MEDIUM
Source
Trivy/CSPM
CSPM ID
cloudfront-logging-enabled
ID
AVD-AWS-0010

CloudFront distributions should have access logging configured

You should configure CloudFront standard (access) logging so that CloudFront writes log files, containing a record of every viewer request the distribution receives, to an Amazon S3 bucket that you control.

Impact

Access logs are the only per-request record CloudFront keeps (client IP, requested object, status code, referrer, user agent). Without them there is nothing to investigate when a distribution is abused, serves content it should not, or is implicated in an incident.

Follow the appropriate remediation steps below to resolve the issue.

Enable logging for CloudFront distributions (CloudFormation)

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          # DomainName is a host name, not a URL: no scheme or path
          - DomainName: some.domain
            Id: somedomain1
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          # Must reference an Id declared under Origins
          TargetOriginId: somedomain1
          ViewerProtocolPolicy: https-only
          # AWS managed "CachingOptimized" cache policy
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
        Logging:
          # The log bucket is given as its S3 domain name, not the bare bucket name
          Bucket: logging-bucket.s3.amazonaws.com
          Prefix: cloudfront/
          # Keep cookie values (often session tokens) out of the logs
          IncludeCookies: false
  1. Log in to the AWS Management Console.
  2. Open the "Services" menu and search for CloudFront.
  3. Select the CloudFront distribution that needs to be verified.
  4. Open the distribution's configuration page.
  5. On the "General" tab, click "Edit".
  6. Scroll down to the "Logging" setting and check its status. If logging is "Off", CloudFront is not creating log files for this distribution, so there is no record of the viewer requests it receives.
  7. Turn logging "On" so that CloudFront logs every viewer request for objects in the distribution.
  8. Under "Bucket for logs", choose the Amazon S3 bucket in which CloudFront should save the access logs. The bucket must have ACLs enabled (its S3 Object Ownership setting must not be "Bucket owner enforced"), because CloudFront delivers the log files through a bucket ACL grant.
  9. Optionally set a log prefix to be used in the names of the log files.
  10. Save the changes.
  11. Repeat steps 3 to 6 for every other CloudFront distribution to confirm that logging is enabled.

Enable logging for CloudFront distributions (Terraform)

resource "aws_cloudfront_distribution" "good_example" {
  # ... other required arguments (origin, default_cache_behavior, restrictions, viewer_certificate) ...

  logging_config {
    # Do not record cookie values: they frequently carry session tokens
    include_cookies = false
    # S3 bucket domain name, not the bare bucket name; the bucket must have ACLs enabled
    bucket          = "mylogs.s3.amazonaws.com"
    # Optional key prefix for the delivered log objects
    prefix          = "myprefix"
  }
}
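To check existing distributions for the condition this rule describes (logging disabled, or enabled with no destination bucket), the following is an added example written for this page; it is not Trivy's own check implementation. The distribution IDs and the sample configurations are constructed so the script runs offline; the `--live` path uses the real boto3 `list_distributions` and `get_distribution_config` calls and needs AWS credentials with `cloudfront:ListDistributions` and `cloudfront:GetDistributionConfig`.

```python
"""Audit CloudFront distributions for access logging (the condition behind
AVD-AWS-0010). Added example, not Trivy's own check."""

# Constructed sample data in the shape of the DistributionConfig returned by
# cloudfront:GetDistributionConfig (only the Logging element is used here).
# The distribution IDs are made up.
SAMPLE_CONFIGS = {
    "EXAMPLE1LOGGED": {
        "Logging": {"Enabled": True, "IncludeCookies": False,
                    "Bucket": "logging-bucket.s3.amazonaws.com", "Prefix": "cdn/"}
    },
    "EXAMPLE2NOLOGS": {
        "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""}
    },
    "EXAMPLE3NOBUCKET": {
        # Enabled flag set but no destination: treat as unlogged
        "Logging": {"Enabled": True, "IncludeCookies": False, "Bucket": "", "Prefix": ""}
    },
    "EXAMPLE4COOKIES": {
        "Logging": {"Enabled": True, "IncludeCookies": True,
                    "Bucket": "logging-bucket.s3.amazonaws.com", "Prefix": ""}
    },
}


def logging_finding(dist_id, config):
    """Return a finding string for a distribution without usable access
    logging, or None when logging is configured."""
    logging = config.get("Logging") or {}
    bucket = (logging.get("Bucket") or "").strip()
    if not logging.get("Enabled"):
        return f"{dist_id}: access logging is disabled"
    if not bucket:
        return f"{dist_id}: logging is enabled but no log bucket is set"
    return None


def audit(configs):
    """Map distribution ID -> finding for every distribution that fails."""
    findings = {}
    for dist_id, config in configs.items():
        finding = logging_finding(dist_id, config)
        if finding:
            findings[dist_id] = finding
    return findings


def cookie_logging(configs):
    """IDs of distributions that log cookie values. Not an AVD-AWS-0010
    failure, but cookies often carry session tokens, so review them."""
    return sorted(
        dist_id for dist_id, config in configs.items()
        if (config.get("Logging") or {}).get("IncludeCookies")
    )


def fetch_distribution_configs():
    """Fetch DistributionConfig for every distribution in the account."""
    import boto3  # imported lazily so the offline path does not need boto3
    client = boto3.client("cloudfront")
    configs = {}
    for page in client.get_paginator("list_distributions").paginate():
        for item in page["DistributionList"].get("Items", []):
            resp = client.get_distribution_config(Id=item["Id"])
            configs[item["Id"]] = resp["DistributionConfig"]
    return configs


if __name__ == "__main__":
    import sys
    configs = fetch_distribution_configs() if "--live" in sys.argv else SAMPLE_CONFIGS
    for line in audit(configs).values():
        print("FAIL", line)
    for dist_id in cookie_logging(configs):
        print("WARN", f"{dist_id}: IncludeCookies is true; cookie values will appear in the logs")
```

Run it without arguments to see the two failing sample distributions and the cookie warning, or with `--live` against an account. The empty-bucket case is checked separately from the Enabled flag because IaC state and hand-edited templates can carry an enabled logging block with no destination, which delivers nothing.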