Severity: MEDIUM
Source: Trivy/CSPM
CSPM ID: cloudfront-logging-enabled
ID: AVD-AWS-0010

CloudFront distribution should have access logging configured

You should configure CloudFront access logging to create log files that contain detailed information about every user request that CloudFront receives.

Impact

Access logs provide vital information about who is accessing the distribution and how it is used.

Follow the appropriate remediation steps below to resolve the issue.

Enable logging for CloudFront distributions (CloudFormation)

Resources:
  GoodExample:
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          TargetOriginId: target
          ViewerProtocolPolicy: https-only
        Enabled: true
        # Access logging: CloudFront writes standard logs to this S3 bucket,
        # given as the bucket domain name (<bucket>.s3.amazonaws.com)
        Logging:
          Bucket: logging-bucket.s3.amazonaws.com
        Origins:
          - DomainName: some.domain   # origin hostname only, no scheme
            Id: somedomain1
    Type: AWS::CloudFront::Distribution
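The CloudFormation example above is what a template scanner looks for. As an added example (not Trivy's own code or its Rego check), the following Python implements that check offline over already-parsed templates: it flags every AWS::CloudFront::Distribution whose DistributionConfig has no Logging.Bucket, treats intrinsic functions such as Fn::GetAtt as configured, and catches the case where Logging exists but the bucket is empty. The template dicts are constructed samples; for real files, parse the YAML first.

```python
# Added example (not Trivy's own code): an offline check in the spirit of
# AVD-AWS-0010 over already-parsed CloudFormation templates.
# Template dicts below are constructed samples; use a YAML loader for real files.

RULE_ID = "AVD-AWS-0010"
DIST_TYPE = "AWS::CloudFront::Distribution"


def logging_bucket_configured(dist_config: dict) -> bool:
    """True when DistributionConfig.Logging.Bucket names a bucket.
    A dict value is an intrinsic function (Ref, Fn::GetAtt) resolved at
    deploy time, so it counts as configured; an empty string does not."""
    bucket = (dist_config.get("Logging") or {}).get("Bucket")
    if isinstance(bucket, dict):
        return True
    return isinstance(bucket, str) and bucket.strip() != ""


def distribution_logging_findings(template: dict) -> list:
    """One finding per CloudFront distribution without an access log bucket."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != DIST_TYPE:
            continue
        config = res.get("Properties", {}).get("DistributionConfig", {})
        if not logging_bucket_configured(config):
            findings.append({
                "rule": RULE_ID, "severity": "MEDIUM", "resource": name,
                "message": "CloudFront distribution has no access logging bucket",
            })
    return findings


# Constructed sample mirroring the page's GoodExample, plus a bucket set via Fn::GetAtt.
GOOD_TEMPLATE = {"Resources": {
    "GoodExample": {"Type": DIST_TYPE, "Properties": {"DistributionConfig": {
        "Enabled": True, "Logging": {"Bucket": "logging-bucket.s3.amazonaws.com"}}}},
    "RefBucket": {"Type": DIST_TYPE, "Properties": {"DistributionConfig": {
        "Enabled": True, "Logging": {"Bucket": {"Fn::GetAtt": ["LogBucket", "DomainName"]}}}}},
    "LogBucket": {"Type": "AWS::S3::Bucket"},
}}

# Constructed sample with two failing shapes: Logging absent, and Logging present but empty.
BAD_TEMPLATE = {"Resources": {
    "NoLogging": {"Type": DIST_TYPE, "Properties": {"DistributionConfig": {"Enabled": True}}},
    "EmptyLogging": {"Type": DIST_TYPE, "Properties": {"DistributionConfig": {
        "Enabled": True, "Logging": {"Bucket": ""}}}},
}}

if __name__ == "__main__":
    for f in distribution_logging_findings(BAD_TEMPLATE):
        print(f"{f['rule']} {f['severity']} {f['resource']}: {f['message']}")
```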

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for CloudFront.

  3. Select the “CloudFront Distribution” that needs to be verified.

  4. Click on the selected distribution to open its configuration page.

  5. In the “General” tab, scroll down to Settings and check the status of the “Standard logging” feature. If logging is “Off”, CloudFront does not create log files with detailed information about every user request it receives.

  6. To change the status, click “Edit” to open the “Edit Settings” page. Scroll down to “Standard logging” and select “On” so that CloudFront logs all viewer requests for files in your distribution.

  7. Under “Bucket for Logs”, specify the Amazon S3 bucket in which you want CloudFront to save web access logs.

  8. Optionally, set a “Log prefix” that CloudFront prepends to the log file names.

  9. Scroll down and click “Save changes” to save the new settings.

  10. Repeat steps 3 to 9 to verify whether every other CloudFront distribution has logging enabled.

Enable logging for CloudFront distributions (Terraform)

resource "aws_cloudfront_distribution" "good_example" {
  # other config

  # Standard (access) logging: CloudFront delivers logs to this S3 bucket
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }
}