A team has set up a Cloudfront distribution with a web application hosted on an EC2 Instance as the Origin point. There is a security requirement to ensure that all requests via Cloudfront are recorded. Which of the following implementation steps need to be carried out? Choose 2 answers from the options given below.

Answer options:

A.Enable the standard log/access log for the CloudFront distribution.
B.Enable the VPC flow logs in the CloudFront distribution.
C.Create a destination S3 bucket for the logs.
D.Create a CloudWatch Log group to store the logs.

Answer – A and C
This is mentioned in the AWS Documentation.
When you enable logging for distribution, you specify the Amazon S3 bucket that you want CloudFront to store log files in. If you`re using Amazon S3 as your origin, we recommend that you do not use the same bucket for your log files. Using a separate bucket simplifies maintenance.
You can store the log files for multiple distributions in the same bucket. When you enable logging, you can specify an optional prefix for the file names. So you can keep track of which log files are associated with which distributions.
Option B is incorrect because, for the CloudFront logging, it should be standard logs or access logs instead of VPC flow logs.
Option D is incorrect because CloudFront logging uses S3 to store the logs instead of the CloudWatch Log Groups.
For more information on Cloudfront Access logs, please visit the below URL
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html