finneycanhelp

Reputation: 9248

How to specify how long AWS CloudFront Access Logs are kept?

We are using AWS CDK (AWS Cloud Development Kit) to create our CloudFront Distribution. We are creating the CloudFront Distribution with access logging enabled and have specified the Amazon S3 bucket to store the access logs in.

How long are the access logs kept by default? How does one specify how long they are kept? I sense it has to do with managing the storage lifecycle for the logs.

A subset of docs I looked at (though I may have missed something):

See also https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-objects.html where it says “You can set up a lifecycle rule to automatically delete objects such as log files.”

        var staticContentCFDistribution = new cloudfront.Distribution(this, `IDSTRINGWASHERE`, {
            defaultBehavior: { 
                origin: new S3Origin(staticContentBucket),
                cachePolicy: CachePolicy.CACHING_OPTIMIZED,
                allowedMethods: AllowedMethods.ALLOW_GET_HEAD,
                cachedMethods: AllowedMethods.ALLOW_GET_HEAD,
                viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
                compress: true
            },
            domainNames: [ domainName ],
            comment: `CHANGEDTHISFORTHISPOST`,
            enableLogging: true,
            logBucket: logBucket,
            webAclId: webAclId,
<CLIP>

I have Googled many different things such as:

I keep running into CloudWatch docs and not CloudFront Access Log docs where I can specify how long to keep the access logs.

Upvotes: 0

Views: 2379

Answers (2)

Ryan

Reputation: 1181

By default, the logs will be kept in S3 indefinitely or, as you suggested, can be managed using lifecycle rules.

In the below example, you can create an S3 bucket and use this as part of your CloudFront distribution (or import an existing bucket) and then delete logs automatically after 30 days. You may want to move the files down the available S3 storage tiers before deleting but this is personal preference.

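    // Assumes CDK v2 module paths
    import { Duration } from 'aws-cdk-lib';
    import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
    import * as s3 from 'aws-cdk-lib/aws-s3';

    // Bucket that receives the CloudFront access logs
    const logBucket = new s3.Bucket(this, `${id}-log-bucket`);

    // Delete log objects automatically after 30 days
    logBucket.addLifecycleRule({
      enabled: true,
      expiration: Duration.days(30),
      id: 'rule',
    });

    new cloudfront.Distribution(this, `${id}-cf-distribution`, {
      logBucket,
      // … etc
    });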

Upvotes: 1

Marcin

Reputation: 238687

The logs' lifecycle is a property of S3, not CloudFront. So if you store your access logs in S3, you set up their lifecycle in S3, as explained in Managing your storage lifecycle.

Similarly, there are retention rules for CloudWatch Logs.

In both cases, these settings are not related to cloudfront.Distribution. They are properties of S3 and CloudWatch.

Upvotes: 3
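
Since retention lives on the bucket rather than on the distribution, one way to confirm what is actually in effect is to check the rule list S3 returns from GetBucketLifecycleConfiguration. The following is an added example, not code from either answer or from AWS: the function name `auditLogRetention`, the sample rules, the `cloudfront/` log prefix and the 90 to 400 day window are constructed, and it assumes prefix-only filters and that the shortest matching expiration takes effect.

```typescript
// Subset of the rule shape returned by S3 GetBucketLifecycleConfiguration.
interface LifecycleRule {
  ID?: string;
  Status: "Enabled" | "Disabled";
  Prefix?: string;               // legacy top-level prefix
  Filter?: { Prefix?: string };  // assumption: prefix-only filters
  Expiration?: { Days?: number };
}

interface RetentionFinding {
  retentionDays: number | null;  // null: objects under the prefix never expire
  ruleId: string | null;
  ok: boolean;
  reason: string;
}

// Hypothetical helper: reports whether objects under logPrefix expire at all,
// and whether the retention falls inside [minDays, maxDays].
function auditLogRetention(
  rules: LifecycleRule[], logPrefix: string, minDays: number, maxDays: number,
): RetentionFinding {
  const matching = rules.filter((r) => {
    const rulePrefix = r.Filter?.Prefix ?? r.Prefix ?? "";
    // A rule covers every log object only if its prefix is a prefix of logPrefix.
    return r.Status === "Enabled" && r.Expiration?.Days !== undefined
      && logPrefix.slice(0, rulePrefix.length) === rulePrefix;
  });
  if (matching.length === 0) {
    return { retentionDays: null, ruleId: null, ok: false,
      reason: `no enabled expiration rule covers "${logPrefix}": logs are kept indefinitely` };
  }
  // Assumption: when several rules match, the shortest expiration takes effect.
  const winner = matching.reduce((a, b) =>
    (a.Expiration!.Days! <= b.Expiration!.Days! ? a : b));
  const days = winner.Expiration!.Days!;
  const ok = days >= minDays && days <= maxDays;
  return { retentionDays: days, ruleId: winner.ID ?? null, ok,
    reason: ok ? `logs expire after ${days} days`
      : `logs expire after ${days} days, outside the ${minDays}-${maxDays} day window` };
}

// Constructed sample: a bucket-wide 30-day rule plus a disabled 365-day rule.
const sampleRules: LifecycleRule[] = [
  { ID: "rule", Status: "Enabled", Filter: { Prefix: "" }, Expiration: { Days: 30 } },
  { ID: "old-cf", Status: "Disabled", Filter: { Prefix: "cloudfront/" }, Expiration: { Days: 365 } },
];
console.log(auditLogRetention(sampleRules, "cloudfront/", 90, 400));
```
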
