Ensure AWS CloudFront distribution has access logging enabled

Error: AWS CloudFront distribution has access logging disabled

Bridgecrew Policy ID: BC_AWS_LOGGING_20
Checkov Check ID: CKV_AWS_86
Severity: MEDIUM

AWS CloudFront distribution has access logging disabled

Description

CloudFront access logs contain detailed information about each request made for your web content (requested object name, date and time of the access, client IP address, access point, error code, and so on). This information can be extremely useful during security audits and as input data for analytics and reporting tools.

Pairing CloudFront logs with Lambda and WAF logs can help expedite incident response and make it possible to block requests from IP addresses that generate many errors. Spikes in errors from a single source can indicate attackers probing your web application for vulnerabilities.

Fix - Runtime

AWS CloudFront Console

Procedure:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon CloudFront console.
  3. Select a CloudFront distribution that is missing access logging.
  4. From the menu, click Distribution Settings to open the configuration page.
  5. On the General tab, click Edit.
  6. In the Distribution Settings tab, scroll down and check the Logging setting. If Logging is Off, CloudFront does not create log files with details of the viewer requests it receives.
  7. Set Logging to On so that CloudFront logs all viewer requests for files in your distribution.

CLI Command

  1. Create an S3 bucket to store your access logs.
  2. Create a JSON file (for example logging.json) that enables logging and sets the S3 bucket that will receive the log files. The structure mirrors the output of get-distribution-config:
{
  "ETag": "ETAGID001",
  "DistributionConfig": {
    ...
    "Logging": {
      "Bucket": "cloudfront-logging.s3.amazonaws.com",
      "Enabled": true
    }
  }
}
  3. Run update-distribution with your distribution ID, the path of the configuration file, and your ETag. Note that --distribution-config takes the DistributionConfig object and --if-match takes the ETag value:
aws cloudfront update-distribution \
  --id ID000000000000 \
  --distribution-config file://logging.json \
  --if-match ETAGID001
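The same runtime fix carried out with boto3, as an added example that is not part of the Bridgecrew/Checkov documentation. The pure functions mirror what this check looks for (no Logging block, or Logging.Enabled false) and build the UpdateDistribution body from a GetDistributionConfig response; the sample response is constructed, and the bucket name and prefix in main() are assumptions.

```python
"""Audit and remediate CloudFront access logging (CKV_AWS_86) with boto3."""
import json


def logging_disabled(dist_config: dict) -> bool:
    """True when the distribution fails this check: Logging is absent or
    Logging.Enabled is false."""
    logging = dist_config.get("Logging") or {}
    return not logging.get("Enabled", False)


def with_logging(dist_config: dict, bucket: str, prefix: str = "",
                 include_cookies: bool = False) -> dict:
    """Return a copy of DistributionConfig with standard logging turned on.
    UpdateDistribution requires all four Logging fields to be present."""
    updated = json.loads(json.dumps(dist_config))  # deep copy of plain JSON
    updated["Logging"] = {
        "Enabled": True,
        "IncludeCookies": include_cookies,
        "Bucket": bucket,  # bucket domain name, e.g. "<name>.s3.amazonaws.com"
        "Prefix": prefix,
    }
    return updated


def remediate(response: dict, bucket: str, prefix: str = ""):
    """Split a GetDistributionConfig response into the UpdateDistribution body
    (DistributionConfig only) and the ETag that goes into IfMatch."""
    return with_logging(response["DistributionConfig"], bucket, prefix), response["ETag"]


# Constructed sample shaped like a GetDistributionConfig response (not real data).
SAMPLE_RESPONSE = {
    "ETag": "ETAGEXAMPLE",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Enabled": True,
        "DefaultRootObject": "index.html",
        "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    },
}


def main(distribution_id: str, bucket: str, prefix: str = "cloudfront/") -> None:
    import boto3  # only needed for the live API calls; assumed installed
    cf = boto3.client("cloudfront")
    response = cf.get_distribution_config(Id=distribution_id)
    if not logging_disabled(response["DistributionConfig"]):
        print(f"{distribution_id}: access logging already enabled")
        return
    body, etag = remediate(response, bucket, prefix)
    cf.update_distribution(Id=distribution_id, DistributionConfig=body, IfMatch=etag)
    print(f"{distribution_id}: access logging enabled, writing to {bucket}/{prefix}")
```

Run it as `python enable_cf_logging.py <distribution-id> <bucket-domain-name>` with credentials that allow cloudfront:GetDistributionConfig and cloudfront:UpdateDistribution.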

Fix - Buildtime

Terraform

  • Resource: aws_cloudfront_distribution
  • Argument: logging_config (Optional) - The logging configuration that controls how logs are written to your distribution (maximum one).
resource "aws_cloudfront_distribution" "s3_distribution" {
  ...
  default_root_object = "index.html"
+ logging_config {
+   bucket          = "mylogs.s3.amazonaws.com"
    ...
  }
}

CloudFormation

  • Resource: AWS::CloudFront::Distribution
  • Argument: Properties.DistributionConfig.Logging/Bucket
Resources:
  MyCloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      ...
      DistributionConfig:
        ...
+       Logging:
+         Bucket: myawslogbucket.s3.amazonaws.com