Amazon CloudWatch enhances auto-enablement for CloudFront and three other resource types
Amazon CloudWatch now offers automatic logging enablement for CloudFront, AWS Security Hub, and Amazon Bedrock resources, simplifying monitoring setup. This feature is available in all AWS commercial regions with billing based on CloudWatch Pricing.
Amazon CloudWatch has introduced a new feature that automatically enables delivery of Amazon CloudFront Standard access logs, AWS Security Hub CSPM finding logs, and Amazon Bedrock AgentCore memory and gateway logs and traces to CloudWatch Logs. Customers can establish enablement rules that configure telemetry for both current and future resources, ensuring comprehensive monitoring without manual intervention.
These enablement rules can be tailored to apply across an organization, specific accounts, or particular resources identified by resource tags, facilitating standardized telemetry data collection. For instance, a centralized security team can implement a rule that directs CloudFront access logs and Security Hub findings from all organizational resources to CloudWatch Logs automatically.
The auto-enablement feature is available in all AWS commercial regions, and log ingestion is billed according to the existing CloudWatch Pricing structure. Amazon CloudFront access logs and AWS Security Hub CSPM findings support organization-wide enablement rules, whereas Bedrock AgentCore memory and gateway telemetry supports only account-level enablement rules. For further information on setting up enablement rules in Amazon CloudWatch, consult the Amazon CloudWatch documentation.