AWS CloudFront Identity Access to S3 Bucket - API Call Monitoring

Check if Amazon CloudFront identity is accessing S3 bucket hosting static website

Question

An administrator would like to check if the Amazon CloudFront identity is making access API calls to an S3 bucket where a static website is hosted.

Where can this information be obtained?

Answers

A. Run Amazon Athena queries on the Amazon CloudFront distribution
B. Check Amazon CloudWatch logs on the S3 bucket
C. Tail the identity access logs from the Amazon CloudFront identity on the web server
D. View the Event history in AWS CloudTrail

Explanations

Correct Answer - D.

By viewing Event history in AWS CloudTrail, the administrator can see the API activity recorded for the account over the past 90 days and filter it down to calls made against the S3 bucket that hosts the static website. Note that Event history contains management events; object-level calls such as GetObject are S3 data events, which CloudTrail records only when a trail (or CloudTrail Lake event data store) has data event logging enabled for that bucket.

https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html

Option A is INCORRECT because Amazon Athena does not record API calls itself. It needs an existing data repository, typically a folder in an S3 bucket to which logs are already being written, from which a database and table are created before any query can run.

Option B is INCORRECT because Amazon CloudWatch does not log access API calls from one resource to another. AWS CloudTrail does.

Option C is INCORRECT because CloudFront is fully managed by AWS; there is no underlying web server an administrator can log in to and tail logs on.

To check if the Amazon CloudFront identity is making access API calls to an S3 bucket hosting a static website, an administrator can look up this information in the AWS CloudTrail event history. Therefore, option D is the correct answer.

AWS CloudTrail is a service that records the API calls made in an AWS account, including the identity of the caller, the time of the call, the API that was called, the request parameters and the response elements returned by the API. This information can be used to monitor and troubleshoot an AWS account's usage and for compliance and auditing purposes.

To look up the access calls made by the Amazon CloudFront identity, an administrator can navigate to the CloudTrail Event history in the AWS Management Console. Once there, they can filter the results by attribute, for example Resource name set to the bucket name, Event source set to s3.amazonaws.com, or User name set to the CloudFront identity, and then inspect the matching records.
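The same filtering can be applied to CloudTrail records offline, which is what a practitioner would do with a trail's log files delivered to S3. The script below is an added example and is not part of the original page or of any AWS tool: it parses a CloudTrail log file body, keeps only the S3 calls against a given bucket, and keeps only those made by a CloudFront identity. The bucket name, object keys and every record in `SAMPLE_LOG` are constructed for illustration. The userIdentity shapes used to recognise CloudFront (an origin access control call as `AWSService` with `invokedBy` of `cloudfront.amazonaws.com`, an origin access identity call matched by a caller-supplied `principalId`) and the `eventCategory` check are assumptions of this example and should be compared against records from your own account.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail log file body ({"Records": [...]}).
# These are NOT real log entries; values and identity shapes are assumed for
# illustration only.
SAMPLE_LOG = r'''
{"Records": [
 {"eventTime": "2024-03-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "eventCategory": "Data",
  "userIdentity": {"type": "AWSService", "invokedBy": "cloudfront.amazonaws.com"},
  "requestParameters": {"bucketName": "my-static-site", "key": "index.html"}},
 {"eventTime": "2024-03-01T10:00:02Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "eventCategory": "Data",
  "userIdentity": {"type": "AWSAccount", "principalId": "EXAMPLEOAIPRINCIPAL"},
  "requestParameters": {"bucketName": "my-static-site", "key": "css/site.css"}},
 {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject", "eventCategory": "Data",
  "userIdentity": {"type": "IAMUser", "userName": "deployer"},
  "requestParameters": {"bucketName": "my-static-site", "key": "index.html"}},
 {"eventTime": "2024-03-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "eventCategory": "Data",
  "userIdentity": {"type": "AWSService", "invokedBy": "cloudfront.amazonaws.com"},
  "requestParameters": {"bucketName": "other-bucket", "key": "a.png"}},
 {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetBucketPolicy", "eventCategory": "Management",
  "userIdentity": {"type": "IAMUser", "userName": "admin"},
  "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::my-static-site"}]}
]}
'''

CLOUDFRONT_SERVICE = "cloudfront.amazonaws.com"


def load_records(log_text):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(log_text)["Records"]


def is_cloudfront_identity(identity, oai_principal_ids=()):
    """True when the caller is CloudFront: a service-principal (OAC) call, or a
    call by one of the origin access identity principal IDs supplied by the user.
    Both field conventions are assumptions of this example."""
    if identity.get("invokedBy") == CLOUDFRONT_SERVICE:
        return True
    return identity.get("principalId") in set(oai_principal_ids)


def bucket_of(record):
    """Bucket name from requestParameters, falling back to the resources ARNs."""
    name = (record.get("requestParameters") or {}).get("bucketName")
    if name:
        return name
    for res in record.get("resources") or []:
        arn = res.get("ARN", "")
        if arn.startswith("arn:aws:s3:::"):
            return arn[len("arn:aws:s3:::"):].split("/", 1)[0]
    return None


def cloudfront_calls(records, bucket, oai_principal_ids=()):
    """S3 calls CloudFront made against `bucket`, as (eventTime, API name, object key)."""
    hits = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or bucket_of(r) != bucket:
            continue
        if not is_cloudfront_identity(r.get("userIdentity") or {}, oai_principal_ids):
            continue
        key = (r.get("requestParameters") or {}).get("key")
        hits.append((r["eventTime"], r["eventName"], key))
    return hits


def call_counts(records, bucket, oai_principal_ids=()):
    """API name -> number of CloudFront calls against the bucket."""
    return dict(Counter(api for _, api, _ in cloudfront_calls(records, bucket, oai_principal_ids)))


def has_data_events(records):
    """False means no object-level (data) events are present at all: either the
    trail is not logging S3 data events, or the input is Event history, which
    only carries management events. In that case CloudFront GetObject calls
    would be invisible even if they are happening."""
    return any(r.get("eventCategory") == "Data" for r in records)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    oai_ids = ["EXAMPLEOAIPRINCIPAL"]
    for hit in cloudfront_calls(recs, "my-static-site", oai_ids):
        print(*hit)
    print(call_counts(recs, "my-static-site", oai_ids))
    print("data events present:", has_data_events(recs))
```

In a live account the records come from the trail's gzipped log files in S3 (each file has the same `{"Records": [...]}` shape), and `has_data_events` returning False is the signal that the trail needs S3 data event logging switched on for the bucket before this question can be answered from CloudTrail at all. For management events only, `aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=my-static-site` returns the same Event history the console shows.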

Amazon Athena (option A) is a serverless, interactive query service that analyzes data already stored in Amazon S3 using SQL. It could be pointed at logs that have been delivered to an S3 bucket, such as CloudTrail log files or S3 server access logs, but it is a query engine over an existing repository, not a source of the access record itself. CloudFront standard logs in particular record viewer requests to the distribution, not the distribution's own calls to its S3 origin, so querying them with Athena would not answer the question.

Option B, checking Amazon CloudWatch logs on the S3 bucket, is incorrect because CloudWatch is a monitoring service: S3 publishes storage and request metrics to it, but those are aggregate counts and do not identify which principal made which API call. That identity-level record is what CloudTrail provides.

Option C, tailing the identity access logs from the Amazon CloudFront identity on the web server, is also incorrect because CloudFront is a managed service with no underlying web server that an administrator can log in to. Tailing logs by hand would in any case be time-consuming and error-prone, especially in larger environments.