Log Forwarding: CloudFront (AWS CLI) log-forwarding-cloudfront-cli

Last update: April 20, 2026

Topics:
Agentic Traffic

This page details how to forward CDN logs from CloudFront to Adobe’s S3 bucket for agentic traffic data collection. You will use the LLM Optimizer CDN configuration page to onboard to LLM Optimizer. After the onboarding process is complete, follow the steps provided on this page to configure log forwarding by using the AWS Command Line Interface in Step 2.

NOTE

This guide explains how to configure log forwarding by using the AWS Command Line Interface. If you want to configure log forwarding by using the CloudFront UI, see Log Forwarding: CloudFront.

Step 1: Onboard in LLM Optimizer step-1

On the LLM Optimizer page https://llmo.now/:

Go to the Customer Configuration Dashboard.
Click the CDN Configuration tab.
Click Get Started.
Next to Activate AI Traffic Insights, click Configure.
Enter your AWS Account ID.

Select CloudFront (BYOCDN).
Click Onboard.

Step 2: Set up CDN log forwarding with AWS CLI step-2-cli

Setup CDN log forwarding with AWS CLI as follows:

Configure AWS CLI credentials

Setup AWS CLI credential MAC. Open ~/.aws/credentials and enter the values for the variables below:

[LLMO]
aws_access_key_id=<VALUE_OF_ACCESS_KEY_ID>
aws_secret_access_key=<VALUE_OF_SECRET_KEY>
aws_session_token=<ONLY_IF_USING_SECURITY_TOKEN_SERVICE> ## Optional

Test the connection

Run the command below to test connection:

aws sts get-caller-identity --profile LLMO

Example of successful output:

aws sts get-caller-identity --profile LLMO
{
    "UserId": "AxxxxxxxxxxxP:user",
    "Account": "012345678912",
    "Arn": "arn:aws:sts::012345678912:assumed-role/klam-master-role-BatlY3dnPVinQLC/user"
}

Initialize variables

Replace REPLACEME123@AdobeOrg with your organization Adobe IMS Org ID and run the command below. The output ID of this command will be referred to as TRANSFORM_IMS_ID.

echo "REPLACEME123@AdobeOrg" | sed 's/@AdobeOrg$//' | tr '[:upper:]' '[:lower:]'

Enter the values for CUSTOMER, CDN_ID, ACCT1, and TRANSFORM_IMS_ID following the guideline below and then run commands from your terminal.

export PROFILE1=LLMO
export REGION1=us-east-1
export CUSTOMER=<CUSTOMER_NAME> ## No Space, user letters,numbers and dash
export CDN_ID=<YOUR_CLOUDFRONT_DISTRIBUTION_ID>
export ACCT1=<YOUR_AWS_ACCOUNT_NUMBER>
export DELIVERY_DEST_ARN=arn:aws:logs:us-east-1:640168421876:delivery-destination:cdn-logs-<TRANSFORM_IMS_ID>-ams  ## Replace TRANSFORM_IMS_ID with the output of the command above

Create the delivery source

From the same terminal in which step 3 was executed, run the command below:

aws logs put-delivery-source --name llmo-cf-${CUSTOMER}-${CDN_ID} \
  --profile $PROFILE1 --region $REGION1 \
  --resource-arn arn:aws:cloudfront::${ACCT1}:distribution/${CDN_ID} \
  --log-type ACCESS_LOGS

IMPORTANT

If you get the following error, search for the existing delivery source: An error occurred (ConflictException) when calling the PutDeliverySource operation: This ResourceId has already been used in another Delivery Source in this account.

To search for the existing delivery source, run this command:

code language-bash
`aws logs describe-delivery-sources --region us-east-1 \ --query "deliverySources[?contains(resourceArns[0], '<CDN DistributionID>')]"`

In the next command, use the delivery source name from the results of the above command.

Create the delivery configuration

aws logs create-delivery \
  --profile "$PROFILE1" --region "$REGION1" \
  --delivery-source-name "llmo-cf-${CUSTOMER}-${CDN_ID}" \
  --delivery-destination-arn $DELIVERY_DEST_ARN \
  --s3-delivery-configuration '{"suffixPath":"/{yyyy}/{MM}/{dd}/{HH}"}' \
  --record-fields 'date' 'time' 'x-edge-location' 'cs-method' 'cs(Host)' 'cs-uri-stem' 'sc-status' 'cs(Referer)' 'cs(User-Agent)' 'time-to-first-byte' 'sc-content-type' 'x-host-header'

recommendation-more-help

llm-optimizer-help-main-toc