Amazon CloudWatch introduces automated logging for CloudFront and more

Amazon CloudWatch has expanded its automatic enablement feature to include logs from Amazon CloudFront, AWS Security Hub, and Amazon Bedrock AgentCore. This update allows for consistent monitoring setup without manual intervention.

Amazon CloudWatch has announced the extension of its automatic enablement feature to include Amazon CloudFront Standard access logs, AWS Security Hub Cloud Security Posture Management (CSPM) finding logs, and Amazon Bedrock AgentCore memory and gateway logs and traces. Customers can now create enablement rules that automatically configure telemetry for both existing and newly created resources, giving consistent monitoring without manual setup.

Enablement rules can be scoped to the whole organization, to specific accounts, or to particular resources identified by resource tags, which standardizes telemetry collection across those scopes. For instance, a centralized security team can implement a single rule that automatically routes CloudFront access logs and Security Hub findings for all organizational resources into CloudWatch Logs.

This auto-enablement feature is available in all AWS commercial regions. Log ingestion incurs charges according to CloudWatch Pricing. Amazon CloudFront access logs and AWS Security Hub CSPM findings support enablement rules that span entire organizations, whereas Bedrock AgentCore memory and gateway telemetry supports enablement rules at the account level. For further details on enablement rules in Amazon CloudWatch, see the Amazon CloudWatch documentation.