What is AWS CloudFront Traffic Anomaly Monitoring?

AWS CloudFront Traffic Anomaly Monitoring is a feature that allows you to track sudden changes in your CloudFront distribution’s traffic patterns. It analyzes the number of requests to your CloudFront-served content and alerts you when there are significant increases or decreases in traffic volume.

Why Monitor Traffic Anomalies?

Monitoring traffic anomalies can help you:

  • Detect and respond to potential DDoS attacks
  • Identify sudden spikes in legitimate traffic (e.g., from a successful marketing campaign)
  • Spot unexpected drops in traffic that might indicate technical issues

How do I set up AWS CloudFront Traffic Anomaly Monitoring?

Add the AWS CloudFront resource to your Alerty inventory, and Alerty will begin monitoring it automatically! When Alerty detects a significant change in your traffic patterns, it will send you an alert.

Setting up AWS CloudFront Traffic Anomaly Monitoring

To monitor AWS CloudFront traffic anomalies, you’ll need to provide some information:

  1. IAM Role: You’ll need to create an IAM role with the appropriate permissions.
  2. Distribution ID: You’ll need to provide your CloudFront Distribution ID.

Creating an IAM User with Read-Only Permissions

We recommend creating an IAM user with read-only permissions for CloudFront and CloudWatch. Here’s how to do it:

  1. Sign in to the AWS Management Console and open the IAM console.
  2. In the navigation pane, choose “Users”, then “Add user”.
  3. Set a user name (e.g., “AlertyCloudFrontMonitoring”).
  4. Under “Select AWS credential type”, choose “Access key - Programmatic access”.
  5. Click “Next: Permissions”.
  6. Click “Attach existing policies directly”.
  7. Search for and select the following policies:
    • “CloudFrontReadOnlyAccess"
    • "CloudWatchReadOnlyAccess”
  8. Click “Next: Tags” (add tags if desired), then “Next: Review”.
  9. Review the user details and click “Create user”.
  10. On the success page, you’ll see the Access key ID and Secret access key.

Finding Your Distribution ID

  1. Sign in to the AWS Management Console and open the CloudFront console.
  2. In the list of distributions, find the ID column for the distribution you want to monitor.
  3. Copy this ID and paste it into Alerty when prompted.

How It Works

Once set up, Alerty will continuously monitor your CloudFront traffic data using CloudWatch metrics. It uses advanced algorithms to detect:

  1. Rapid increases in traffic, which could indicate a traffic spike or potential DDoS attack.
  2. Sudden decreases in traffic, which might suggest technical issues or content problems.

When an anomaly is detected, Alerty will send you an alert with details about the traffic change, allowing you to investigate and respond promptly.

Fine-Grained Access (Advanced)

While we recommend using the simple read-only permissions setup for most users, AWS does offer options for more granular control over IAM permissions. This is useful for users who need to restrict access to specific resources or adhere to strict security policies.

To create a fine-grained access IAM user:

  1. Follow steps 1-6 from the broad permissions setup.
  2. Instead of attaching existing policies, choose “Create policy”.
  3. In the visual editor, add the following permissions:
    • Service: CloudFront
      • Actions: All Read actions
      • Resources: Specific (add your Distribution ARN)
    • Service: CloudWatch
      • Actions:
        • List: ListMetrics
        • Read: GetMetricData, GetMetricStatistics
      • Resources: All resources
  4. Complete the user creation process and generate CLI credentials as described earlier.

This approach allows you to create a user with the minimum necessary permissions, enhancing security by limiting the scope of what the user can access. However, it requires more setup and you’ll need to ensure you’ve included all the distributions you want to monitor.

Remember, if you use a fine-grained access user, you’ll need to make sure it has access to all the distributions you want to monitor in Alerty. If you add new distributions later, you may need to update your IAM user permissions.

For most users, the broad read-only permissions setup will be simpler to set up and maintain, especially if you’re monitoring multiple distributions or frequently add new ones.