CloudFront access logging should be enabled
Description
CloudFront access logs record information about every user request that CloudFront receives. CloudFront distribution access logging should be enabled in order to track viewer requests for content, analyze statistics, and perform security audits.
Remediation Steps
AWS Console
Navigate to CloudFront.
Select the CloudFront distribution you want to update.
Click the Distribution Settings button.
In the General tab, click the Edit button.
In the Logging section, select the On radio button.
From the Buckets for Logs drop-down, select the AWS S3 bucket.
Click Yes, Edit.
AWS CLI
Retrieve configuration information for your distribution.
aws cloudfront get-distribution --id <id> --output json > distro.json
Note the ETag; we'll use it in a later step.
jq -r '.ETag' distro.json
Separate the distribution config from its metadata.
jq '.Distribution.DistributionConfig' distro.json > config.json
Update the Logging section to enable access logs. The bucket is given as its S3 DNS name (for example yourbucketname.s3.amazonaws.com), not the bare bucket name; writing to a new file keeps the original config available if the update needs to be reverted.
jq '.Logging.Enabled = true | .Logging.Bucket = "<bucket-dns-name>"' config.json > config-updated.json
Apply the new configuration, passing the ETag noted above.
aws cloudfront update-distribution --id <id> --distribution-config file://config-updated.json --if-match <etag>
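The same check and fix as the jq steps above, written as an added Python example (not code from this page or from AWS): it takes a DistributionConfig object as returned by get-distribution, reports whether logging is actually on (enabled and pointing at a bucket), and returns the updated config to pass to update-distribution. The sample config, bucket name and prefix are constructed for the example.

```python
import json
from copy import deepcopy

# Constructed sample: the DistributionConfig object that
# `aws cloudfront get-distribution` returns, trimmed to the relevant fields.
SAMPLE_CONFIG = json.loads("""
{
  "CallerReference": "example-ref",
  "Enabled": true,
  "Logging": {
    "Enabled": false,
    "IncludeCookies": false,
    "Bucket": "",
    "Prefix": ""
  }
}
""")


def logging_enabled(config: dict) -> bool:
    """True only if access logging is on AND a log bucket is set.

    A Logging block that is enabled but has an empty Bucket is not a
    working configuration, so it counts as non-compliant too.
    """
    logging = config.get("Logging") or {}
    return bool(logging.get("Enabled")) and bool(logging.get("Bucket"))


def enable_logging(config: dict, bucket: str, prefix: str = "") -> dict:
    """Return a copy of `config` with standard access logging turned on.

    `bucket` is the bucket's S3 DNS name (e.g. name.s3.amazonaws.com), which is
    the form the Logging.Bucket field expects. Other Logging fields that are
    already present (IncludeCookies) are preserved; the input is not mutated.
    """
    if "." not in bucket:
        raise ValueError("use the bucket DNS name (name.s3.amazonaws.com), not the bare name")
    updated = deepcopy(config)
    logging = dict(updated.get("Logging") or {})
    logging["Enabled"] = True
    logging["Bucket"] = bucket
    logging["Prefix"] = prefix
    logging.setdefault("IncludeCookies", False)
    updated["Logging"] = logging
    return updated


if __name__ == "__main__":
    print("compliant before:", logging_enabled(SAMPLE_CONFIG))
    fixed = enable_logging(SAMPLE_CONFIG, "my-cf-logs.s3.amazonaws.com", "cloudfront/")
    print("compliant after:", logging_enabled(fixed))
    print(json.dumps(fixed, indent=2))  # body for --distribution-config file://...
```

CloudFront delivers standard logs using a bucket ACL, so the target bucket must have ACLs enabled (Object Ownership not set to "Bucket owner enforced"), otherwise the update is rejected.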
CloudFormation
JSON
Ensure that AWS::CloudFront::Distribution contains the following:
{
  "Properties": {
    "DistributionConfig": {
      "Enabled": true,
      "Logging": {
        "Bucket": "yourbucketname.s3.amazonaws.com",
        "IncludeCookies": true
      }
    }
  }
}
JSON Example Configuration
{
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Enabled": true,
      "Logging": {
        "Bucket": "yourbucketname.s3.amazonaws.com",
        "IncludeCookies": true
      }
    }
  }
  # other required fields here
}
YAML
Ensure that AWS::CloudFront::Distribution contains the following:
Properties:
  DistributionConfig:
    Enabled: true
    Logging:
      Bucket: yourbucketname.s3.amazonaws.com
      IncludeCookies: true
YAML Example Configuration
Type: AWS::CloudFront::Distribution
Properties:
  DistributionConfig:
    Enabled: true
    Logging:
      Bucket: yourbucketname.s3.amazonaws.com
      IncludeCookies: true
  # other required fields here
Terraform
Ensure that the aws_cloudfront_distribution logging_config block includes a bucket field that specifies the Amazon S3 bucket to store access logs in.
Example Configuration
resource "aws_cloudfront_distribution" "example" {
  logging_config {
    bucket = "awscflogs.s3.amazonaws.com"
  }
  # other required fields here
}