Analytics give deep insights about the traffic patterns of web applications, and help uncover opportunities to add protections using WAF, tune delivery performance using CloudFront or improve application SEO by updating its code. Edge analytics are built using server-side logs generated by CloudFront and WAF. They can be built with different AWS services or 3rd party SIEM providers according to business requirements. Client-side analytics are collected on the client side using javascript tags, independently of the application infrastructure.

Native reporting and analytics

CloudFront provides you with native reporting in the AWS console, with reports covering cache statistics (e.g. status codes, result types), most popular objects, referrers, viewer reports (e.g. devices, browsers, locations) and usage reports (e.g. transferred bytes and number of requests). When used with AWS WAF, CloudFront also exposes in the AWS console a security dashboard.

AWS WAF provides you with native dashboards that leverage CloudWatch metrics such as total requests, blocked requests, allowed requests, bots vs non bot requests, bot categories, CAPTCHA solve rate, top 10 matched rules and more, on a per-Web ACL basis. These dashboards provide enhanced visibility and help with answering questions, such as “what percent of my WAF inspected traffic is getting blocked”, “what are the top originating countries for the traffic that’s getting blocked”, “what are common attacks that WAF detects and protects me from”, “how do my traffic and traffic patterns from this week compare with last week’s”.

Client-side analytics

CloudWatch RUM provides you with analytics from your application collected on the client side, by integrating a javascript tag to your web pages. The javascript collects data from browser APIs, such as performance data (e.g. page load times and Google Core Web Vitals), and user navigation data to give you insights about the engagement of users with your website. You can analyze your application performance by filtering on specific dimensions such as the browser type, user country, or a specific page id.

Common custom analytics solutions based on CloudFront and WAF logs

Logs generated by CloudFront and WAF are required to build a custom analytics solution (i.e. personalized dashboards).

CloudFront offers two options for request logging:

  • Standard logs, which are reliably shipped to S3 within minutes at no additional charge. It's configured at distribution level, generating log records for all requests.
  • Real Time logs, which are delivered to Kinesis Data Stream within seconds with an additional charge of $0.01 for every 1 Million log records. It's configured at cache behaviors with possibility for sampling, and it provides more log fields. Real time logs are commonly used for building CDN analytics.

AWS WAF offers three options for request logging:

OpenSearch based dashboard

If you prefer using OpenSearch, with Kibana as a user interface for dashboarding, consider this Blog for steps to build a dashboard using CloudFront real time logs, and this blog to deploy a security dashboard for AWS WAF. Note that with OpenSearch, you can implement advanced anomaly detection based on your analytics. Learn from this blog how to use OpenSearch's anomaly detection based on WAF logs to identify abnormal behaviors, such as suspect traffic from unusual counties, and unexpected write requests for a read-heavy application.

TimeStream based dashboard

If you prefer using TimeStream, with Graphana as a user interface for dashboarding, follow the guidance provided in this analytics solution for CloudFront.

CloudWatch based dashboard

If you prefer using the CloudWatch ecosystem for monitoring and analytics (e.g. CloudWatch Logs Insights and CloudWatch Contributor Insights), consider this solution to delpoy a custom WAF dashboard in CloudWatch.

3rd party SIEM dashboards

3rd party SIEMs have integrations with AWS, and have built off the shelve dashboards for CloudFront and WAF. Examples include DataDog (WAF) , Sumologic ( WAFCloudFront), and NewRelic (WAF, CloudFront).


Was this page helpful?