AWS CloudFront distribution has access logging disabled
Description
CloudFront access logs contain detailed information (requested object name, date and time of the access, client IP, access point, error code, etc.) about each request made for your web content. This information can be extremely useful during security audits, or as input data for various analytics and reporting tools.
Paired with Lambda and WAF logs, they can help speed up incident response, for example by enabling you to block requests from IP addresses that generate multiple errors. Such spikes in errors may indicate attackers probing your web application for vulnerabilities.
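As an added example (not part of this policy page), the following Python script parses the standard CloudFront access log format and counts 4xx/5xx responses per client IP, the error-spike signal described above. The log lines, IP addresses and hostname are constructed for the example; the parser reads the column names from the `#Fields` header line, so it also handles the full field set that real logs in the logging bucket carry.

```python
"""Flag client IPs that generate many error responses in CloudFront standard access logs.

CloudFront writes a '#Version' line, a '#Fields' line naming the columns, then one
tab-separated record per request. The sample log below is constructed for this
example and contains no real traffic.
"""
from collections import Counter
from typing import Dict, List

# Subset of the standard log columns, in the order used by the constructed sample.
FIELDS = [
    "date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method",
    "cs(Host)", "cs-uri-stem", "sc-status", "cs(Referer)", "cs(User-Agent)",
    "cs-uri-query",
]


def _record(date: str, time: str, ip: str, uri: str, status: str) -> str:
    """Build one constructed log line; column order matches FIELDS."""
    return "\t".join([date, time, "IAD89-C1", "512", ip, "GET",
                      "d111111abcdef8.cloudfront.net", uri, status, "-",
                      "Mozilla/5.0", "-"])


# Constructed sample: one ordinary client, one client producing a burst of 404s,
# and one ordinary client that saw a single origin error.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: " + " ".join(FIELDS),
     _record("2024-01-01", "10:00:01", "203.0.113.5", "/index.html", "200"),
     _record("2024-01-01", "10:00:02", "203.0.113.5", "/style.css", "200"),
     _record("2024-01-01", "10:00:03", "203.0.113.5", "/old-page.html", "404"),
     _record("2024-01-01", "10:00:04", "192.0.2.9", "/api/data", "502")]
    + [_record("2024-01-01", f"10:01:{i:02d}", "198.51.100.7", f"/missing-{i}", "404")
       for i in range(6)]
) + "\n"


def parse_cloudfront_log(text: str) -> List[Dict[str, str]]:
    """Parse standard-format log text into dicts keyed by the '#Fields' column names."""
    columns: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line.split(":", 1)[1].split()   # column names are space-separated
            continue
        if not line or line.startswith("#"):          # '#Version' line or blank line
            continue
        if not columns:
            raise ValueError("data line appears before the #Fields header")
        values = line.split("\t")
        if len(values) != len(columns):
            raise ValueError(f"expected {len(columns)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(columns, values)))
    return records


def error_counts_by_ip(records: List[Dict[str, str]]) -> Counter:
    """Count 4xx/5xx responses per client IP (c-ip); non-numeric statuses are skipped."""
    counts: Counter = Counter()
    for rec in records:
        status = rec.get("sc-status", "")
        if status.isdigit() and int(status) >= 400:
            counts[rec["c-ip"]] += 1
    return counts


def suspicious_ips(records: List[Dict[str, str]], threshold: int = 5) -> List[str]:
    """Return client IPs with at least `threshold` error responses, sorted."""
    return sorted(ip for ip, n in error_counts_by_ip(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    print(f"{len(recs)} requests parsed")
    for ip, n in error_counts_by_ip(recs).most_common():
        print(f"{ip:15} {n} errors")
    print("review candidates:", suspicious_ips(recs))
```

The threshold is deliberately a parameter: a single 404 from a client is normal browsing, while a run of errors from one address within a short window is what the description above suggests feeding into a blocking decision alongside WAF logs.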
Fix - Runtime
AWS Cloud Front Console
Procedure:
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the Amazon CloudFront console.
- Select a CloudFront distribution that is missing access logging.
- From the menu, click Distribution Settings to open the configuration page.
- On the General tab in the top menu, click Edit.
- In the Distribution Settings tab, scroll down and check the Logging setting. If Logging is Off, CloudFront does not write log files containing the details of the requests it receives for this distribution.
- Set Logging to On so that CloudFront logs all viewer requests for files in your distribution, and select the S3 bucket that receives the log files.
CLI Command
- Create an S3 bucket to store your access logs.
- Create a JSON file (logging.json) that enables logging and sets the S3 bucket where the log files are written. The file has the shape returned by get-distribution-config: an ETag next to the DistributionConfig object.
```json
{
  "ETag": "ETAGID001",
  "DistributionConfig": {
    ...
    "Logging": {
      "Enabled": true,
      "IncludeCookies": false,
      "Bucket": "cloudfront-logging.s3.amazonaws.com",
      "Prefix": ""
    }
  }
}
```
- Run update-distribution with your distribution ID, the path of the configuration file, and your ETag. The file passed to --distribution-config must contain only the DistributionConfig object (remove the ETag wrapper; the ETag value goes to --if-match), and the Logging block needs all four keys (Enabled, IncludeCookies, Bucket, Prefix) or the request fails validation.
```shell
aws cloudfront update-distribution \
  --id ID000000000000 \
  --distribution-config file://logging.json \
  --if-match ETAGID001
```
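The audit and the update inputs from the CLI procedure above, as an added Python example (not code from this page or from the AWS CLI): it checks whether a DistributionConfig has access logging enabled, which is the condition this policy tests, and turns get-distribution-config output into the configuration object and ETag that update-distribution needs. The sample configuration, ETag and bucket name are constructed placeholders, and the bucket-domain check is this example's own validation rather than an AWS rule.

```python
"""Audit a CloudFront DistributionConfig for access logging and build the update inputs.

Works on the JSON shape that `aws cloudfront get-distribution-config` returns
(an ETag beside a DistributionConfig object). All values below are constructed.
"""
import copy
import json
from typing import Any, Dict, Tuple

# Constructed stand-in for get-distribution-config output; logging is off.
SAMPLE_GET_OUTPUT: Dict[str, Any] = {
    "ETag": "ETAGID001",
    "DistributionConfig": {
        "CallerReference": "example-caller-ref",
        "Comment": "example distribution",
        "Enabled": True,
        "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    },
}


def logging_enabled(distribution_config: Dict[str, Any]) -> bool:
    """True only if Logging.Enabled is set and a destination bucket is configured.

    A missing Logging block counts as disabled, which is the failing state of this policy.
    """
    logging = distribution_config.get("Logging") or {}
    return bool(logging.get("Enabled")) and bool(logging.get("Bucket"))


def with_logging(distribution_config: Dict[str, Any], bucket_domain: str,
                 prefix: str = "", include_cookies: bool = False) -> Dict[str, Any]:
    """Return a deep copy of the config with access logging enabled.

    bucket_domain is the bucket's S3 domain name (e.g. mylogs.s3.amazonaws.com);
    the suffix check is this example's own guard against passing a bare bucket name.
    """
    if not bucket_domain.endswith(".s3.amazonaws.com"):
        raise ValueError("Logging.Bucket must be an S3 bucket domain (<bucket>.s3.amazonaws.com)")
    cfg = copy.deepcopy(distribution_config)
    # All four keys are required members of the LoggingConfig API type.
    cfg["Logging"] = {
        "Enabled": True,
        "IncludeCookies": include_cookies,
        "Bucket": bucket_domain,
        "Prefix": prefix,
    }
    return cfg


def build_update_inputs(get_output: Dict[str, Any], bucket_domain: str,
                        prefix: str = "") -> Tuple[Dict[str, Any], str]:
    """Split get-distribution-config output into the two update-distribution inputs:
    the DistributionConfig object (for --distribution-config) and the ETag (for --if-match)."""
    fixed = with_logging(get_output["DistributionConfig"], bucket_domain, prefix)
    return fixed, get_output["ETag"]


if __name__ == "__main__":
    cfg, etag = build_update_inputs(SAMPLE_GET_OUTPUT, "cloudfront-logging.s3.amazonaws.com", "cdn/")
    print("logging enabled before:", logging_enabled(SAMPLE_GET_OUTPUT["DistributionConfig"]))
    print("logging enabled after: ", logging_enabled(cfg))
    print(json.dumps(cfg, indent=2))  # contents for logging.json (no ETag wrapper)
    print(f"aws cloudfront update-distribution --id <DISTRIBUTION_ID> "
          f"--distribution-config file://logging.json --if-match {etag}")
```

Write the returned config to logging.json with json.dump and pass the ETag to --if-match. If the distribution changes between the get and the update, the ETag no longer matches and CloudFront rejects the update, which is the intended protection against silently overwriting someone else's concurrent change.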
Fix - Buildtime
Terraform
- Resource: aws_cloudfront_distribution
- Argument: logging_config (Optional) - The logging configuration that controls how logs are written to your distribution (maximum one).
```hcl
resource "aws_cloudfront_distribution" "s3_distribution" {
  ...
  default_root_object = "index.html"
+ logging_config {
+   bucket = "mylogs.s3.amazonaws.com"
    ...
+ }
}
```
CloudFormation
- Resource: AWS::CloudFront::Distribution
- Argument: Properties.DistributionConfig.Logging/Bucket
```yaml
Resources:
  MyCloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      ...
      DistributionConfig:
        ...
+       Logging:
+         Bucket: myawslogbucket.s3.amazonaws.com
```