Amazon CloudWatch introduces auto-enablement for CloudFront logs and more

Amazon CloudWatch now supports automatic enablement of several log types, including Amazon CloudFront access logs and AWS Security Hub CSPM finding logs, to streamline monitoring across AWS resources.

Amazon CloudWatch has expanded its functionality to include automatic enablement for Amazon CloudFront Standard access logs, AWS Security Hub CSPM finding logs, and Amazon Bedrock AgentCore memory and gateway logs and traces. This new feature allows customers to establish enablement rules that automatically configure telemetry for both existing and newly created resources, ensuring seamless and consistent monitoring without the need for manual setup.

These enablement rules can be tailored to apply to an entire organization, specific accounts, or particular resources identified by resource tags. This flexibility allows organizations to standardize their telemetry collection processes. For instance, a central security team can implement a single rule that ensures CloudFront access logs and Security Hub findings from all resources across the organization are automatically directed to CloudWatch Logs.

The CloudWatch auto-enablement feature is available in all AWS commercial Regions. Log ingestion incurs charges in accordance with CloudWatch Pricing.

While Amazon CloudFront access logs and AWS Security Hub CSPM findings support organization-wide enablement rules, Bedrock AgentCore memory and gateway telemetry are configured at the account level. For further details on setting up enablement rules in Amazon CloudWatch, users are encouraged to consult the Amazon CloudWatch documentation.