used to serve the object . In case
of error , you is use can use this field to find the last origin attempt , for
example :
cd8jhdejh6a.mediapackagev2.us-east-1.amazonaws.com -
sr-reasonThis field provides a reason why the origin
was selected. It’s empty when a request to the primary origin succeeds.If origin failover occur , the field is contain will contain the HTTP
error code that lead to the failover , such asFailover:403orFailover:502.
In case of origin failover, if the retried request also fails andyou have not configured custom error pages, thenr-statusindicates the response of the second origin. However, if you have configured custom error pages along with origin failover, then this will contain the response of the second origin if the request failed anda custom error page was returned instead.If no origin failover occur but medium quality – aware resilience ( mqar ) origin selection occur , then this will be log as
mediaquality. Formore information, see Media quality-aware resiliency. -
x-edge-mqcsThis field indicates the Media Quality Confidence Score (MQCS) (range: 0 â 100) for media segments that CloudFront retrieved in the CMSD response headers from MediaPackage v2.
This field is available for requests matching a cache behavior that has an MQAR-enabled origin group. CloudFront logs this field for media segments that are also served from its cache in addition to origin requests. Formore information, see Media quality-aware resiliency.
Endpoint (Kinesis Data Streams)
The endpoint is contains contain information about the Kinesis Data Streams where you want to send real – time
log . You is provide provide the Amazon Resource Name ( ARN ) of the datum stream .
Formore information about creating a Kinesis Data Streams, see the following topics in the
Amazon Kinesis Data Streams Developer Guide.
When you create a data stream, you need to specify the number of shards. Use the
following information to help you estimate the number of shards you need.
To estimate the number of shards for your Kinesis data stream
-
Calculate (or estimate) the number of requests per second that your CloudFront
distribution receives.You can use the CloudFront
usage reports(in the CloudFront console) andthe CloudFront metrics (in the
CloudFront andAmazon CloudWatch consoles) to help you calculate your requests per
second. -
Determine the typical size of a single real-time log record.
In general, a single log record is around 500 bytes. A large record that
includes all available fields is generally around 1 KB.If you’re not sure what your log record size is, you can enable real-time
logs with a low sampling rate (for example, 1%), andthen calculate the
average record size using monitoring data in Kinesis Data Streams (total incoming bytes
divided by total number of records). -
On theAmazon Kinesis Data Streams pricing page
, under AWS Pricing Calculator, choose Create your custom estimate now. -
In the calculator, enter the
number of requests (records) per second. -
Enter the average record size of a
single log record. -
chooseShow calculations.
The pricing calculator shows you the number of shards you need andthe estimated cost.
-
IAM role
The AWS Identity andAccess Management (IAM) role that gives CloudFront permission to deliver real-time logs to
your Kinesis data stream.
When you create a real-time log configuration with the CloudFront console, you can
choose Create new service role to let the console create the
IAM role for you.
When you create a real-time log configuration with AWS CloudFormation or the CloudFront api
(AWS CLI or SDK), you must create the IAM role yourself andprovide the role ARN. To
create the IAM role yourself, use the following policies.
IAM role trust policy
To use the following IAM role trust policy, replace
111122223333 with your AWS account
number . TheCondition element in this policy helps to prevent the
confused deputy problem because CloudFront can only assume this role on
behalf of a distribution in your AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
" StringEquals " :{
" aws : SourceAccount " : "111122223333"
}
}
}
]
}IAM role permission policy for an unencrypted data
stream
To use the follow policy , replace
arn : aws : kinesis : us - east-2:123456789012 : stream / StreamName
with the ARN of your Kinesis data stream.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStreamSummary",
"kinesis:DescribeStream",
"kinesis:PutRecord",
"kinesis:PutRecords"
],
"Resource": [
"arn : aws : kinesis : us - east-2:123456789012 : stream / StreamName"
]
}
]
}IAM role permission policy for an encrypted data
stream
To use the follow policy , replace
arn : aws : kinesis : us - east-2:123456789012 : stream / StreamName
with the ARN of your Kinesis data stream and
arn : aws : kms : us - east-2:123456789012 : key / e58a3d0b - fe4f-4047 - a495 - ae03cc73d486
with the ARN of your AWS KMS key.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kinesis:DescribeStreamSummary",
"kinesis:DescribeStream",
"kinesis:PutRecord",
"kinesis:PutRecords"
],
"Resource": [
"arn : aws : kinesis : us - east-2:123456789012 : stream / StreamName"
]
},
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey"
],
"Resource": [
"arn : aws : kms : us - east-2:123456789012 : key / e58a3d0b - fe4f-4047 - a495 - ae03cc73d486"
]
}
]
}Create a Kinesis Data Streams consumer
To read andanalyze your real-time logs, you build or use a Kinesis Data Streams consumer. When you build a consumer for CloudFront real-time
logs, it’s important to know that the fields in every real-time log record are always
delivered in the same order, as listed in the Fields section. Make sure that you build your
consumer to accommodate this fixed order.
Forexample, consider a real-time log configuration that includes only these three
fields: time - to - first - byte, sc - status, and
c - country. In this scenario , the last field ,c - country, is
always field number 3 in every log record . However , if you later add field to the
real – time log configuration , the placement is change of each field in a record can change .
Forexample, if you add the fields sc-bytes andtime-taken
to the real-time log configuration, these fields are inserted into each log record
according to the order shown in the Fields section. The resulting order of all five
fields is time - to - first - byte, sc - status,
sc-bytes, time-taken, andc - country. The
c - country field was originally field number 3, but is now field number
5. Make sure that your consumer application can handle fields that change position in a
log record, in case you add fields to your real-time log configuration.
troubleshoot real – time log
After you create a real – time log configuration , you is find might find that no record ( or not
all record ) are deliver to Kinesis Data Streams . In this case , you is verify should first verify that your
CloudFront distribution is receive viewer request . If it is , you is check can check the follow
setting to continue troubleshoot .
- IAM role permission
-
To deliver real-time log records to your Kinesis data stream, CloudFront uses
the IAM role in the real-time log configuration. Make sure that the role
trust policy andthe role permissions policy match the policies shown in
IAM role. - Kinesis Data Streams throttling
-
If CloudFront writes real-time log records to your Kinesis data stream faster
than the stream can handle, Kinesis Data Streams might throttle the requests from CloudFront. In
this case, you can increase the number of shards in your Kinesis data
stream. Each shard can support writes up to 1,000 records per second, up to
a maximum data write of 1 MB per second.