Native reporting and analytics
CloudFront provides native reporting in the AWS console, with reports covering cache statistics (e.g. status codes, result types), most popular objects, referrers, viewers (e.g. devices, browsers, locations) and usage (e.g. transferred bytes and number of requests). When used with AWS WAF, CloudFront also exposes a security dashboard in the AWS console.
AWS WAF provides native dashboards, on a per-Web ACL basis, that leverage CloudWatch metrics such as total requests, blocked requests, allowed requests, bot vs. non-bot requests, bot categories, CAPTCHA solve rate, top 10 matched rules and more. These dashboards provide enhanced visibility and help answer questions such as “what percent of my WAF inspected traffic is getting blocked”, “what are the top originating countries for the traffic that’s getting blocked”, “what are common attacks that WAF detects and protects me from”, and “how do my traffic and traffic patterns from this week compare with last week’s”.
Common custom analytics solutions based on CloudFront and WAF logs
Logs generated by CloudFront and WAF are required to build a custom analytics solution (i.e. personalized dashboards).
CloudFront offers two options for request logging:
- Standard logs, which are reliably shipped to S3 within minutes at no additional charge. They are configured at the distribution level and generate log records for all requests.
- Real-time logs, which are delivered to Kinesis Data Streams within seconds at an additional charge of $0.01 per 1 million log records. They are configured per cache behavior, support sampling, and provide more log fields. Real-time logs are commonly used for building CDN analytics.
AWS WAF offers three options for request logging:
OpenSearch based dashboard
If you prefer using OpenSearch, with Kibana as a user interface for dashboarding, consider this blog for steps to build a dashboard using CloudFront real-time logs, and this blog to deploy a security dashboard for AWS WAF. Note that with OpenSearch, you can implement advanced anomaly detection based on your analytics. Learn from this blog how to use OpenSearch's anomaly detection based on WAF logs to identify abnormal behaviors, such as suspect traffic from unusual countries and unexpected write requests for a read-heavy application.
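The questions quoted earlier (percentage of inspected traffic blocked, top originating countries of blocked traffic) and the write-request share mentioned above can all be derived from WAF log records before any dashboard exists. The following Python sketch is an added example, not AWS code: it aggregates JSON WAF log lines using the real log field names `action`, `terminatingRuleId`, `httpRequest.country` and `httpRequest.httpMethod`, while the function name, the `example-*` rule names and the sample records are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample, one JSON record per line with AWS WAF log field names; last line is truncated on purpose.
SAMPLE_WAF_LOG = """\
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"US","httpMethod":"GET"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"US","httpMethod":"GET"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"DE","httpMethod":"GET"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"US","httpMethod":"POST"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"country":"FR","httpMethod":"GET"}}
{"action":"BLOCK","terminatingRuleId":"example-rate-limit","httpRequest":{"country":"BR","httpMethod":"GET"}}
{"action":"BLOCK","terminatingRuleId":"example-rate-limit","httpRequest":{"country":"BR","httpMethod":"POST"}}
{"action":"BLOCK","terminatingRuleId":"example-sqli-rule","httpRequest":{"country":"IN","httpMethod":"GET"}}
{"action":"BLO
"""

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def summarize_waf_log(lines, top_n=3):
    """Aggregate WAF log lines into block rate, top blocked countries/rules, write share."""
    total = blocked = writes = skipped = 0
    blocked_countries, blocking_rules = Counter(), Counter()
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            action, req = rec["action"], rec["httpRequest"]
            method = str(req.get("httpMethod", "")).upper()
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count, don't silently drop: gaps skew the percentages
            continue
        total += 1
        writes += method in WRITE_METHODS
        if action == "BLOCK":
            blocked += 1
            blocked_countries[req.get("country", "-")] += 1
            blocking_rules[rec.get("terminatingRuleId", "-")] += 1
    pct = (lambda n: round(100.0 * n / total, 1)) if total else (lambda n: 0.0)
    return {
        "total": total,
        "skipped": skipped,
        "blocked_pct": pct(blocked),
        "write_pct": pct(writes),
        "top_blocked_countries": blocked_countries.most_common(top_n),
        "top_blocking_rules": blocking_rules.most_common(top_n),
    }

if __name__ == "__main__":
    print(json.dumps(summarize_waf_log(SAMPLE_WAF_LOG.splitlines()), indent=2))
```

Comparing `write_pct` and the country counts between two time windows gives a crude version of the week-over-week and unusual-traffic checks; a non-zero `skipped` count signals incomplete log delivery that would distort those comparisons.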
Timestream based dashboard
If you prefer using Timestream, with Grafana as a user interface for dashboarding, follow the guidance provided in this analytics solution for CloudFront.
CloudWatch based dashboard
If you prefer using the CloudWatch ecosystem for monitoring and analytics (e.g. CloudWatch Logs Insights and CloudWatch Contributor Insights), consider this solution to deploy a custom WAF dashboard in CloudWatch.
3rd party SIEM dashboards
3rd party SIEMs integrate with AWS and offer off-the-shelf dashboards for CloudFront and WAF. Examples include Datadog (WAF), Sumo Logic (WAF, CloudFront), and New Relic (WAF, CloudFront).