Track configuration changes with Amazon Config - Amazon CloudFront
Set up Amazon Config with CloudFrontView CloudFront configuration historyEvaluate CloudFront configurations with Amazon Config Rules
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Track configuration changes with Amazon Config

To record and evaluate configurations of your Amazon resources, you can use Amazon Config, which provides you with a detailed view of the configuration of your distributions. This includes how the resources are related to one another and how they were configured in the past, so you can review changes over time.

You can also use Amazon Config to record configuration changes to your CloudFront distribution settings. You can capture changes to distribution states, price classes, origins, geographic restriction settings, and Lambda@Edge configurations.

Note

Amazon Config does not record key–value tags for CloudFront streaming distributions.

Set up Amazon Config with CloudFront

When you set up Amazon Config, you can choose to record all supported Amazon resources or record only some specified resources, such as recording changes for CloudFront only. For a list of supported CloudFront resources, see the Amazon CloudFront section of the Supported Resource Types topic in the Amazon Config Developer Guide.

Notes

  • To track configuration changes to your CloudFront distribution, you must sign in to the CloudFront console in the US East (N. Virginia) Amazon Web Services Region.

  • There might be a delay in recording resources with Amazon Config. Amazon Config records resources only after it discovers the resources.

Console
To set up Amazon Config with CloudFront

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Config console at https://console.amazonaws.cn/config/.

  2. Choose Get Started Now.

  3. On the Settings page, for Resource types to record, specify the Amazon resource types that you want Amazon Config to record. If you want to record only CloudFront changes, choose Specific types, and then, under CloudFront, choose the distribution or streaming distribution that you want to track changes for.

    To add or change which distributions to track, choose Settings on the left, after completing your initial setup.

  4. Specify additional required options for Amazon Config: set up a notification, specify a location for the configuration information, and add rules for evaluating resource types.

For more information, see Setting up Amazon Config with the Console in the Amazon Config Developer Guide.

Amazon CLI

To set up Amazon Config with CloudFront using the Amazon CLI, see Setting up Amazon Config with the Amazon CLI in the Amazon Config Developer Guide.

Amazon Config API

To set up Amazon Config with CloudFront using the Amazon Config API, see the StartConfigurationRecorder API operation in the Amazon Config API Reference.

View CloudFront configuration history

After Amazon Config starts recording configuration changes to your distributions, you can get the configuration history of any distribution that you have configured for CloudFront.

You can view configuration histories in the following ways.

Console

For each recorded resource, you can view a timeline page that provides a history of configuration details. To view this page, choose the gray icon in the Config Timeline column of the Dedicated Hosts page.

For more information, see Viewing Configuration Details in the Amazon Config Console in the Amazon Config Developer Guide.

Amazon CLI

To get a list of all your distributions, run the list-discovered-resources command, as shown in the following example.

aws configservice list-discovered-resources --resource-type AWS::CloudFront::Distribution

To get the configuration details of a distribution for a specific time interval, run the get-resource-config-history command.

For more information, see View Configuration Details Using the CLI in the Amazon Config Developer Guide.

Amazon Config API

To get a list of all your distributions, use the ListDiscoveredResources API operation.

To get the configuration details of a distribution for a specific time interval, use the GetResourceConfigHistory API operation. For more information, see the Amazon Config API Reference.

Evaluate CloudFront configurations with Amazon Config Rules

You can evaluate configurations against desired configurations with Amazon Config Rules. For example, Amazon Config Rules helps you to evaluate whether your CloudFront resources comply with common security best practices. You can choose managed rules like viewer policy HTTPS, SNI enabled, OAC enabled, origin failover enabled, Amazon WAF WebACL, or Amazon Shield Advanced resource policies to be triggered when the configuration changes.

Managed rules can run evaluations periodically, at a frequency that you choose. Amazon Firewall Manager relies on Amazon Config for automatic alerts and remediations. For more information, see Evaluating Resources with Amazon Config Rules and List of Amazon Config Managed Rules in the Amazon Config Developer Guide.