CloudFront supports two logging modes: v2 logging and legacy logging. Naturally, you’d expect to use the newer v2 logging—but if you’re provisioning CloudFront with CloudFormation, it’s easy to end up with the legacy setup by accident.
If you use the `Logging` property in your `AWS::CloudFront::Distribution`, CloudFormation will default to legacy logging, writing directly to S3. There’s currently no way to switch this to v2 via the `Logging` property in CloudFormation.
To enable v2 logging, you have to take a different approach:
- Remove the `Logging` block from your distribution config.
- Set up a log delivery pipeline using AWS Logs via a `DeliverySource`, `DeliveryDestination`, and `Delivery`.
Here’s a minimal YAML snippet that configures CloudFront v2 logging:
```yaml
CloudFrontAccessLogsBucket:
  Type: AWS::S3::Bucket
  Properties:
    # Your bucket configuration here
CloudFrontDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    # Your distribution configuration here (without a Logging block)
# Registers the distribution as a source of access logs
CloudFrontAccessLogsDeliverySource:
  Type: AWS::Logs::DeliverySource
  Properties:
    LogType: ACCESS_LOGS
    Name: cloudfront-log-delivery-source
    ResourceArn: !Sub
      - arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}
      - Distribution: !GetAtt CloudFrontDistribution.Id
# Registers the S3 bucket as the place the logs are written to
CloudFrontAccessLogsDeliveryDestination:
  Type: AWS::Logs::DeliveryDestination
  Properties:
    DestinationResourceArn: !GetAtt CloudFrontAccessLogsBucket.Arn
    Name: cloudfront-log-delivery-destination
    OutputFormat: json
# Connects the source to the destination
CloudFrontAccessLogsDelivery:
  Type: AWS::Logs::Delivery
  # DeliverySourceName below is a plain string, so the dependency is declared explicitly
  DependsOn: CloudFrontAccessLogsDeliverySource
  Properties:
    DeliveryDestinationArn: !GetAtt CloudFrontAccessLogsDeliveryDestination.Arn
    DeliverySourceName: cloudfront-log-delivery-source
```
Hopefully this saves you the detour I took. CloudFormation doesn’t make v2 logging obvious, but this setup works.
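To catch the accidental legacy setup before deployment, here is an added example (not part of the original post) that audits a CloudFormation template for each distribution's logging mode. It assumes the template has already been loaded as JSON-form data (a Python dict); the function names and the sample template are constructed for illustration, and it checks only the source and delivery wiring, not the destination.

```python
import re

def refs(node):
    """Collect logical IDs referenced by Ref, Fn::GetAtt or ${...} inside a template node."""
    found = set()
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Fn::GetAtt":
                found.add(val[0] if isinstance(val, list) else val.split(".")[0])
            else:
                found |= {val} if key == "Ref" and isinstance(val, str) else refs(val)
    elif isinstance(node, list):
        for item in node:
            found |= refs(item)
    elif isinstance(node, str):
        found |= set(re.findall(r"\$\{(\w+)", node))  # ${Name} inside Fn::Sub strings
    return found

def audit_logging(template):
    """Map each distribution's logical ID to {'legacy': bool, 'v2': bool}."""
    res = template.get("Resources", {})
    def of_type(t):
        return {k: v.get("Properties") or {} for k, v in res.items() if v.get("Type") == t}
    sources = of_type("AWS::Logs::DeliverySource")
    wired = set()  # sources named by a Delivery: literal Name, or a Ref (assumed to yield the name)
    for props in of_type("AWS::Logs::Delivery").values():
        name = props.get("DeliverySourceName")
        wired |= {sid for sid, s in sources.items()
                  if (isinstance(name, str) and s.get("Name") == name) or sid in refs(name)}
    report = {}
    for dist_id, props in of_type("AWS::CloudFront::Distribution").items():
        v2 = any(sid in wired and s.get("LogType") == "ACCESS_LOGS"
                 and dist_id in refs(s.get("ResourceArn")) for sid, s in sources.items())
        report[dist_id] = {"legacy": "Logging" in (props.get("DistributionConfig") or {}), "v2": v2}
    return report

# Constructed sample template: one legacy-only distribution, one wired for v2 logging.
SAMPLE = {"Resources": {
    "LegacyDist": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"Logging": {"Bucket": "example-logs.s3.amazonaws.com"}}}},
    "V2Dist": {"Type": "AWS::CloudFront::Distribution", "Properties": {"DistributionConfig": {}}},
    "Src": {"Type": "AWS::Logs::DeliverySource", "Properties": {
        "LogType": "ACCESS_LOGS", "Name": "cloudfront-log-delivery-source",
        "ResourceArn": {"Fn::Sub": [
            "arn:aws:cloudfront::${AWS::AccountId}:distribution/${Distribution}",
            {"Distribution": {"Fn::GetAtt": ["V2Dist", "Id"]}}]}}},
    "Dlv": {"Type": "AWS::Logs::Delivery", "Properties": {
        "DeliverySourceName": "cloudfront-log-delivery-source",
        "DeliveryDestinationArn": {"Fn::GetAtt": ["Dest", "Arn"]}}}}}
```

A distribution reported with `legacy` true and `v2` false is the accidental case described above; one with both false has no access logging at all.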