So far, I think this is a new feature. Until then, lambda was required to move the logs from S3 to cloud_watch..

https://aws.amazon.com/blogs/mt/sending-cloudfront-standard-logs-to-cloudwatch-logs-for-analysis/

My approach is to provision cloud_watch log_group and km key and attach CloudFront to CloudWatch_log_group via web. Probably AWS Cli will have support already for this.. But for now, I will wait a bit for official implementation.

Also, there is another solution called real-time logs using kinesis.

It seems that there is already work started in the provider. https://github.com/hashicorp/terraform-provider-aws/issues/40250