CloudFront access logs not appearing in S3 bucket after enabling logging for CDN distribution

I enabled access logging on our CloudFront distribution three days ago but no log files are appearing in the designated S3 bucket. I’ve verified the bucket exists and specified the correct path in CloudFront logging configuration.

CloudFront distribution settings show logging enabled:

Logging: Enabled
Bucket: cdn-logs.s3.amazonaws.com
Prefix: cloudfront/production/

The S3 bucket is in us-east-1, same region as our CloudFront distribution origin. I can manually upload files to this bucket without issues, so permissions seem fine from my account perspective. However, after 72 hours, the cloudfront/production/ prefix remains empty.

We need these logs for traffic analysis and security monitoring. What could be preventing CloudFront from delivering access logs to S3?

I don’t see any bucket policy configured currently - the bucket policy editor is empty. Should I add something specific? The bucket doesn’t have encryption enabled.

CloudFront logging has specific requirements beyond basic S3 write permissions. The bucket policy must allow the CloudFront log delivery service principal - it’s different from your IAM user permissions. Also verify you’re not using SSE-KMS encryption on the bucket, as CloudFront can only write to buckets with SSE-S3 or no encryption. Check if your bucket has any restrictive policies that might block the AWS service account used for log delivery.

That’s definitely your problem - missing bucket policy. CloudFront can’t write logs without explicit permission granted to its service principal. You need to add a policy that allows the CloudFront log delivery account to put objects in your bucket.

Your issue is a missing S3 bucket policy that grants CloudFront permission to deliver logs. This is the most common cause of missing CloudFront access logs and requires addressing all three configuration areas.

S3 Bucket Policy for Log Delivery: CloudFront uses a specific AWS service account to write logs. Your bucket needs a policy granting PutObject and PutObjectAcl permissions to this account. Add this policy to your cdn-logs bucket:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontLogDelivery",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudfront.amazonaws.com"
    },
    "Action": [
      "s3:PutObject",
      "s3:PutObjectAcl"
    ],
    "Resource": "arn:aws:s3:::cdn-logs/*",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "YOUR_ACCOUNT_ID"
      }
    }
  }]
}

CloudFront Logging Configuration: Your configuration format needs correction. In the CloudFront console or API, specify only the bucket name without the .s3.amazonaws.com suffix:

Bucket for Logs: cdn-logs
Log Prefix: cloudfront/production/
Cookie Logging: Off (or On if needed)

The console adds the S3 domain automatically. Using cdn-logs.s3.amazonaws.com in configuration can cause routing issues where CloudFront attempts to resolve this as a custom domain.

Cross-Account Permissions (if applicable): If your CloudFront distribution and S3 bucket are in different AWS accounts, you need additional configuration:

  1. Bucket policy must reference the source account where CloudFront distribution exists
  2. Bucket ACLs should allow log delivery from CloudFront service
  3. Bucket ownership controls should allow ACL-based permissions

For same-account setup (your case), the bucket policy above is sufficient.

Additional Considerations:

  • Bucket cannot use SSE-KMS encryption (SSE-S3 or no encryption only)
  • Bucket must not have “Block all public access” preventing ACL-based permissions from AWS services
  • Log delivery typically begins within 1-2 hours after policy is applied, but can take up to 24 hours
  • Logs are delivered multiple times per hour in compressed .gz files

Verification Steps:

  1. Apply the bucket policy with your actual account ID
  2. Wait 2-4 hours for first log files to appear
  3. Check CloudFront metrics to confirm distribution is receiving traffic
  4. Verify bucket region matches CloudFront logging requirements (any region works, but us-east-1 is standard)

After applying this policy, logs should start appearing within a few hours. The combination of proper bucket policy permissions, corrected CloudFront configuration format, and appropriate cross-account settings (when needed) resolves all three focus areas preventing log delivery.
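As an added example (not part of the answer above or of any AWS tooling), the following Python turns the answer's checklist into an offline pre-flight checker: it takes the bucket policy, default-encryption rules, Object Ownership setting and the distribution's Logging block as plain dicts and reports which requirement fails. The constructed sample mirrors the poster's situation (logging on, empty policy, no encryption). The principal it looks for defaults to the one the answer proposes but is a parameter, since which principal or ACL grantee CloudFront uses depends on the logging type; fetch_live() is an assumed boto3 wiring for pulling the real inputs and is not exercised by the sample.

```python
"""Offline checker for the CloudFront -> S3 log delivery requirements listed
in the answer above. Added example, not code from the thread. The check
functions take already-fetched configuration as dicts, so the constructed
sample at the bottom runs offline; fetch_live() is an assumed boto3 wiring."""
import fnmatch
import json

# Principal the answer above grants; a parameter because which principal
# (or ACL grantee) CloudFront uses depends on the logging type.
DEFAULT_PRINCIPAL = "cloudfront.amazonaws.com"
S3_SUFFIX = ".s3.amazonaws.com"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_services(stmt):
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    return _as_list(p.get("Service", [])) if isinstance(p, dict) else []


def policy_grants_put(policy, bucket, prefix, principal=DEFAULT_PRINCIPAL):
    """True if an Allow statement lets `principal` s3:PutObject an object under
    `prefix`. IAM * and ? wildcards are honoured; Condition blocks, NotAction
    and NotResource are deliberately not evaluated (simplification)."""
    if not policy:
        return False
    probe = f"arn:aws:s3:::{bucket}/{prefix}probe.gz"  # representative log key
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        services = _principal_services(stmt)
        if principal not in services and "*" not in services:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:putobject", a) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(probe, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def encryption_blocks_delivery(sse_config):
    """The answer above says SSE-KMS default encryption blocks delivery."""
    for rule in (sse_config or {}).get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
        if algo.startswith("aws:kms"):  # covers aws:kms and aws:kms:dsse
            return True
    return False


def acls_disabled(ownership_controls):
    """BucketOwnerEnforced disables ACLs, so no ACL-based grant can take effect."""
    return any(r.get("ObjectOwnership") == "BucketOwnerEnforced"
               for r in (ownership_controls or {}).get("Rules", []))


def logging_targets_bucket(logging_cfg, bucket):
    """Enabled and aimed at `bucket`, accepting the bare name or the
    name.s3.amazonaws.com form (both appear in this thread)."""
    if not logging_cfg.get("Enabled"):
        return False
    target = logging_cfg.get("Bucket", "")
    if target.endswith(S3_SUFFIX):
        target = target[: -len(S3_SUFFIX)]
    return target == bucket


def diagnose(bucket, policy, sse_config, ownership, logging_cfg, principal=DEFAULT_PRINCIPAL):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    if not logging_targets_bucket(logging_cfg, bucket):
        findings.append("distribution logging disabled or pointed at another bucket")
    prefix = logging_cfg.get("Prefix", "")
    if not policy_grants_put(policy, bucket, prefix, principal):
        findings.append(f"bucket policy grants {principal} no s3:PutObject under {prefix!r}")
    if encryption_blocks_delivery(sse_config):
        findings.append("default encryption is SSE-KMS")
    if acls_disabled(ownership):
        findings.append("Object Ownership is BucketOwnerEnforced, so ACLs are off")
    return findings


def fetch_live(bucket, distribution_id):
    """Assumed wiring: pull the same inputs with boto3 (needs credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3, cf = boto3.client("s3"), boto3.client("cloudfront")

    def maybe(call, key):  # these APIs raise when nothing is configured
        try:
            return call()[key]
        except ClientError:
            return None

    policy = maybe(lambda: s3.get_bucket_policy(Bucket=bucket), "Policy")
    return (json.loads(policy) if policy else None,
            maybe(lambda: s3.get_bucket_encryption(Bucket=bucket), "ServerSideEncryptionConfiguration"),
            maybe(lambda: s3.get_bucket_ownership_controls(Bucket=bucket), "OwnershipControls"),
            cf.get_distribution_config(Id=distribution_id)["DistributionConfig"]["Logging"])


# Constructed sample mirroring the question: logging on, empty policy, no
# encryption, default ownership. Not taken from a real account.
BUCKET = "cdn-logs"
POSTER_LOGGING = {"Enabled": True, "IncludeCookies": False,
                  "Bucket": "cdn-logs.s3.amazonaws.com", "Prefix": "cloudfront/production/"}
ANSWER_POLICY = {  # the policy proposed in the answer above, placeholder account id kept
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowCloudFrontLogDelivery", "Effect": "Allow",
                   "Principal": {"Service": DEFAULT_PRINCIPAL},
                   "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                   "Resource": f"arn:aws:s3:::{BUCKET}/*",
                   "Condition": {"StringEquals": {"aws:SourceAccount": "YOUR_ACCOUNT_ID"}}}]}

if __name__ == "__main__":
    print("before:", diagnose(BUCKET, None, None, None, POSTER_LOGGING))
    print("after: ", diagnose(BUCKET, ANSWER_POLICY, None, None, POSTER_LOGGING))
```

Run with the constructed sample it reports only the missing bucket policy; swap in fetch_live(bucket, distribution_id) for the real configuration. Because the probe key is built from the configured prefix, a policy scoped to a different prefix (or one that only names the bucket ARN, not bucket/*) is flagged rather than silently passing.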

First thing to check - does your S3 bucket policy grant CloudFront log delivery permissions? CloudFront uses a specific AWS service principal that needs explicit write access. Without this, logs get dropped silently.

Beyond the bucket policy, double-check your CloudFront logging configuration format. The bucket name should be just the bucket name without .s3.amazonaws.com suffix in most configuration interfaces. Also, CloudFront logs can take up to several hours to appear initially, though 72 hours is definitely too long.

If you’re doing cross-account logging (CloudFront distribution in one account, S3 bucket in another), the permissions get more complex. You need both bucket policy and potentially bucket ACLs configured correctly for the CloudFront service account.