Enabled CloudFront Standard Logs, pointed to an S3 bucket. Set up the correct IAM policy and S3 bucket policy. Waited 30 minutes, checked S3 — no log files. Checked CloudFront console — logging shows "Enabled."
# Verify bucket policy allows CloudFront logging
aws s3api get-bucket-policy --bucket your-log-bucket
# Check if any objects exist at all
aws s3 ls s3://your-log-bucket/ --recursive
# Verify CloudFront distribution has logging configured
aws cloudfront get-distribution-config --id YOUR_DIST_ID | jq '.DistributionConfig.Logging'
All checks passed. Still no logs.
CloudFront Standard Logging does not generate log files on the AWS free tier.
This is not documented clearly in the free tier limits page. The logging *appears* to be configured correctly, but no log delivery occurs. AWS support confirmed this behavior.
Free tier CloudFront gives you:
If your domain is on Cloudflare, enable Web Analytics in the dashboard — it's free, privacy-friendly, and requires adding one script tag:
<!-- Cloudflare Web Analytics -->
<script defer src='https://static.cloudflareinsights.com/beacon.min.js'
data-cf-beacon='{"token": "your-token-here"}'></script>
Gives you: page views, unique visitors, referrers, country breakdown. No S3 setup required.
Logs direct S3 requests (not CloudFront CDN hits). Only useful if you care about direct S3 access, not visitor analytics.
aws s3api put-bucket-logging --bucket your-site-bucket --bucket-logging-status '{
"LoggingEnabled": {
"TargetBucket": "your-log-bucket",
"TargetPrefix": "s3-access/"
}
}'
Drop a 1x1 transparent GIF in your site, log every request server-side. Works but requires a server to process logs.
Use Cloudflare Web Analytics. It's zero-infrastructure, GDPR-compliant (no cookies), and provides the metrics most sites actually need. Save Standard Logs for when you're on a paid CloudFront tier and need raw access logs for compliance or security analysis.