9.1 Objective

Add visibility into site traffic and errors, taking advantage of CloudFront now being in front of the site (a bare S3 website endpoint has no built-in logging). Two complementary layers were set up: raw access logs for detailed after-the-fact review, and real-time metrics/alerting for immediate awareness of problems.

9.2 Standard Logging (CloudFront → S3)

Note: this required navigating to the distribution’s Logging tab, under Access log destinations - not General → Edit as in older documentation, reflecting a recent CloudFront console update.

Note: A separate ‘Attached real-time access logs’ feature also exists on this tab (Kinesis-based, near-instant delivery) but was intentionally left disabled - it requires its own Kinesis stream and additional cost, and isn’t necessary for a project at this scale.

9.3 CloudWatch Metrics (automatic, no setup required)

Confirmed CloudFront automatically reports six metrics per distribution to CloudWatch with zero configuration: Requests, 4xxErrorRate, 5xxErrorRate, TotalErrorRate, BytesDownloaded, BytesUploaded.

9.4 CloudWatch Alarm

This ties directly into the Day 15-17 rollback strategy - a bad deploy that causes server errors now triggers an email alert rather than going unnoticed.

9.5 Screenshots

Add access $true$ destination $true$

Get logs of viewer requests to CloudWatch, Amazon S3 or Firehose. Additional charges may apply. See Info for more details.