
Connecting your website to Agent Traffic using CloudFront

This guide walks you through configuring AWS CloudFront to send access logs to Scrunch for bot traffic analytics. The setup is now completely self-service and takes about 15 minutes to complete.

Updated today

Prerequisites

Before you begin, make sure you have:

  • An active Scrunch account with Agent Traffic enabled

  • AWS Console access with appropriate permissions (see below)

  • At least one CloudFront distribution running

  • Your AWS Account ID (12-digit number)

  • Your AWS Canonical User ID (64-character hexadecimal string)

Required AWS Permissions

You’ll need the following permissions:

For CloudFront distributions:

  • cloudfront:GetDistribution

  • cloudfront:GetDistributionConfig

  • cloudfront:UpdateDistribution

For finding your AWS Canonical User ID (one-time):

  • Access to S3 console or AWS CLI

Or simply use an AWS Administrator account.


Overview

The setup process has four main steps that take about 15 minutes total:

  1. Find your AWS Account ID (1 minute): Locate your 12-digit AWS account number

  2. Find your AWS Canonical User ID (2 minutes): Retrieve your 64-character canonical ID from S3

  3. Create your dedicated S3 bucket (2 minutes): Add your domain in Scrunch and automatically create your log bucket

  4. Configure CloudFront logging (5 minutes per distribution): Enable Standard Logging on each CloudFront distribution

Note: Steps 1-3 are done once per Scrunch account. Step 4 is repeated for each CloudFront distribution you want to monitor.


Step 1: Find Your AWS Account ID

Your AWS Account ID is a 12-digit number that identifies your AWS account. To find it, follow the steps at: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html


Step 2: Find Your AWS Canonical User ID

Your AWS Canonical User ID is a 64-character hexadecimal string that CloudFront uses to grant access to S3 buckets for log delivery. The steps to find it are in the same AWS document as above: https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html

Note: Make sure both IDs come from the AWS account that your CloudFront distribution belongs to!

Step 3: Add Your Domain and Create Your S3 Bucket

Now you’ll use the Scrunch dashboard to add your domain and automatically create a dedicated S3 bucket for your CloudFront logs.

  1. Log into your Scrunch account at app.scrunchai.com

  2. Navigate to Agent Traffic from the main menu

  3. Click the “+ Connect Site” button

  4. Fill in the domain creation form:

    • Domain name: Enter the domain your CloudFront distribution serves (e.g., example.com)

    • Platform: Select “CloudFront”

  5. You will see a “Connect New Site” modal. Enter your AWS credentials:

    • AWS Account ID: Paste your 12-digit AWS Account ID (from Step 1)

    • AWS Canonical User ID: Paste your 64-character Canonical ID (from Step 2)

    • Press “Create Site”. At this step Scrunch will create an S3 bucket on our end for your brand. This is a one-time requirement; going forward, new domains can be added without this step.

    Within a few seconds, Scrunch will:

    • Create a dedicated S3 bucket in our AWS account specifically for your logs

    • Configure the bucket with proper permissions for your AWS account to deliver CloudFront logs

    • Display your bucket name in the domain header (format: scrunch-cloudfront-logs-XXXXX)

  6. You’ll be taken to your domain’s detail page, at which point the bucket has been created. The bucket name is shown on that page, and you will use it in the next steps. Write down your S3 bucket name - you’ll need it in Step 4.

Why do you need both IDs?

  • AWS Account ID: Identifies your AWS account

  • Canonical User ID: Allows CloudFront (which uses the canonical ID system) to write logs to the S3 bucket on your behalf


Step 4: Configure CloudFront Standard Logging

Now that your dedicated S3 bucket is created, configure each CloudFront distribution to send logs to it.

Repeat these steps for each CloudFront distribution you want to monitor:

4a: Open CloudFront Console

  1. Log into the AWS Console

  2. Navigate to CloudFront (search for “CloudFront” in the services menu)

  3. Click on the distribution you want to integrate with Agent Traffic

4b: Navigate to Logging Settings

  1. In your distribution’s details page, click on the “Logging” tab

  2. Look for the “Standard log destinations” section

  3. Click the “Add” button

4c: Configure Standard Logging

Fill in the logging configuration:

  1. Destination type: Select “Amazon S3 (Legacy)”

  2. Destination S3 Bucket: Enter your dedicated bucket ARN from Step 3.

    The format is: arn:aws:s3:::YOUR-BUCKET-NAME

    Example: If your bucket name (shown in Scrunch dashboard) is scrunch-cloudfront-logs-12345, enter: arn:aws:s3:::scrunch-cloudfront-logs-12345

  3. Log prefix: Enter your AWS Account ID (the 12-digit number from Step 1)

    Example: 123456789012

  4. Leave all other settings as defaults

  5. Click “Add” or “Save”

Important:

  • Use YOUR dedicated bucket name (displayed in Scrunch dashboard header)

  • Use YOUR AWS Account ID as the log prefix

  • Double-check the bucket ARN format: arn:aws:s3:::bucket-name (three colons, no trailing slash)

4d: Verify Configuration

After saving:

  1. You should see the logging configuration listed under “Standard log destinations”

  2. The status should show as “Enabled” or “Active”

  3. CloudFront will begin delivering logs within 15-60 minutes

If you see an “Access Denied” error, verify:

  • Your bucket ARN is correct and matches the name shown in Scrunch dashboard

  • You entered both AWS Account ID and Canonical User ID correctly in Step 3
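
The values from Steps 1-3 and the saved logging settings can also be checked from a terminal. This is an added example, not Scrunch's or AWS's own code: it validates the ID and ARN formats described above and inspects the Logging block printed by `aws cloudfront get-distribution-config --id <DISTRIBUTION-ID>`. The function names and the sample JSON are constructed, and the code assumes the API reports the bucket as a domain name (`<name>.s3.amazonaws.com`) rather than as an ARN.

```python
import json
import re

ACCOUNT_ID = re.compile(r"\d{12}")           # Step 1: 12 digits
CANONICAL_ID = re.compile(r"[0-9a-f]{64}")   # Step 2: 64 hex characters
BUCKET_ARN = re.compile(r"arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])")


def check_inputs(account_id, canonical_id, bucket_arn):
    """Return a list of problems with the values pasted in Steps 3 and 4c."""
    problems = []
    if not ACCOUNT_ID.fullmatch(account_id):
        problems.append("account ID is not 12 digits")
    if not CANONICAL_ID.fullmatch(canonical_id.lower()):
        problems.append("canonical user ID is not 64 hex characters")
    if bucket_arn != bucket_arn.strip():
        problems.append("bucket ARN has leading or trailing whitespace")
    elif not BUCKET_ARN.fullmatch(bucket_arn):
        problems.append("bucket ARN is not arn:aws:s3:::bucket-name")
    return problems


def check_logging(config_json, bucket_name, account_id):
    """Compare the distribution's saved Logging block with the expected values."""
    cfg = json.loads(config_json)["DistributionConfig"].get("Logging", {})
    problems = []
    if not cfg.get("Enabled"):
        problems.append("standard logging is disabled")
    # Assumption: the API reports the bucket as a domain name, not an ARN.
    host = cfg.get("Bucket", "")
    reported = re.sub(r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com$", "", host)
    if reported != bucket_name:
        problems.append(f"logs go to {reported!r}, expected {bucket_name!r}")
    if cfg.get("Prefix", "").strip("/") != account_id:
        problems.append("log prefix is not the AWS account ID")
    if cfg.get("IncludeCookies"):
        problems.append("cookie logging is on; cookies would be shared")
    return problems


# Constructed sample of `aws cloudfront get-distribution-config` output.
SAMPLE = json.dumps({"ETag": "EXAMPLE", "DistributionConfig": {"Logging": {
    "Enabled": True, "IncludeCookies": False,
    "Bucket": "scrunch-cloudfront-logs-12345.s3.amazonaws.com",
    "Prefix": "123456789012"}}})

if __name__ == "__main__":
    print(check_inputs("123456789012", "a1b2" * 16, "arn:aws:s3:::scrunch-cloudfront-logs-12345"))
    print(check_logging(SAMPLE, "scrunch-cloudfront-logs-12345", "123456789012"))
```

An empty list from both functions means the values are well-formed and the distribution is logging to the expected bucket and prefix.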


Verifying Data Flow

After completing the setup:

  1. Generate traffic: Visit your website to create some CloudFront requests

  2. Wait for logs: CloudFront typically delivers logs to S3 within 15-60 minutes of the first request

  3. Check Scrunch dashboard:

    • Log into Scrunch at app.scrunchai.com

    • Navigate to Agent Traffic

    • Select your domain from the list

    • You should see traffic data appearing within 1-2 hours of enabling logging

Your domain status will automatically update to “Active” once we’ve successfully imported your first batch of logs.


Adding Additional Domains/Distributions

If you have multiple CloudFront distributions (for different domains or environments):

Same AWS Account

If all your distributions are in the same AWS account:

  1. You only need to create ONE S3 bucket (Step 3) per Scrunch account

  2. The same bucket can receive logs from multiple CloudFront distributions

  3. Simply repeat Step 4 for each additional distribution

  4. Use the same bucket ARN and AWS Account ID for all distributions

Different AWS Accounts

If you have CloudFront distributions in multiple AWS accounts:

  1. You’ll need to provide both AWS Account IDs and Canonical User IDs for each account

  2. Contact Scrunch support to set up additional buckets for different AWS accounts

  3. Each AWS account will deliver logs to the same shared bucket (we’ll configure permissions for each account)

Multiple Domains

For each additional domain you want to monitor:

  1. Add the domain in Scrunch Agent Traffic dashboard

  2. You don’t need to create a new S3 bucket - logs from all your domains go to the same bucket

  3. Configure CloudFront logging (Step 4) for that domain’s distribution


Troubleshooting

“Access Denied” or “Permission Denied” when configuring CloudFront logging

This is the most common issue. Possible causes:

  1. Incorrect AWS Canonical User ID: Double-check that you copied the full 64-character string (not your AWS Account ID)

  2. Incorrect AWS Account ID: Verify you entered the 12-digit number correctly in Step 3

  3. Typo in bucket ARN: Ensure the bucket ARN matches exactly what’s shown in Scrunch dashboard (check for extra spaces or typos)

  4. Wrong bucket name: Make sure you’re using YOUR dedicated bucket name from Scrunch dashboard, not scrunch-cloudfront-logs

Solution:

  1. Go back to Scrunch dashboard and verify your bucket name in the site header

  2. Try creating the bucket again in Step 3 if you think you entered incorrect AWS credentials

  3. Verify the bucket ARN in CloudFront matches: arn:aws:s3:::YOUR-EXACT-BUCKET-NAME

No data appearing in Scrunch dashboard

Check CloudFront logging status:

  1. Go to CloudFront console → Your distribution → Logging tab

  2. Verify that Standard logging shows as “Enabled”

  3. Confirm the S3 bucket ARN matches your dedicated bucket (shown in Scrunch dashboard)

  4. Confirm the log prefix is your AWS Account ID (12 digits)

Generate test traffic:

  • Visit your website multiple times from different browsers

  • Wait at least 60 minutes for logs to be delivered

  • CloudFront doesn’t deliver logs instantly - some delay is normal

Check Scrunch dashboard:

  1. Navigate to Agent Traffic → Your domain

  2. Look at the site status in the header

  3. The S3 bucket name should be displayed

  4. Domain status will change to “Active” once logs are processed

CloudFront shows logging enabled but no logs appearing

  • CloudFront only delivers logs when there’s actual traffic to your distribution

  • Very low-traffic sites may not generate log files frequently

  • Logs can take 15-60 minutes to appear after enabling logging

  • Some CloudFront distributions may batch logs and deliver them less frequently

Can’t find my AWS Canonical User ID

See Step 2 above for detailed instructions. Remember:

  • It’s a 64-character hexadecimal string (like a1b2c3d4e5f6...)

  • It’s different from your AWS Account ID

  • Found in S3 Console → Any bucket → Permissions → ACL

  • Can also get it via AWS CLI: aws s3api list-buckets --query Owner.ID --output text

Bucket creation fails in Scrunch dashboard

If you see an error when clicking “Create Bucket” in Step 3:

  1. Verify you entered both AWS Account ID (12 digits) and Canonical User ID (64 characters)

  2. Check that both IDs are from the same AWS account

  3. Ensure you have no typos or extra spaces

  4. Try again - if it still fails, contact Scrunch support

Multiple distributions - do I need to set up each one?

Yes, you need to enable Standard Logging on each CloudFront distribution you want to monitor. However:

  • You only create ONE S3 bucket (Step 3) per Scrunch account

  • All your distributions use the same bucket ARN

  • The log prefix (your AWS Account ID) stays the same for all distributions

  • Each distribution’s logs are automatically routed to the correct domain in Scrunch


Important Notes

Security and Privacy

  • CloudFront Standard Logs do not include cookie data by default

  • Logs contain IP addresses, user agents, and request paths

  • All data is encrypted in transit and at rest

  • Scrunch only processes logs for domains you’ve explicitly added to Agent Traffic
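
To see which fields a standard log line carries before it is delivered, the following added example (not Scrunch's or AWS's code) parses a constructed log in CloudFront's tab-separated standard format, using the `#Fields:` header to name the columns. It reports the client IPs and user agents seen and counts requests that carry query-string or cookie data; the log rows, the trimmed column set and the short `BOT_MARKERS` list are constructed for illustration.

```python
from collections import Counter
from urllib.parse import unquote

# Illustrative markers only (an assumption, not Scrunch's classifier).
BOT_MARKERS = ("GPTBot", "ClaudeBot", "PerplexityBot")

# Constructed sample; real logs have more columns, named by the same header.
FIELDS = "date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs-uri-query cs(Cookie)"
ROWS = [
    "2024-01-01 00:00:01 192.0.2.10 GET /pricing 200 Mozilla/5.0%20(compatible;%20GPTBot/1.0) - -",
    "2024-01-01 00:00:02 198.51.100.7 GET /account 200 Mozilla/5.0%20(Windows%20NT%2010.0) token=EXAMPLE -",
    "2024-01-01 00:00:03 192.0.2.10 GET /docs 200 Mozilla/5.0%20(compatible;%20GPTBot/1.0) - -",
    "2024-01-01 00:00:04 203.0.113.5 GET / 200 ClaudeBot/1.0 - -",
]
# Values are percent-encoded, so spaces in ROWS can stand in for the tabs.
SAMPLE_LOG = "\n".join(["#Version: 1.0", "#Fields: " + FIELDS]
                       + [r.replace(" ", "\t") for r in ROWS])


def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = [unquote(v) for v in line.split("\t")]
            yield dict(zip(fields, values))


def exposure_report(log_text):
    """Summarise the personal or sensitive data the log lines carry."""
    report = {"client_ips": set(), "agents": Counter(), "with_query": 0, "with_cookie": 0}
    for row in parse(log_text):
        report["client_ips"].add(row["c-ip"])
        agent = row["cs(User-Agent)"].lower()
        label = next((m for m in BOT_MARKERS if m.lower() in agent), "other")
        report["agents"][label] += 1
        # "-" is the placeholder CloudFront writes for an empty field.
        report["with_query"] += int(row.get("cs-uri-query", "-") != "-")
        report["with_cookie"] += int(row.get("cs(Cookie)", "-") != "-")
    return report


if __name__ == "__main__":
    print(exposure_report(SAMPLE_LOG))
```

Query strings are logged in their own column alongside the request path, so a non-zero `with_query` count is worth reviewing for tokens or identifiers placed in URLs.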

Costs

Setting up CloudFront Standard Logging has no AWS costs for you:

  • CloudFront Standard Logs: Free (no additional charge from AWS)

  • S3 storage: The dedicated bucket is in Scrunch’s AWS account, not yours - no charges to you

  • S3 PUT requests: Minimal cost (typically $0.01-$0.50/month depending on traffic volume) charged to Scrunch, not you

  • No data transfer charges

Logging Delay

  • CloudFront delivers logs to S3 within 15-60 minutes of requests

  • Scrunch imports new logs every 15 minutes

  • Expect a total delay of 30-90 minutes from request to data appearing in your dashboard

  • This is normal behavior for CloudFront Standard Logs

Disabling Logging

To stop sending logs to Scrunch:

  1. Go to CloudFront console → Your distribution → Logging tab

  2. Find the “Standard log destinations” section

  3. Click “Remove” or “Delete” next to the Scrunch logging configuration

  4. Confirm the removal

Note: This won’t affect your CloudFront distribution’s functionality - it only stops log delivery.


Support

If you encounter any issues during setup:

When contacting support, please include:

  • Your AWS Account ID

  • The CloudFront distribution ID you’re trying to configure

  • Any error messages you’re seeing

  • Screenshots of your configuration (if applicable)


Summary Checklist

Use this checklist to track your progress:

Step 1: AWS Account ID (1 minute)

  • [ ] Logged into AWS Console

  • [ ] Found my 12-digit AWS Account ID

  • [ ] Copied and saved the Account ID

Step 2: AWS Canonical User ID (2 minutes)

  • [ ] Located my 64-character Canonical User ID using S3 Console or AWS CLI

  • [ ] Copied and saved the Canonical User ID

  • [ ] Verified it’s the 64-character hex string, not my Account ID

Step 3: Create S3 Bucket (2 minutes)

  • [ ] Logged into Scrunch at app.scrunchai.com

  • [ ] Navigated to Agent Traffic

  • [ ] Added my domain with “CloudFront” platform

  • [ ] Clicked “Create S3 Bucket” on the domain detail page

  • [ ] Entered both AWS Account ID and Canonical User ID

  • [ ] Successfully created bucket

  • [ ] Noted my bucket name displayed in site header (e.g., scrunch-cloudfront-logs-12345)

Step 4: Configure CloudFront Logging (5 minutes per distribution)

For each CloudFront distribution:

  • [ ] Opened CloudFront console and selected distribution

  • [ ] Navigated to Logging tab → Standard log destinations

  • [ ] Clicked “Add” to create new logging configuration

  • [ ] Added S3 logging configuration:

    • [ ] Destination type: Amazon S3 (Legacy)

    • [ ] S3 bucket ARN: arn:aws:s3:::MY-BUCKET-NAME (from Step 3)

    • [ ] Log prefix: My AWS Account ID (from Step 1)

  • [ ] Saved configuration successfully (no “Access Denied” errors)

  • [ ] Verified logging shows as “Enabled”

Verification

  • [ ] Generated test traffic to website (visited site multiple times)

  • [ ] Waited 1-2 hours for logs to be delivered and processed

  • [ ] Checked Scrunch Agent Traffic dashboard

  • [ ] Verified domain status changed to “Active”

  • [ ] Confirmed bot traffic data is appearing

For Additional Distributions

  • [ ] Repeated Step 4 for each additional CloudFront distribution

  • [ ] Used the same bucket ARN and AWS Account ID for all distributions

  • [ ] Verified each domain is added in Scrunch Agent Traffic

