

# CloudFront


 AWS Systems Manager Automation provides predefined runbooks for Amazon CloudFront. For more information about runbooks, see [Working with runbooks](https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-documents.html). For information about how to view runbook content, see [View runbook content](automation-runbook-reference.md#view-automation-json). 

**Topics**
+ [`AWSConfigRemediation-EnableCloudFrontDefaultRootObject`](automation-aws-enable-cloudfront-root-object.md)
+ [`AWSConfigRemediation-EnableCloudFrontAccessLogs`](automation-aws-enable-cloudfront-access-logs.md)
+ [`AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity`](automation-aws-enable-cloudfront-origin-access.md)
+ [`AWSConfigRemediation-EnableCloudFrontOriginFailover`](automation-aws-enable-cloudfront-failover.md)
+ [`AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS`](automation-aws-enable-cloudfront-viewer-policy.md)

# `AWSConfigRemediation-EnableCloudFrontDefaultRootObject`


 **Description** 

 The `AWSConfigRemediation-EnableCloudFrontDefaultRootObject` runbook configures the default root object for the Amazon CloudFront (CloudFront) distribution that you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudFrontDefaultRootObject) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ CloudFrontDistributionId

  Type: String

  Description: (Required) The ID of the CloudFront distribution that you want to configure the default root object for.
+ DefaultRootObject

  Type: String

  Description: (Required) The object that you want CloudFront to return when a viewer request points to your root URL.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudfront:GetDistributionConfig` 
+  `cloudfront:UpdateDistribution` 

 **Document Steps** 
+  `aws:executeScript` - Configures the default root object for the CloudFront distribution that you specify in the `CloudFrontDistributionId` parameter. 

# `AWSConfigRemediation-EnableCloudFrontAccessLogs`


 **Description** 

 The `AWSConfigRemediation-EnableCloudFrontAccessLogs` runbook enables access logging for the Amazon CloudFront (CloudFront) distribution you specify.

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudFrontAccessLogs) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ BucketName

  Type: String

  Description: (Required) The name of the Amazon Simple Storage Service (Amazon S3) bucket you want to store access logs in. Buckets in the af-south-1, ap-east-1, eu-south-1, and me-south-1 AWS Regions are not supported.
+ CloudFrontId

  Type: String

  Description: (Required) The ID of the CloudFront distribution you want to enable access logging on.
+ IncludeCookies

  Type: Boolean

  Valid values: true | false

  Description: (Required) Set this parameter to `true` if you want cookies to be included in the access logs.
+ Prefix

  Type: String

  Description: (Optional) A string that you want CloudFront to prefix to the access log file names for your distribution, for example, `myprefix/`.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+ `ssm:StartAutomationExecution`
+ `ssm:GetAutomationExecution`
+ `cloudfront:GetDistribution`
+ `cloudfront:GetDistributionConfig`
+ `cloudfront:UpdateDistribution`
+ `s3:GetBucketLocation`
+ `s3:GetBucketAcl`
+ `s3:PutBucketAcl`

**Note**  
The `s3:GetBucketLocation` API can only be used for S3 buckets in the same account. You cannot use it for cross-account S3 buckets.

 **Document Steps** 
+  `aws:executeScript` - Enables access logging for the CloudFront distribution you specify in the `CloudFrontId` parameter.

# `AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity`


 **Description** 

 The `AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity` runbook enables origin access identity for the Amazon CloudFront (CloudFront) distribution you specify. This automation assigns the same CloudFront Origin Access Identity for all Origins of the Amazon Simple Storage Service (Amazon S3) Origin type without origin access identity for the CloudFront distribution you specify. This automation does not grant read permission to the origin access identity for CloudFront to access objects in your Amazon S3 bucket. You must update your Amazon S3 bucket permissions to allow access. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudFrontOriginAccessIdentity) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ CloudFrontDistributionId

  Type: String

  Description: (Required) The ID of the CloudFront distribution you want to enable origin access identity on.
+ OriginAccessIdentityId

  Type: String

  Description: (Required) The ID of the CloudFront origin access identity to associate with the origin.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudfront:GetDistributionConfig` 
+  `cloudfront:UpdateDistribution` 

 **Document Steps** 
+  `aws:executeScript` - Enables origin access identity for the CloudFront distribution you specify in the `CloudFrontDistributionId` parameter, and verifies the origin access identity was assigned. 
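
Because this runbook does not grant the origin access identity read access to the bucket, the bucket policy has to be updated separately. The following is an added example, not part of the runbook or of AWS's code: it merges an `s3:GetObject` grant for the OAI into an existing bucket policy document without duplicating it. The function names, the `Sid` scheme, the `aws` partition, and the sample bucket and OAI ID are assumptions.

```python
import copy

def oai_principal(oai_id):
    """IAM principal ARN that represents a CloudFront origin access identity."""
    return f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"

def grant_oai_read(policy, bucket, oai_id):
    """Return a copy of `policy` that lets the OAI read objects in `bucket`.

    Grants s3:GetObject only (no listing, no writes) and is idempotent.
    """
    if not oai_id.isalnum():
        # Expect the bare ID passed as OriginAccessIdentityId, not a path or ARN.
        raise ValueError("oai_id must be the bare origin access identity ID")
    statement = {
        "Sid": f"AllowCloudFrontOAI{oai_id}",  # hypothetical naming scheme
        "Effect": "Allow",
        "Principal": {"AWS": oai_principal(oai_id)},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }
    merged = copy.deepcopy(policy) if policy else {"Version": "2012-10-17", "Statement": []}
    statements = merged.setdefault("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = merged["Statement"] = [statements]
    if not any(s.get("Sid") == statement["Sid"] for s in statements):
        statements.append(statement)
    return merged

# Constructed sample: an existing policy with one unrelated statement.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(grant_oai_read(EXISTING_POLICY, "example-bucket", "EXAMPLEOAIID"), indent=2))
```

Applying the resulting document requires `s3:PutBucketPolicy`, which is not among the permissions this runbook's `AutomationAssumeRole` needs.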

# `AWSConfigRemediation-EnableCloudFrontOriginFailover`


 **Description** 

 The `AWSConfigRemediation-EnableCloudFrontOriginFailover` runbook enables origin failover for the Amazon CloudFront (CloudFront) distribution you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudFrontOriginFailover) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ CloudFrontDistributionId

  Type: String

  Description: (Required) The ID of the CloudFront distribution you want to enable origin failover on.
+ OriginGroupId

  Type: String

  Description: (Required) The ID of the origin group.
+ PrimaryOriginId

  Type: String

  Description: (Required) The ID of the primary origin in the origin group.
+ SecondaryOriginId

  Type: String

  Description: (Required) The ID of the secondary origin in the origin group.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudfront:GetDistributionConfig` 
+  `cloudfront:UpdateDistribution` 

 **Document Steps** 
+  `aws:executeScript` - Enables origin failover for the CloudFront distribution you specify in the `CloudFrontDistributionId` parameter, and verifies that failover has been enabled. 

# `AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS`


 **Description** 

 The `AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS` runbook enables the viewer protocol policy for the Amazon CloudFront (CloudFront) distribution you specify. 

 [Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSConfigRemediation-EnableCloudFrontViewerPolicyHTTPS) 

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Required) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
+ CloudFrontDistributionId

  Type: String

  Description: (Required) The ID of the CloudFront distribution you want to enable the viewer protocol policy on.
+ ViewerProtocolPolicy

  Type: String

  Valid values: https-only, redirect-to-https

  Description: (Required) The protocol that viewers can use to access the files in the origin.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions to use the runbook successfully.
+  `ssm:StartAutomationExecution` 
+  `ssm:GetAutomationExecution` 
+  `cloudfront:GetDistributionConfig` 
+  `cloudfront:UpdateDistribution` 
+  `cloudfront:GetDistribution` 

 **Document Steps** 
+  `aws:executeScript` - Enables the viewer protocol policy for the CloudFront distribution you specify in the `CloudFrontDistributionId` parameter, and verifies the policy was assigned. 
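
To decide which of the runbooks on this page a distribution needs, the settings they change can be checked in the document returned by `cloudfront:GetDistributionConfig`. The following is an added example, not AWS's runbook code: it audits a `DistributionConfig` dictionary offline and returns the matching runbook names. The function names and the sample configuration are constructed for illustration.

```python
PREFIX = "AWSConfigRemediation-EnableCloudFront"

def _items(container):
    """CloudFront lists are {'Quantity': n, 'Items': [...]}; Items is absent when empty."""
    return (container or {}).get("Items") or []

def audit_distribution_config(config):
    """Return the sorted names of runbooks whose target setting is not in place."""
    needed = set()
    if not config.get("DefaultRootObject"):
        needed.add(PREFIX + "DefaultRootObject")
    if not config.get("Logging", {}).get("Enabled", False):
        needed.add(PREFIX + "AccessLogs")
    # Only S3-type origins carry S3OriginConfig; an empty string means no OAI.
    for origin in _items(config.get("Origins")):
        s3 = origin.get("S3OriginConfig")
        if s3 is not None and not s3.get("OriginAccessIdentity"):
            needed.add(PREFIX + "OriginAccessIdentity")
    if not _items(config.get("OriginGroups")):
        needed.add(PREFIX + "OriginFailover")
    # The viewer policy is set per cache behavior, so check the default and the rest.
    behaviors = [config.get("DefaultCacheBehavior", {})] + _items(config.get("CacheBehaviors"))
    allowed = ("https-only", "redirect-to-https")  # valid values listed on this page
    if any(b.get("ViewerProtocolPolicy") not in allowed for b in behaviors):
        needed.add(PREFIX + "ViewerPolicyHTTPS")
    return sorted(needed)

# Constructed sample, not taken from a real distribution.
SAMPLE_CONFIG = {
    "DefaultRootObject": "",
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-assets", "DomainName": "example-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
    ]},
    "OriginGroups": {"Quantity": 0},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-assets", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 0},
}

if __name__ == "__main__":
    for name in audit_distribution_config(SAMPLE_CONFIG):
        print(name)
```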