Amazon CloudWatch expands auto-enablement to Amazon CloudFront logs and 3 additional resource types

Amazon CloudWatch Auto-Enablement for Logs
Amazon CloudWatch now supports automatic enablement of Amazon CloudFront Standard access logs, AWS Security Hub CSPM finding logs, and Amazon Bedrock AgentCore memory and gateway logs and traces to CloudWatch Logs. Customers can set up enablement rules that automatically configure telemetry for both existing and newly created resources, ensuring consistent monitoring coverage without manual setup.
Enablement rules can be scoped to the organization, specific accounts, or specific resources based on resource tags to standardize telemetry collection. For example, a central security team can create a single rule to automatically send CloudFront access logs and Security Hub findings for all resources across their organization to CloudWatch Logs.
What to do
- Create enablement rules for CloudFront access logs, Security Hub findings, and Bedrock AgentCore telemetry.
- Scope rules to the organization, specific accounts, or specific resources based on resource tags.
- Monitor logs in CloudWatch Logs.
CloudWatch's auto-enablement capability is available in all AWS commercial regions. Log ingestion will be billed according to CloudWatch Pricing.
- CloudFront access logs: Organization-wide enablement rules
- Security Hub CSPM findings: Organization-wide enablement rules
- Bedrock AgentCore telemetry: Account-level enablement rules
To learn more about enablement rules in Amazon CloudWatch, visit the Amazon CloudWatch documentation.



