
Amazon CloudFront

Both Amazon CloudFront Download and Streaming distributions deliver content using the edge locations of the Amazon Web Services (AWS) content delivery network (CDN).

Log File Delivery Interval

Both services can be configured to write access logs to a selected bucket in S3. Access logs are delivered multiple times per hour depending on the traffic.

Logging Setup

Using Qloudstat: Choose to edit a configuration. On the edit page you can toggle access log delivery using the Enable Logging button. Note that your changes are applied instantaneously.

Using Cyberduck: Follow the instructions on the Cyberduck Help Wiki to enable bucket logging and choose a target bucket for access logs. Cyberduck also provides a convenient feature to add an IAM user to your AWS account that Qloudstat can use to read your access logs.

Using the AWS Console

  • Enable Logging: Log into the AWS Console and choose Edit in the Distribution Details for the distribution whose access logs you want delivered. Set the target bucket and prefix for AWS to deliver log files to:

    • The logging target should be a different S3 bucket than the origin. Otherwise your report will include requests for log files delivered by Amazon and download requests for log files.
    • Use a different logging target bucket for every S3 bucket and CloudFront distribution, or at least choose a different logging target prefix. This helps Qloudstat fetch your log files more efficiently.

Authentication for Qloudstat

You can find a fine-grained IAM policy snippet preconfigured with your bucket names when editing your configuration.

  • Authentication for Qloudstat with IAM: The access key and secret are preferably the credentials of a dedicated IAM user created to give Qloudstat access to your account. Please use the AWS Console to create an IAM user with the grants needed to access your log files.

    Follow these steps to create a new IAM user:

    • Choose Create New Users in the IAM Console.
    • Make sure the checkbox Generate an access key for each User is selected.
    • After creating the user, select Show User Security Credentials.
    • Copy the Access Key Id and Secret Access Key to paste here.
    • Select the newly created user in the list and choose the Permissions tab.
    • Select Attach User Policy.
    • Select Custom Policy and enter the following policy document:
      {
          "Statement": [
              {
                  "Action": [
                      "s3:ListAllMyBuckets",
                      "s3:GetBucketLogging",
                      "s3:GetBucketLocation"
                  ],
                  "Effect": "Allow",
                  "Resource": "arn:aws:s3:::*"
              },
              {
                  "Action": [
                      "s3:ListBucket"
                  ],
                  "Condition": {
                      "Bool": { "aws:SecureTransport": "true" },
                      "StringLike" : {"s3:prefix":["*"]}
                  },
                  "Effect": "Allow",
                  "Resource": "arn:aws:s3:::loggingtargetbucket"
              },
              {
                  "Action": [
                      "s3:GetObject"
                  ],
                  "Condition": {
                      "Bool": { "aws:SecureTransport": "true" }
                  },
                  "Effect": "Allow",
                  "Resource": "arn:aws:s3:::loggingtargetbucket/*"
              },
              {
                  "Action": [
                      "cloudfront:Get*",
                      "cloudfront:List*"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }
    • Select Apply Policy.

    Replace loggingtargetbucket with the name of your logging target bucket.

    More information can be found in the AWS Reference.

Supported Dimensions & Metrics

Refer to the list of Dimensions and Metrics.

Purge Log Files

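You can find a fine-grained IAM policy snippet preconfigured with your bucket names when editing your configuration.

Add the following statement to your existing IAM policy. As written, the Resource arn:aws:s3:::* matches objects in every bucket of the account; to restrict deletion to log files, use arn:aws:s3:::loggingtargetbucket/* with the name of your logging target bucket instead: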

{
    "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::*"
    }
    ]
}
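
A check you can run on the combined policy before attaching it to the IAM user. This is an added example, not part of Qloudstat or the AWS tooling: it flags read, list and delete grants that reach beyond the logging target bucket or lack the aws:SecureTransport condition. The function names, the choice of actions to audit and the merged sample policy are assumptions made for this illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed input: the S3 statements of the policy above merged with the
# purge statement, as they would sit together on the Qloudstat IAM user.
POLICY = json.loads("""
{"Statement": [
  {"Effect": "Allow", "Resource": "arn:aws:s3:::*",
   "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLogging", "s3:GetBucketLocation"]},
  {"Effect": "Allow", "Resource": "arn:aws:s3:::loggingtargetbucket",
   "Action": ["s3:ListBucket"],
   "Condition": {"Bool": {"aws:SecureTransport": "true"}, "StringLike": {"s3:prefix": ["*"]}}},
  {"Effect": "Allow", "Resource": "arn:aws:s3:::loggingtargetbucket/*",
   "Action": ["s3:GetObject"],
   "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
  {"Effect": "Allow", "Resource": "arn:aws:s3:::*", "Action": "s3:DeleteObject"}
]}
""")

# Actions that read, list or delete log data (the ones worth scoping tightly).
DATA_ACTIONS = ("s3:GetObject", "s3:DeleteObject", "s3:ListBucket")

def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy, log_bucket):
    """Return (action, resource, problem) tuples for over-broad data grants."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in as_list(stmt["Action"])]
        tls = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        for action in DATA_ACTIONS:
            # IAM action names are case-insensitive and may contain wildcards.
            if not any(fnmatchcase(action.lower(), p) for p in patterns):
                continue
            for res in as_list(stmt["Resource"]):
                bucket = res.split(":::", 1)[-1].split("/", 1)[0]
                if bucket != log_bucket:
                    findings.append((action, res, "not limited to log bucket"))
            if tls != "true":
                findings.append((action, "-", "no aws:SecureTransport condition"))
    return findings

if __name__ == "__main__":
    for finding in audit(POLICY, "loggingtargetbucket"):
        print(finding)
```

On the sample above only the purge statement is reported; the bucket-level read actions in the first statement are not in the audited set.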