- Create an Amazon S3 bucket in the main (management) account and configure it so that the CloudFront distributions of every sub-account may write their logs into it. Sample code:
```json
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontLoggingBucket",
  "Statement": [
    {
      "Sid": "AllowBucketAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutBucketAcl"
      ],
      "Resource": "arn:aws:s3:::example-log-bucket"
    },
    {
      "Sid": "AllowObjectAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-log-bucket/AWSLogs/123456789012/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```
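The policy above covers a single sub-account. As an added example (not code from the original page), the script below generalizes both steps of this procedure: it generates the central bucket policy for any number of sub-accounts, each confined to its own `AWSLogs/<account-id>/` prefix with the `bucket-owner-full-control` condition, emits the matching CloudFront `LoggingConfig` fields for each account, and runs a review check that flags statements granting `s3:PutObject` to an anonymous principal, outside an account's own prefix, or without the ACL condition. The bucket name and the account IDs are constructed placeholders, and the `LoggingConfig` builder uses the bucket's S3 domain name because that is the form the CloudFront API expects.

```python
import json
from typing import Dict, List

# Constructed sample values, not taken from any real environment.
LOG_BUCKET = "example-log-bucket"
SUB_ACCOUNTS = ["123456789012", "210987654321"]


def build_log_bucket_policy(bucket: str, account_ids: List[str]) -> Dict:
    """Bucket policy for the central logging bucket: every sub-account root may
    read/write the bucket ACL, but may only put objects under its own
    AWSLogs/<account-id>/ prefix and only with the bucket-owner-full-control
    ACL, so the central account owns every delivered log object."""
    statements = []
    for acct in account_ids:
        principal = {"AWS": f"arn:aws:iam::{acct}:root"}
        statements.append({
            "Sid": f"AllowBucketAccess{acct}",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["s3:GetBucketAcl", "s3:PutBucketAcl"],
            "Resource": f"arn:aws:s3:::{bucket}",
        })
        statements.append({
            "Sid": f"AllowObjectAccess{acct}",
            "Effect": "Allow",
            "Principal": principal,
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*"],
            "Condition": {
                "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
            },
        })
    return {
        "Version": "2012-10-17",
        "Id": "PolicyForCloudFrontLoggingBucket",
        "Statement": statements,
    }


def cloudfront_logging_config(bucket: str, account_id: str) -> Dict:
    """LoggingConfig block of a CloudFront DistributionConfig for one
    sub-account. The CloudFront API takes the bucket's S3 domain name, and the
    prefix must match the one the bucket policy allows for that account."""
    return {
        "Enabled": True,
        "IncludeCookies": False,
        "Bucket": f"{bucket}.s3.amazonaws.com",
        "Prefix": f"AWSLogs/{account_id}",
    }


def _as_list(value) -> List:
    # IAM policy fields may be a single string or a list; normalize to a list.
    return [value] if isinstance(value, str) else list(value)


def check_log_bucket_policy(policy: Dict, bucket: str) -> List[str]:
    """Review every Allow statement that grants s3:PutObject and report any
    that (a) is open to an anonymous principal, (b) lets an account write
    outside its own AWSLogs/<account-id>/ prefix, or (c) lacks the
    bucket-owner-full-control condition. An empty list means no findings."""
    findings = []
    for st in policy.get("Statement", []):
        actions = set(_as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not ({"s3:PutObject", "s3:*"} & actions):
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append(f"{sid}: s3:PutObject granted to an anonymous principal")
            continue
        if not isinstance(aws, str) or ":" not in aws:
            continue  # service principals and principal lists are outside this check
        acct = aws.split(":")[4]  # arn:aws:iam::<account-id>:root
        expected = f"arn:aws:s3:::{bucket}/AWSLogs/{acct}/*"
        for resource in _as_list(st.get("Resource", [])):
            if resource != expected:
                findings.append(f"{sid}: account {acct} may write outside its prefix ({resource})")
        acl = st.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl")
        if acl != "bucket-owner-full-control":
            findings.append(f"{sid}: missing bucket-owner-full-control condition")
    return findings


if __name__ == "__main__":
    policy = build_log_bucket_policy(LOG_BUCKET, SUB_ACCOUNTS)
    print(json.dumps(policy, indent=2))
    for acct in SUB_ACCOUNTS:
        print(json.dumps(cloudfront_logging_config(LOG_BUCKET, acct)))
    print("findings:", check_log_bucket_policy(policy, LOG_BUCKET))
```

Running the script prints the generated policy, one `LoggingConfig` per sub-account, and an empty findings list; the policy JSON can be applied with `aws s3api put-bucket-policy`, and the check function is the piece worth keeping in a review pipeline, since it catches the two most common drifts in a shared log bucket: an account's prefix widening to the whole bucket, and the ownership condition being dropped.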
- Enable access logging on each sub-account's CloudFront distribution and configure the log format. Sample code:
```json
{
  "TrustedSigners": {
    "Enabled": false,
    "Quantity": 0
  },
  "ViewerProtocolPolicy": "redirect-to-https",
  "Logging": {
    "Enabled": true,
    "IncludeCookies": false,
    "Bucket": "example-log-bucket.s3.amazonaws.com",
    "Prefix": "AWSLogs/123456789012",
    "Format": "{ \"timestamp\":\"$time_iso8601\", \"distribution\":\"$distribution\", \"containingBucket\":\"$containing_bucket\", \"path\":\"$key\", \"ip\":\"$remote_addr\", \"referer\":\"$http_referer\", \"useragent\":\"$http_user_agent\", \"status\":\"