Overview

Analytics give deep insights into the traffic patterns of web applications, and help uncover opportunities to add protections using WAF, tune delivery performance using CloudFront, or improve application SEO by updating its code. Edge analytics are built from server-side logs generated by CloudFront and WAF. They can be built with different AWS services or third-party SIEM providers according to business requirements. Client-side analytics are collected in the browser using JavaScript tags, independently of the application infrastructure.

Native reporting and analytics

CloudFront provides you with native reporting in the AWS console, with reports covering cache statistics (e.g. status codes, result types), most popular objects, referrers, viewer reports (e.g. devices, browsers, locations) and usage reports (e.g. transferred bytes and number of requests). When used with AWS WAF, CloudFront also exposes a security dashboard in the AWS console.

AWS WAF provides you with native dashboards that leverage CloudWatch metrics such as total requests, blocked requests, allowed requests, bot vs. non-bot requests, bot categories, CAPTCHA solve rate, top 10 matched rules and more, on a per-Web ACL basis. These dashboards provide enhanced visibility and help answer questions such as “what percent of my WAF inspected traffic is getting blocked”, “what are the top originating countries for the traffic that’s getting blocked”, “what are common attacks that WAF detects and protects me from”, and “how do my traffic and traffic patterns from this week compare with last week’s”.

Client-side analytics

CloudWatch RUM provides you with analytics collected from your application on the client side, by integrating a JavaScript tag into your web pages. The JavaScript collects data from browser APIs, such as performance data (e.g. page load times and Google Core Web Vitals) and user navigation data, to give you insights into how users engage with your website. You can analyze your application performance by filtering on specific dimensions such as the browser type, user country, or a specific page id.

Common custom analytics solutions based on CloudFront and WAF logs

Logs generated by CloudFront and WAF are required to build a custom analytics solution (i.e. personalized dashboards).

CloudFront offers two options for request logging:

  • Standard logs, which are reliably shipped to S3 within minutes at no additional charge. They are configured at the distribution level and generate log records for all requests.
  • Real-time logs, which are delivered to Kinesis Data Streams within seconds at an additional charge of $0.01 for every 1 million log records. They are configured per cache behavior, support sampling, and provide more log fields. Real-time logs are commonly used for building CDN analytics.


AWS WAF offers three options for request logging:

OpenSearch based dashboard

If you prefer using OpenSearch, with Kibana as a user interface for dashboarding, consider this blog for steps to build a dashboard using CloudFront real-time logs, and this blog to deploy a security dashboard for AWS WAF. Note that with OpenSearch, you can implement advanced anomaly detection based on your analytics. Learn from this blog how to use OpenSearch's anomaly detection on WAF logs to identify abnormal behaviors, such as suspect traffic from unusual countries and unexpected write requests for a read-heavy application.
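The questions a WAF dashboard answers, and the two anomalies named above, can be computed directly from WAF log records. The following is an added example, not code from the referenced blogs: the records are constructed (only the field names follow the AWS WAF log JSON format), and the baseline country set and rule names are assumptions.

```python
import json
from collections import Counter

# Constructed sample records; only the field names follow the AWS WAF log format.
SAMPLE_LOGS = """\
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"US","httpMethod":"GET","uri":"/"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"DE","httpMethod":"GET","uri":"/products"}}
{"action":"BLOCK","terminatingRuleId":"rate-limit","httpRequest":{"country":"NZ","httpMethod":"POST","uri":"/login"}}
{"action":"BLOCK","terminatingRuleId":"rate-limit","httpRequest":{"country":"NZ","httpMethod":"POST","uri":"/login"}}
{"action":"BLOCK","terminatingRuleId":"block-sqli","httpRequest":{"country":"BR","httpMethod":"GET","uri":"/search"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"US","httpMethod":"PUT","uri":"/api/items"}}
{"action":"BLOCK","httpRequest":{"country":"NZ"
"""

BASELINE_COUNTRIES = {"US", "DE"}  # assumption: countries seen in normal traffic
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def summarize(lines, baseline=BASELINE_COUNTRIES):
    """Block rate, top blocked countries/rules, unusual countries, write requests."""
    total = 0
    blocked_country, blocked_rule, unusual = Counter(), Counter(), Counter()
    writes = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or malformed records
        if not isinstance(rec, dict):
            continue
        req = rec.get("httpRequest", {})
        country = req.get("country", "-")
        total += 1
        if rec.get("action") == "BLOCK":
            blocked_country[country] += 1
            blocked_rule[rec.get("terminatingRuleId", "-")] += 1
        if country not in baseline:
            unusual[country] += 1
        if req.get("httpMethod") in WRITE_METHODS:  # notable on a read-heavy app
            writes.append((country, req["httpMethod"], req.get("uri")))
    blocked = sum(blocked_country.values())
    return {
        "total": total,
        "blocked_pct": round(100 * blocked / total, 1) if total else 0.0,
        "top_blocked_countries": blocked_country.most_common(3),
        "top_rules": blocked_rule.most_common(3),
        "unusual_countries": dict(unusual),
        "write_requests": writes,
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOGS.splitlines()), indent=2))
```

In the sample, the allowed PUT from a baseline country is the record to review: it passed the Web ACL but is a write against an application assumed to be read-heavy.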

Timestream based dashboard

If you prefer using Timestream, with Grafana as a user interface for dashboarding, follow the guidance provided in this analytics solution for CloudFront.

CloudWatch based dashboard

If you prefer using the CloudWatch ecosystem for monitoring and analytics (e.g. CloudWatch Logs Insights and CloudWatch Contributor Insights), consider this solution to deploy a custom WAF dashboard in CloudWatch.

3rd party SIEM dashboards

Third-party SIEMs have integrations with AWS, and have built off-the-shelf dashboards for CloudFront and WAF. Examples include Datadog (WAF), Sumo Logic (WAF, CloudFront), and New Relic (WAF, CloudFront).
