Use real-time logs
With CloudFront real-time logs, you can get information about requests made to a distribution in real time (logs are delivered within seconds of receiving the requests). You can use real-time logs to monitor, analyze, and take action based on content delivery performance.
CloudFront real-time logs are configurable. You can choose:
- The sampling rate for your real-time logs, that is, the percentage of requests for which you want to receive real-time log records.
- The specific fields that you want to receive in the log records.
- The specific cache behaviors (path patterns) that you want to receive real-time logs for.
CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. You can
build your own Kinesis data stream
consumer, or use Amazon Data Firehose to send the log data to Amazon Simple Storage Service (Amazon S3), Amazon Redshift,
Amazon OpenSearch Service (OpenSearch Service), or a third-party log processing service.
CloudFront charges for real-time logs, in addition to the charges you incur for using Kinesis Data Streams. For more information about pricing, see Amazon CloudFront Pricing.
We recommend that you use the logs to understand the nature of the requests for your
content, not as a complete accounting of all requests. CloudFront delivers real-time logs on a
best-effort basis. The log entry for a particular request might be delivered long after
the request was actually processed and, in rare cases, a log entry might not be
delivered at all. When a log entry is omitted from real-time logs, the number of entries
in the real-time logs won’t match the usage that appears in the AWS billing and usage reports.
Create and use real-time log configurations
To get information about requests made to a distribution in real time, you can use a real-time log configuration. Logs are delivered within seconds of receiving the requests. You can create a real-time log configuration in the CloudFront console, with the AWS Command Line Interface (AWS CLI), or with the CloudFront API.
To use a real-time log configuration, you attach it to one or more cache behaviors in a CloudFront distribution.
- Console
  To create a real-time log configuration
  - Sign in to the AWS Management Console and open the Logs page in the CloudFront console at https://console.aws.amazon.com/cloudfront/v4/home?#/logs.
  - Choose the Real-time configurations tab.
  - Choose Create configuration.
  - For Name, enter a name for the configuration.
  - For Sampling rate, enter the percentage of requests for which you want to receive log records.
  - For Fields, choose the fields to receive in the real-time logs.
  - For Endpoint, choose one or more Kinesis data streams to receive real-time logs. CloudFront real-time logs are delivered to the data stream that you specify in Kinesis Data Streams. To read and analyze your real-time logs, you can build your own Kinesis data stream consumer. You can also use Firehose to send the log data to Amazon S3, Amazon Redshift, Amazon OpenSearch Service, or a third-party log processing service.
  - For IAM role, choose Create new service role or choose an existing role. You must have permission to create IAM roles.
  - (Optional) For Distribution, choose a CloudFront distribution and cache behavior to attach to the real-time log configuration.
  - Choose Create configuration.
  If successful, the console shows the details of the real-time log configuration that you just created. For more information, see Understand real-time log configurations.
- AWS CLI
  To create a real-time log configuration with the AWS CLI, use the aws cloudfront create-realtime-log-config command. You can use an input file to provide the command’s input parameters, rather than specifying each individual parameter as command line input.
  To create a real-time log configuration (CLI with input file)
  - Use the following command to create a file named rtl-config.yaml that contains all of the input parameters for the create-realtime-log-config command.
    aws cloudfront create-realtime-log-config --generate-cli-skeleton yaml-input > rtl-config.yaml
  - Open the file named rtl-config.yaml that you just created. Edit the file to specify the real-time log configuration settings that you want, then save the file. For more information about the real-time log configuration settings, see Understand real-time log configurations.
  - Use the following command to create the real-time log configuration using the input parameters from the rtl-config.yaml file.
    aws cloudfront create-realtime-log-config --cli-input-yaml file://rtl-config.yaml
  If successful, the command’s output shows the details of the real-time log configuration that you just created.
  To attach a real-time log configuration to an existing distribution (CLI with input file)
  - Use the following command to save the distribution configuration for the CloudFront distribution that you want to update. Replace distribution_ID with the distribution’s ID.
    aws cloudfront get-distribution-config --id distribution_ID --output yaml > dist-config.yaml
  - Open the file named dist-config.yaml that you just created. Edit the file, making the following changes to each cache behavior that you are updating to use a real-time log configuration.
    - In the cache behavior, add a field named RealtimeLogConfigArn. For the field’s value, use the ARN of the real-time log configuration that you want to attach to this cache behavior.
    - Rename the ETag field to IfMatch, but don’t change the field’s value.
    Save the file when finished.
  - Use the following command to update the distribution to use the real-time log configuration. Replace distribution_ID with the distribution’s ID.
    aws cloudfront update-distribution --id distribution_ID --cli-input-yaml file://dist-config.yaml
  If successful, the command’s output shows the details of the distribution that you just updated.
- API
  To create a real-time log configuration with the CloudFront API, use the CreateRealtimeLogConfig API operation. For more information about the parameters that you specify in this API call, see Understand real-time log configurations and the API reference documentation for your AWS SDK or other API client.
  After you create a real-time log configuration, you can attach it to a cache behavior by using one of the following API operations:
  - CreateDistribution
  - UpdateDistribution
  For both of these API operations, provide the ARN of the real-time log configuration in the RealtimeLogConfigArn field, inside a cache behavior. For more information about the other fields that you specify in these API calls, see the distribution settings reference and the API reference documentation for your AWS SDK or other API client.
Understand real-time log configurations
To use CloudFront real-time logs, you start by creating a real-time log configuration. The real-time log configuration contains information about which log fields you want to receive, the sampling rate for log records, and the Kinesis data stream where you want to deliver the logs.
Specifically, a real-time log configuration contains the following settings:
Name
A name to identify the real-time log configuration.
Sampling rate
The sampling rate is a whole number between 1 and 100 (inclusive) that determines the percentage of viewer requests that are sent to Kinesis Data Streams as real-time log records. To include every viewer request in your real-time logs, specify 100 for the sampling rate. You might choose a lower sampling rate to reduce costs while still receiving a representative sample of request data in your real-time logs.
Fields
A list of the fields that are included in each real-time log record. Each log record can contain up to 40 fields, and you can choose to receive all of the available fields, or only the fields that you need for monitoring and analyzing performance.
The following list contains each field name and a description of the information in that field. The fields are listed in the order in which they appear in the log records that are delivered to Kinesis Data Streams.
Fields 46-63 are common media client data (CMCD) that media player clients can send to CDNs with each request. You can use this data to understand each request, such as the media type (audio, video), playback rate, and streaming length. These fields will only appear in your real-time logs if they’re sent to CloudFront.
- timestamp
  The date and time at which the edge server finished responding to the request.
- c-ip
  The IP address of the viewer that made the request, for example, 192.0.2.183 or 2001:0db8:85a3::8a2e:0370:7334. If the viewer used an HTTP proxy or a load balancer to send the request, the value of this field is the IP address of the proxy or load balancer. See also the x-forwarded-for field.
- s-ip
  The IP address of the CloudFront server that served the request, for example, 192.0.2.183 or 2001:0db8:85a3::8a2e:0370:7334.
- time-to-first-byte
  The number of seconds between receiving the request and writing the first byte of the response, as measured on the server.
- sc-status
  The HTTP status code of the server’s response (for example, 200).
- sc-bytes
  The total number of bytes that the server sent to the viewer in response to the request, including headers. For WebSocket and gRPC connections, this is the total number of bytes sent from the server to the client through the connection.
- cs-method
  The HTTP request method received from the viewer.
- cs-protocol
  The protocol of the viewer request (http, https, grpcs, ws, or wss).
- cs-host
  The value that the viewer included in the Host header of the request. If you’re using the CloudFront domain name in your object URLs (such as d111111abcdef8.cloudfront.net), this field contains that domain name. If you’re using alternate domain names (CNAMEs) in your object URLs (such as www.example.com), this field contains the alternate domain name.
- cs-uri-stem
  The entire request URL, including the query string (if one exists), but without the domain name. For example, /images/cat.jpg?mobile=true. In standard logs, the cs-uri-stem value doesn’t include the query string.
- cs-bytes
  The total number of bytes of data that the viewer included in the request, including headers. For WebSocket and gRPC connections, this is the total number of bytes sent from the client to the server on the connection.
- x-edge-location
  The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location’s geographic location. (These abbreviations might change in the future.)
- x-edge-request-id
  An opaque string that uniquely identifies a request. CloudFront also sends this string in the x-amz-cf-id response header.
- x-host-header
  The domain name of the CloudFront distribution (for example, d111111abcdef8.cloudfront.net).
- time-taken
  The number of seconds (to the thousandth of a second, for example, 0.082) from when the server receives the viewer’s request to when the server writes the last byte of the response to the output queue, as measured on the server. From the perspective of the viewer, the total time to get the full response will be longer than this value because of network latency and TCP buffering.
- cs-protocol-version
  The HTTP version that the viewer specified in the request. Possible values include HTTP/0.9, HTTP/1.0, HTTP/1.1, HTTP/2.0, and HTTP/3.0.
- c-ip-version
  The IP version of the request (IPv4 or IPv6).
- cs-user-agent
  The value of the User-Agent header in the request. The User-Agent header identifies the source of the request, such as the type of device and browser that submitted the request or, if the request came from a search engine, which search engine.
- cs-referer
  The value of the Referer header in the request. This is the name of the domain that originated the request. Common referrers include search engines, other websites that link directly to your objects, and your own website.
- cs-cookie
  The Cookie header in the request, including name-value pairs and the associated attributes. This field is truncated to 800 bytes.
- cs-uri-query
  The query string portion of the request URL, if any.
- x-edge-response-result-type
  How the server classified the response just before returning the response to the viewer. See also the x-edge-result-type field. Possible values include:
  - Hit: The server served the object to the viewer from the cache.
  - RefreshHit: The server found the object in the cache but the object had expired, so the server contacted the origin to verify that the cache had the latest version of the object.
  - Miss: The request could not be satisfied by an object in the cache, so the server forwarded the request to the origin server and returned the result to the viewer.
  - LimitExceeded: The request was denied because a CloudFront quota (formerly referred to as a limit) was exceeded.
  - CapacityExceeded: The server returned a 503 error because it didn’t have enough capacity at the time of the request to serve the object.
  - Error: Typically, this means the request resulted in a client error (the value of the sc-status field is in the 4xx range) or a server error (the value of the sc-status field is in the 5xx range). If the value of the x-edge-result-type field is Error and the value of this field is not Error, the client disconnected before finishing the download.
  - Redirect: The server redirected the viewer from HTTP to HTTPS according to the distribution settings.
- x-forwarded-for
  If the viewer used an HTTP proxy or a load balancer to send the request, the value of the c-ip field is the IP address of the proxy or load balancer. In that case, this field is the IP address of the viewer that originated the request. This field can contain multiple comma-separated IP addresses. Each IP address can be an IPv4 address (for example, 192.0.2.183) or an IPv6 address (for example, 2001:0db8:85a3::8a2e:0370:7334).
- ssl-protocol
  When the request used HTTPS, this field contains the SSL/TLS protocol that the viewer and server negotiated for transmitting the request and response. For a list of possible values, see the supported SSL/TLS protocols in Supported protocols and ciphers between viewers and CloudFront.
- ssl-cipher
  When the request used HTTPS, this field contains the SSL/TLS cipher that the viewer and server negotiated for encrypting the request and response. For a list of possible values, see the supported SSL/TLS ciphers in Supported protocols and ciphers between viewers and CloudFront.
- x-edge-result-type
  How the server classified the response after the last byte left the server. In some cases, the result type can change between the time that the server is ready to send the response and the time that it finishes sending the response. See also the x-edge-response-result-type field.
  For example, in HTTP streaming, suppose the server finds a segment of the stream in the cache. In that scenario, the value of this field would ordinarily be Hit. However, if the viewer closes the connection before the server has delivered the entire segment, the final result type (and the value of this field) is Error.
  WebSocket and gRPC connections will have a value of Miss for this field because the content is not cacheable and is proxied directly to the origin.
  Possible values include:
  - Hit: The server served the object to the viewer from the cache.
  - RefreshHit: The server found the object in the cache but the object had expired, so the server contacted the origin to verify that the cache had the latest version of the object.
  - Miss: The request could not be satisfied by an object in the cache, so the server forwarded the request to the origin and returned the result to the viewer.
  - LimitExceeded: The request was denied because a CloudFront quota (formerly referred to as a limit) was exceeded.
  - CapacityExceeded: The server returned an HTTP 503 status code because it didn’t have enough capacity at the time of the request to serve the object.
  - Error: Typically, this means the request resulted in a client error (the value of the sc-status field is in the 4xx range) or a server error (the value of the sc-status field is in the 5xx range). If the value of the sc-status field is 200, or if the value of this field is Error and the value of the x-edge-response-result-type field is not Error, it means the HTTP request was successful but the client disconnected before receiving all of the bytes.
  - Redirect: The server redirected the viewer from HTTP to HTTPS according to the distribution settings.
- fle-encrypted-fields
  The number of field-level encryption fields that the server encrypted and forwarded to the origin. CloudFront servers stream the processed request to the origin as they encrypt data, so this field can have a value even if the value of fle-status is an error.
- fle-status
  When field-level encryption is configured for a distribution, this field contains a code that indicates whether the request body was successfully processed. When the server successfully processes the request body, encrypts values in the specified fields, and forwards the request to the origin, the value of this field is Processed. The value of x-edge-result-type can still indicate a client-side or server-side error in this case.
  Possible values for this field include:
  - ForwardedByContentType: The server forwarded the request to the origin without parsing or encryption because no content type was configured.
  - ForwardedByQueryArgs: The server forwarded the request to the origin without parsing or encryption because the request contains a query argument that wasn’t in the configuration for field-level encryption.
  - ForwardedDueToNoProfile: The server forwarded the request to the origin without parsing or encryption because no profile was specified in the configuration for field-level encryption.
  - MalformedContentTypeClientError: The server rejected the request and returned an HTTP 400 status code to the viewer because the value of the Content-Type header was in an invalid format.
  - MalformedInputClientError: The server rejected the request and returned an HTTP 400 status code to the viewer because the request body was in an invalid format.
  - MalformedQueryArgsClientError: The server rejected the request and returned an HTTP 400 status code to the viewer because a query argument was empty or in an invalid format.
  - RejectedByContentType: The server rejected the request and returned an HTTP 400 status code to the viewer because no content type was specified in the configuration for field-level encryption.
  - RejectedByQueryArgs: The server rejected the request and returned an HTTP 400 status code to the viewer because no query argument was specified in the configuration for field-level encryption.
  - ServerError: The origin server returned an error.
  If the request exceeds a field-level encryption quota (formerly referred to as a limit), this field contains one of the following error codes, and the server returns HTTP status code 400 to the viewer. For a list of the current quotas on field-level encryption, see Quotas on field-level encryption.
  - FieldLengthLimitClientError: A field that is configured to be encrypted exceeded the maximum length allowed.
  - FieldNumberLimitClientError: A request that the distribution is configured to encrypt contains more than the number of fields allowed.
  - RequestLengthLimitClientError: The length of the request body exceeded the maximum length allowed when field-level encryption is configured.
- sc-content-type
  The value of the HTTP Content-Type header of the response.
- sc-content-len
  The value of the HTTP Content-Length header of the response.
- sc-range-start
  When the response contains the HTTP Content-Range header, this field contains the range start value.
- sc-range-end
  When the response contains the HTTP Content-Range header, this field contains the range end value.
- c-port
  The port number of the request from the viewer.
- x-edge-detailed-result-type
  This field contains the same value as the x-edge-result-type field, except in the following cases:
  - When the object was served to the viewer from the Origin Shield layer, this field contains OriginShieldHit.
  - When the object was not in the CloudFront cache and the response was generated by an origin request Lambda@Edge function, this field contains MissGeneratedResponse.
  - When the value of the x-edge-result-type field is Error, this field contains one of the following values with more information about the error:
    - AbortedOrigin: The server encountered an issue with the origin.
    - ClientCommError: The response to the viewer was interrupted due to a communication problem between the server and the viewer.
    - ClientGeoBlocked: The distribution is configured to refuse requests from the viewer’s geographic location.
    - ClientHungUpRequest: The viewer stopped prematurely while sending the request.
    - Error: An error occurred for which the error type doesn’t fit any of the other categories. This error type can occur when the server serves an error response from the cache.
    - InvalidRequest: The server received an invalid request from the viewer.
    - InvalidRequestBlocked: Access to the requested resource is blocked.
    - InvalidRequestCertificate: The distribution doesn’t match the SSL/TLS certificate for which the HTTPS connection was established.
    - InvalidRequestHeader: The request contained an invalid header.
    - InvalidRequestMethod: The distribution is not configured to handle the HTTP request method that was used. This can happen when the distribution supports only cacheable requests.
    - OriginCommError: The request timed out while connecting to the origin, or reading data from the origin.
    - OriginConnectError: The server couldn’t connect to the origin.
    - OriginContentRangeLengthError: The Content-Length header in the origin’s response doesn’t match the length in the Content-Range header.
    - OriginDnsError: The server couldn’t resolve the origin’s domain name.
    - OriginError: The origin returned an incorrect response.
    - OriginHeaderTooBigError: A header returned by the origin is too big for the edge server to process.
    - OriginInvalidResponseError: The origin returned an invalid response.
    - OriginReadError: The server couldn’t read from the origin.
    - OriginWriteError: The server couldn’t write to the origin.
    - OriginZeroSizeObjectError: A zero-size object sent from the origin resulted in an error.
    - SlowReaderOriginError: The viewer was slow to read the message that caused the origin error.
- c-country
  A country code that represents the viewer’s geographic location, as determined by the viewer’s IP address. For a list of country codes, see ISO 3166-1 alpha-2.
- cs-accept-encoding
  The value of the Accept-Encoding header in the viewer request.
- cs-accept
  The value of the Accept header in the viewer request.
- cache-behavior-path-pattern
  The path pattern that identifies the cache behavior that matched the viewer request.
- cs-headers
  The HTTP headers (names and values) in the viewer request. This field is truncated to 800 bytes.
- cs-header-names
  The names of the HTTP headers (not values) in the viewer request. This field is truncated to 800 bytes.
- cs-headers-count
  The number of HTTP headers in the viewer request.
- origin-fbl
  The number of seconds of first-byte latency between CloudFront and your origin.
- origin-lbl
  The number of seconds of last-byte latency between CloudFront and your origin.
- asn
  The autonomous system number (ASN) of the viewer.
- primary-distribution-id
  When continuous deployment is enabled, this ID identifies which distribution is the primary in the current distribution.
- primary-distribution-dns-name
  When continuous deployment is enabled, this value shows the primary domain name that is related to the current CloudFront distribution (for example, d111111abcdef8.cloudfront.net).
CMCD fields in real-time logs
- cmcd-encoded-bitrate
  The encoded bitrate of the requested audio or video object.
- cmcd-buffer-length
  The buffer length of the requested media object.
- cmcd-buffer-starvation
  Whether the buffer was starved at some point between the prior request and the object request. This can cause the player to be in a rebuffering state, which can stall the video or audio playback.
- cmcd-content-id
  A unique string that identifies the current content.
- cmcd-object-duration
  The playback duration of the requested object (in milliseconds).
- cmcd-deadline
  The deadline from the request time that the first sample of this object must be available, so that a buffer underrun state or other playback problems are avoided.
- cmcd-measured-throughput
  The throughput between the client and server, as measured by the client.
- cmcd-next-object-request
  The relative path of the next requested object.
- cmcd-next-range-request
  If the next request is a partial object request, this string denotes the byte range to be requested.
- cmcd-object-type
  The media type of the current object being requested.
- cmcd-playback-rate
  1 if real-time, 2 if double-speed, 0 if not playing.
- cmcd-requested-maximum-throughput
  The requested maximum throughput that the client considers sufficient for asset delivery.
- cmcd-stream-format
  The stream format that defines the current request.
- cmcd-session-id
  A GUID identifying the current playback session.
- cmcd-stream-type
  Token identifying segment availability. v = all segments are available. l = segments become available over time.
- cmcd-startup
  Key is included without a value if the object is needed urgently during startup, seeking, or recovery after a buffer-empty event.
- cmcd-top-bitrate
  The highest bitrate rendition that the client can play.
- cmcd-version
  The version of this specification used for interpreting the defined key names and values. If this key is omitted, the client and server must interpret the values as being defined by version 1.
- r-host
  This field is sent for origin requests and indicates the domain of the origin server used to serve the object. In case of errors, you can use this field to find the last origin attempted, for example: .cd8jhdejh6a.mediapackagev2.us-east-1.amazonaws.com
- sr-reason
  This field provides a reason why the origin was selected. It’s empty when a request to the primary origin succeeds. If origin failover occurs, the field will contain the HTTP error code that led to the failover, such as Failover:403 or Failover:502. In case of origin failover, if the retried request also fails and you have not configured custom error pages, then r-status indicates the response of the second origin. However, if you have configured custom error pages along with origin failover, then this will contain the response of the second origin if the request failed and a custom error page was returned instead. If no origin failover occurs but media quality-aware resiliency (MQAR) origin selection occurs, then this will be logged as MediaQuality. For more information, see Media quality-aware resiliency.
- x-edge-mqcs
  This field indicates the Media Quality Confidence Score (MQCS) (range: 0 to 100) for media segments that CloudFront retrieved in the CMSD response headers from MediaPackage v2. This field is available for requests matching a cache behavior that has an MQAR-enabled origin group. CloudFront logs this field for media segments that are also served from its cache in addition to origin requests. For more information, see Media quality-aware resiliency.
Endpoint (Kinesis Data Streams)
The endpoint contains information about the Kinesis data stream where you want to send real-time logs. You provide the Amazon Resource Name (ARN) of the data stream.
For more information about creating a Kinesis data stream, see the following topics in the Amazon Kinesis Data Streams Developer Guide.
When you create a data stream, you need to specify the number of shards. Use the following information to help you estimate the number of shards you need.
To estimate the number of shards for your Kinesis data stream
- Calculate (or estimate) the number of requests per second that your CloudFront distribution receives. You can use the CloudFront usage reports (in the CloudFront console) and the CloudFront metrics (in the CloudFront and Amazon CloudWatch consoles) to help you calculate your requests per second.
- Determine the typical size of a single real-time log record. In general, a single log record is around 500 bytes. A large record that includes all available fields is generally around 1 KB. If you’re not sure what your log record size is, you can enable real-time logs with a low sampling rate (for example, 1%), and then calculate the average record size using monitoring data in Kinesis Data Streams (total incoming bytes divided by total number of records).
- On the Amazon Kinesis Data Streams pricing page, under AWS Pricing Calculator, choose Create your custom estimate now.
- In the calculator, enter the number of requests (records) per second.
- Enter the average record size of a single log record.
- Choose Show calculations.
The pricing calculator shows you the number of shards you need and the estimated cost.
IAM role
The AWS Identity and Access Management (IAM) role that gives CloudFront permission to deliver real-time logs to your Kinesis data stream.
When you create a real-time log configuration with the CloudFront console, you can choose Create new service role to let the console create the IAM role for you.
When you create a real-time log configuration with AWS CloudFormation or the CloudFront API (AWS CLI or SDK), you must create the IAM role yourself and provide the role ARN. To create the IAM role yourself, use the following policies.
IAM role trust policy
To use the following IAM role trust policy, replace 111122223333 with your AWS account number. The Condition element in this policy helps to prevent the confused deputy problem because CloudFront can only assume this role on behalf of a distribution in your AWS account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        }
      }
    }
  ]
}
IAM role permission policy for an unencrypted data stream
To use the following policy, replace arn:aws:kinesis:us-east-2:123456789012:stream/StreamName with the ARN of your Kinesis data stream.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStreamSummary",
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": [
        "arn:aws:kinesis:us-east-2:123456789012:stream/StreamName"
      ]
    }
  ]
}
IAM role permission policy for an encrypted data stream
To use the following policy, replace arn:aws:kinesis:us-east-2:123456789012:stream/StreamName with the ARN of your Kinesis data stream and arn:aws:kms:us-east-2:123456789012:key/e58a3d0b-fe4f-4047-a495-ae03cc73d486 with the ARN of your AWS KMS key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStreamSummary",
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kinesis:PutRecords"
      ],
      "Resource": [
        "arn:aws:kinesis:us-east-2:123456789012:stream/StreamName"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-2:123456789012:key/e58a3d0b-fe4f-4047-a495-ae03cc73d486"
      ]
    }
  ]
}
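A check for the trust and permissions policies above, as an added Python example that is not AWS code: it verifies the aws:SourceAccount condition the page describes for the confused deputy problem, and that the Kinesis and KMS grants are scoped to exactly the stream and key ARNs. The policies, account number and ARNs are constructed copies of the placeholders shown on this page.

```python
"""Validate the IAM role policies used for CloudFront real-time log delivery.

Added example, not AWS code. The policies below are constructed copies of the
ones shown on this page, using the page's placeholder account and ARNs.
"""
import json

ACCOUNT_ID = "111122223333"
STREAM_ARN = "arn:aws:kinesis:us-east-2:123456789012:stream/StreamName"
KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/e58a3d0b-fe4f-4047-a495-ae03cc73d486"

# Constructed copy of the trust policy, including the confused-deputy condition.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}
  }]
}""")

# Constructed copy of the permissions policy for an encrypted stream.
PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kinesis:DescribeStreamSummary", "kinesis:DescribeStream",
                "kinesis:PutRecord", "kinesis:PutRecords"],
     "Resource": ["arn:aws:kinesis:us-east-2:123456789012:stream/StreamName"]},
    {"Effect": "Allow",
     "Action": ["kms:GenerateDataKey"],
     "Resource": ["arn:aws:kms:us-east-2:123456789012:key/e58a3d0b-fe4f-4047-a495-ae03cc73d486"]}
  ]
}""")

KINESIS_ACTIONS = {"kinesis:DescribeStreamSummary", "kinesis:DescribeStream",
                   "kinesis:PutRecord", "kinesis:PutRecords"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Service; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, account_id):
    """Return a list of findings; an empty list means the trust policy matches the page."""
    findings = []
    assume_statements = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))
    ]
    if not assume_statements:
        return ["no Allow statement for sts:AssumeRole"]
    for stmt in assume_statements:
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if services != ["cloudfront.amazonaws.com"]:
            findings.append("principal is not exactly the cloudfront.amazonaws.com service")
        source = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceAccount")
        if source != account_id:
            findings.append("aws:SourceAccount condition missing or not this account (confused deputy risk)")
    return findings


def check_permissions_policy(policy, stream_arn, key_arn=None):
    """Return findings for the permissions policy; pass key_arn for an encrypted stream.

    Wildcard actions such as kinesis:* are not expanded: they are reported as a
    wildcard grant, and the specific actions the page lists are reported missing.
    """
    findings = []
    granted = {}  # action -> set of resources it is allowed on
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = set(_as_list(stmt.get("Resource")))
        for action in _as_list(stmt.get("Action")):
            granted.setdefault(action, set()).update(resources)
    for action in sorted(KINESIS_ACTIONS):
        resources = granted.get(action, set())
        if not resources:
            findings.append(f"missing action {action}")
        elif resources != {stream_arn}:
            findings.append(f"{action} is not scoped to exactly the expected stream ARN")
    if key_arn is not None and granted.get("kms:GenerateDataKey", set()) != {key_arn}:
        findings.append("kms:GenerateDataKey missing or not scoped to the stream's KMS key")
    for action, resources in granted.items():
        if "*" in resources:
            findings.append(f"{action} is allowed on all resources (*)")
    return findings


if __name__ == "__main__":
    print(check_trust_policy(TRUST_POLICY, ACCOUNT_ID))
    print(check_permissions_policy(PERMISSIONS_POLICY, STREAM_ARN, KEY_ARN))
```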
Create a Kinesis Data Streams consumer
To read and analyze your real-time logs, you build or use a Kinesis Data Streams consumer. When you build a consumer for CloudFront real-time logs, it’s important to know that the fields in every real-time log record are always delivered in the same order, as listed in the Fields section. Make sure that you build your consumer to accommodate this fixed order.
For example, consider a real-time log configuration that includes only these three fields: time-to-first-byte, sc-status, and c-country. In this scenario, the last field, c-country, is always field number 3 in every log record. However, if you later add fields to the real-time log configuration, the placement of each field in a record can change.
For example, if you add the fields sc-bytes and time-taken to the real-time log configuration, these fields are inserted into each log record according to the order shown in the Fields section. The resulting order of all five fields is time-to-first-byte, sc-status, sc-bytes, time-taken, and c-country. The c-country field was originally field number 3, but is now field number 5. Make sure that your consumer application can handle fields that change position in a log record, in case you add fields to your real-time log configuration.
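The fixed-order behavior described above, handled by deriving each field's position from the canonical list instead of hard-coding it, as an added Python example that is not AWS code. It assumes each Kinesis record is one tab-delimited line and that the canonical order is the Fields list on this page (CMCD fields omitted); the sample configuration and records are constructed.

```python
"""Consumer-side parsing of CloudFront real-time log records.

Added example, not AWS code. Assumptions: each Kinesis record is one
tab-delimited line, and fields are delivered in the canonical order of the
Fields section on this page (CMCD fields are omitted here for brevity).
"""
from collections import Counter

# Canonical delivery order, copied from the Fields section of this page.
CANONICAL_ORDER = [
    "timestamp", "c-ip", "s-ip", "time-to-first-byte", "sc-status", "sc-bytes",
    "cs-method", "cs-protocol", "cs-host", "cs-uri-stem", "cs-bytes",
    "x-edge-location", "x-edge-request-id", "x-host-header", "time-taken",
    "cs-protocol-version", "c-ip-version", "cs-user-agent", "cs-referer",
    "cs-cookie", "cs-uri-query", "x-edge-response-result-type",
    "x-forwarded-for", "ssl-protocol", "ssl-cipher", "x-edge-result-type",
    "fle-encrypted-fields", "fle-status", "sc-content-type", "sc-content-len",
    "sc-range-start", "sc-range-end", "c-port", "x-edge-detailed-result-type",
    "c-country", "cs-accept-encoding", "cs-accept", "cache-behavior-path-pattern",
    "cs-headers", "cs-header-names", "cs-headers-count", "origin-fbl",
    "origin-lbl", "asn", "primary-distribution-id", "primary-distribution-dns-name",
]

# Constructed sample configuration (deliberately not in delivery order) and
# constructed records in the order CloudFront would actually deliver them:
# timestamp, sc-status, sc-bytes, x-edge-result-type, c-country.
SAMPLE_FIELDS = ["sc-status", "c-country", "x-edge-result-type", "sc-bytes", "timestamp"]
SAMPLE_RECORDS = [
    "1700000000.123\t200\t1024\tHit\tUS",
    "1700000000.456\t503\t512\tError\tDE",
    "1700000000.789\t304\t0\tRefreshHit\tFR",
]


def delivery_order(configured_fields):
    """Return the configured fields in the order they appear in each record.

    Positions are derived from CANONICAL_ORDER, so adding a field to the
    configuration later shifts later fields without breaking the mapping.
    """
    configured = set(configured_fields)
    unknown = configured - set(CANONICAL_ORDER)
    if unknown:
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    return [name for name in CANONICAL_ORDER if name in configured]


def parse_record(line, configured_fields):
    """Map one tab-delimited record to a dict keyed by field name."""
    order = delivery_order(configured_fields)
    values = line.rstrip("\n").split("\t")
    if len(values) != len(order):
        # A count mismatch usually means the configuration changed; fail loudly
        # rather than silently attributing values to the wrong field.
        raise ValueError(f"expected {len(order)} fields, got {len(values)}")
    return dict(zip(order, values))


def summarize(lines, configured_fields):
    """Count x-edge-result-type values and 5xx responses across a batch."""
    result_types = Counter()
    server_errors = 0
    for line in lines:
        record = parse_record(line, configured_fields)
        result_types[record.get("x-edge-result-type", "(not configured)")] += 1
        if record.get("sc-status", "").startswith("5"):
            server_errors += 1
    return {"result_types": dict(result_types), "server_errors": server_errors}


if __name__ == "__main__":
    # The page's example: c-country is field 3 with three fields configured,
    # and field 5 once sc-bytes and time-taken are added.
    three = ["time-to-first-byte", "sc-status", "c-country"]
    print(delivery_order(three).index("c-country") + 1)
    print(delivery_order(three + ["sc-bytes", "time-taken"]).index("c-country") + 1)
    print(summarize(SAMPLE_RECORDS, SAMPLE_FIELDS))
```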
Troubleshoot real-time logs
After you create a real-time log configuration, you might find that no records (or not all records) are delivered to Kinesis Data Streams. In this case, you should first verify that your CloudFront distribution is receiving viewer requests. If it is, you can check the following settings to continue troubleshooting.
- IAM role permissions
  To deliver real-time log records to your Kinesis data stream, CloudFront uses the IAM role in the real-time log configuration. Make sure that the role trust policy and the role permissions policy match the policies shown in IAM role.
- Kinesis Data Streams throttling
  If CloudFront writes real-time log records to your Kinesis data stream faster than the stream can handle, Kinesis Data Streams might throttle the requests from CloudFront. In this case, you can increase the number of shards in your Kinesis data stream. Each shard can support writes up to 1,000 records per second, up to a maximum data write of 1 MB per second.