diff --git a/infra/main.tf b/infra/main.tf
index 617e2ea..850f12c 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -47,6 +47,12 @@ variable "ec2_instance_type" {
 default = "c5.xlarge"
 }
 
+variable "ec2_ami" {
+ description = "EC2 AMI ID (leave empty for latest Amazon Linux 2023)"
+ type = string
+ default = ""
+}
+
 variable "scanning" {
 description = "Set to true during scanning phase, false for serving-only (tears down EC2, RDS, icons bucket)"
 type = bool
@@ -197,6 +203,17 @@ resource "aws_s3_bucket" "site" {
 bucket = "everytab-site"
 }
 
+resource "aws_s3_bucket" "logs" {
+ bucket = "everytab-logs"
+}
+
+resource "aws_s3_bucket_ownership_controls" "logs" {
+ bucket = aws_s3_bucket.logs.id
+ rule {
+ object_ownership = "BucketOwnerPreferred"
+ }
+}
+
 # --- ACM Certificate (must be us-east-1 for CloudFront) ---
 
 resource "aws_acm_certificate" "site" {
@@ -260,6 +277,12 @@ resource "aws_cloudfront_distribution" "site" {
 minimum_protocol_version = "TLSv1.2_2021"
 }
 
+ logging_config {
+ bucket = aws_s3_bucket.logs.bucket_domain_name
+ prefix = "cloudfront/"
+ include_cookies = false
+ }
+
 restrictions {
 geo_restriction {
 restriction_type = "none"
@@ -318,7 +341,7 @@ resource "aws_db_instance" "main" {
 
 resource "aws_instance" "main" {
 count = var.scanning ? 1 : 0
- ami = data.aws_ami.al2023.id
+ ami = var.ec2_ami != "" ? var.ec2_ami : data.aws_ami.al2023.id
 instance_type = var.ec2_instance_type
 key_name = aws_key_pair.ec2[0].key_name
 vpc_security_group_ids = [aws_security_group.ec2[0].id]
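Review bot: `ec2_ami` accepts any string, so a mistyped or stale value is only rejected at apply time when the last hunk's `ami = var.ec2_ami != "" ? var.ec2_ami : data.aws_ami.al2023.id` hands it to EC2; a `validation` block on the variable fails the plan instead. The override also sidesteps whatever owner filter `data.aws_ami.al2023` applies (its definition is outside this diff), which makes this variable the one place an unvetted image can enter the scanning host, so the description should say that only approved image IDs are expected here. A sketch of both changes:
```hcl
variable "ec2_ami" {
  description = "EC2 AMI ID (leave empty for latest Amazon Linux 2023). Overriding bypasses the owner filter of data.aws_ami.al2023, so pass only vetted image IDs."
  type        = string
  default     = ""

  validation {
    condition     = var.ec2_ami == "" || can(regex("^ami-[0-9a-f]{8,17}$", var.ec2_ami))
    error_message = "ec2_ami must be empty or an AMI ID of the form ami-<hex>."
  }
}
```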
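Review bot: The new `everytab-logs` bucket gets an ownership rule but nothing in this diff blocks public access, sets default encryption at rest or expires objects, and the CloudFront access logs it will receive (next hunk) carry client IPs, user agents and full request URIs. Unless these resources already exist elsewhere in `infra/main.tf` (the site bucket's hardening is not visible here), add a public access block, default SSE and a lifecycle rule next to the ownership controls; `BucketOwnerPreferred` is the right choice since log delivery still needs ACLs enabled, and blocking public ACLs does not interfere with the log-delivery grant as far as I know. Sketch:
```hcl
resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    id     = "expire-cloudfront-logs"
    status = "Enabled"
    filter {
      prefix = "cloudfront/"
    }
    expiration {
      days = 90 # retention period: placeholder, align with the team's log-retention policy
    }
  }
}
```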
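Review bot: The distribution only depends on `aws_s3_bucket.logs` (via `bucket_domain_name`), not on `aws_s3_bucket_ownership_controls.logs`, so Terraform is free to create the distribution before the ownership rule is applied. As far as I know a freshly created bucket has ACLs disabled by default and CloudFront enables logging by writing an ACL grant to the bucket, so a first apply can fail or succeed depending on ordering. Adding `depends_on = [aws_s3_bucket_ownership_controls.logs]` to the distribution makes the ordering explicit. `include_cookies = false` is the sensible setting here. The enclosing `aws_cloudfront_distribution.site` block starts and ends outside the hunk.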