AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-11-25 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/logging.md

Summary

Updated logging documentation with terminology changes (standard->access logs), restructured content, and added new 'Connection logs' section for mTLS-enabled distributions

Security assessment

The addition of 'Connection logs' specifically documents logging for mTLS authentication, including client certificate information and authentication failure reasons. This provides security observability for mutual TLS implementations, which is a security feature. The note about requiring mTLS enablement and use cases like security audits demonstrate security relevance.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/logging.md b/AmazonCloudFront/latest/DeveloperGuide/logging.md
index b6ed604e9..c1df70e19 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/logging.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/logging.md
@@ -15 +15 @@ CloudFront provides the following ways to log the requests that come to your dis
-**Standard logs (access logs)**
+**Access logs (standard logs)**
@@ -18 +18 @@ CloudFront provides the following ways to log the requests that come to your dis
-CloudFront standard logs provide detailed records about every request that's made to a distribution. You can use the logs for scenarios, such as security and access audits.
+CloudFront access logs provide detailed records about every request that's made to a distribution. You can use the logs for scenarios, such as security and access audits. 
@@ -20 +20 @@ CloudFront standard logs provide detailed records about every request that's mad
-CloudFront standard logs are delivered to the delivery destination that you specify. 
+CloudFront access logs are delivered to the delivery destination that you specify. 
@@ -22 +22 @@ CloudFront standard logs are delivered to the delivery destination that you spec
-For more information, see [Standard logging (access logs)](./AccessLogs.html).
+Use access logs when you need:
@@ -24 +24 @@ For more information, see [Standard logging (access logs)](./AccessLogs.html).
-**Real-time logs**
+  * Historical analysis and reporting
@@ -25,0 +26 @@ For more information, see [Standard logging (access logs)](./AccessLogs.html).
+  * Security audits and compliance requirements
@@ -27 +28 @@ For more information, see [Standard logging (access logs)](./AccessLogs.html).
-CloudFront real-time logs provide information about requests made to a distribution, in real time (log records are delivered within seconds of receiving the requests). You can choose the _sampling rate_ for your real-time logs—that is, the percentage of requests for which you want to receive real-time log records. You can also choose the specific fields that you want to receive in the log records.
+  * Cost-effective long-term log retention
@@ -29 +29,0 @@ CloudFront real-time logs provide information about requests made to a distribut
-CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. CloudFront charges for real-time logs, in addition to the charges you incur for using Kinesis Data Streams.
@@ -31 +31,43 @@ CloudFront real-time logs are delivered to the data stream of your choice in Ama
-For more information, see [Use real-time logs](./real-time-logs.html).
+
+
+For more information, see [Access logs (standard logs)](./AccessLogs.html).
+
+**Real-time access logs**
+    
+
+CloudFront real-time access logs are delivered within seconds of receiving the requests and provide information about requests made to a distribution in real time. You can choose the _sampling rate_ for your real-time access logs—that is, the percentage of requests for which you want to receive real-time access log records. You can also choose the specific fields that you want to receive in the log records. Real-time access logs are ideal for live monitoring for content delivery performance.
+
+CloudFront real-time access logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. CloudFront charges for real-time access logs, in addition to the charges you incur for using Kinesis Data Streams.
+
+Use real-time access logs when you need:
+
+  * Real-time monitoring and alerts
+
+  * Live dashboards and operational insights
+
+
+
+
+For more information, see [Use real-time access logs](./real-time-logs.html).
+
+**Connection logs**
+    
+
+Connection logs provide detailed information about the connection between the server and the client for mTLS enabled distributions. Connection logs provide visibility into client certificate information, reasons for mTLS authentication failures and whether a connection was permitted or refused.
+
+Like access logs (standard logs), connection logs are delivered to the delivery destination that you specify. 
+
+###### Note
+
+To enable connection logs, you must first [enable mTLS ](./mtls-authentication.html) for your distribution. 
+
+Use connection logs when you need:
+
+  * Reasons for successful or unsuccessful connections during the TLS handshake 
+
+  * Visibility into the client certificate information
+
+
+
+
+For more information, see [Observability using connection logs](./connection-logs.html).
@@ -47 +89 @@ For more information about logging, see the following topics:
-  * [Standard logging (access logs)](./AccessLogs.html)
+  * [Access logs (standard logs)](./AccessLogs.html)
@@ -49 +91 @@ For more information about logging, see the following topics:
-  * [Use real-time logs](./real-time-logs.html)
+  * [Use real-time access logs](./real-time-logs.html)
@@ -66 +108 @@ CloudFront metrics
-Standard logging (access logs)
+Access logs (standard logs)