CloudFront Logging Enabled
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The Cloudfront access logs contain detailed information (requested object name, date and time of the access, client IP, access point, error code, etc) about each request made for your web content, information that can be extremely useful during security audits or as input data for various analytics/reporting tools. You can also use this feature in combination with AWS Lambda and AWS WAF to process the logging data and block the requests coming from those IP addresses that generate too many error codes as the requests that generate these errors are often made by attackers trying to find vulnerabilities within your website/web application.
To determine if your Cloudfront CDN distributions have access logging enabled, perform the following:
01 Login to the AWS Management Console.
02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.
03 On the Distributions page, select the CDN distribution that you want to examine.
04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.
05 On the General tab click the Edit button.
06 On the Distribution Settings page, verify the Logging feature configuration status. If Logging is set to Off:
the selected distribution is not tracking any requests made to your web content.
07 Repeat steps no. 3 – 6 for each Cloudfront CDN distribution available in your AWS account.
01 Run list-distributions command (OSX/Linux/UNIX) with appropriate filters to list the IDs of all Cloudfront distributions available in your account:
aws cloudfront list-distributions
--output table
--query 'DistributionList.Items[*].Id'
02
The command output should return a table with the requested metadata, as shown in the example below:
-------------------- | ListDistributions| +------------------+ | E2RX3E6TS8SFB9 | | D11A16G5KZMUXI | | G3E6G5KZMPDT0Y | +------------------+
03
Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier to expose the current Cloudfront distribution logging configuration:
aws cloudfront get-distribution
--id E2RX3E6TS8SFB9
--query 'Distribution.DistributionConfig.Logging'
04
The command output should return the logging configuration metadata:
{
"Bucket": "",
"Prefix": "",
"Enabled": false,
"IncludeCookies": false
}
If the Enabled property value is set to false (as shown in the example above), the Cloudfront distribution selected is not tracking any requests made to your web content.
05 Repeat step no. 3 and 4 to examine other distributions available within your AWS account.
To enable access logging for your Cloudfront CDN distributions, perform the following:
01 Login to the AWS Management Console.
02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.
03 On the Distributions page, select the CDN distribution that you want to update.
04 Click the Distribution Settings button from the dashboard top menu to access the configuration page.
05 On the General tab click the Edit button.
06 On the Distribution Settings page, locate the Logging section and perform the following actions:
07 Repeat steps no. 3 – 6 to update other Cloudfront distributions available in your AWS account in order to enable access logging.
01 Run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store your Cloudfront distribution(s) log files:
aws s3api create-bucket
--bucket aws-cf-access-logs
--region us-east-1
02 The command output should return the new S3 bucket location:
{
"Location": "/aws-cf-access-logs"
}
03 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from your Cloudfront distribution. The following command returns the configuration of a distribution with the access logging feature disabled, identified by the ID E2RX3E6TS8SFB9:
aws cloudfront get-distribution-config
--id E2RX3E6TS8SFB9
04 The command output should return the selected distribution configuration information:
{
"ETag": "E3U5EKI9N4FXZO",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"Logging": {
"Bucket": "",
"Prefix": "",
"Enabled": false,
"IncludeCookies": false
},
...
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "none",
"Quantity": 0
}
},
"Aliases": {
"Items": [
"media.cloudconformity.com"
],
"Quantity": 1
}
}
}
05 Modify the configuration information returned at the previous step to enable access logging by editing the Logging config object (highlighted) and save the new configuration in a JSON document named distconfig-logging-enabled.json:
{
"ETag": "E3U5EKI9N4FXZO",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"Logging": {
"Bucket": "aws-cf-access-logs.s3.amazonaws.com",
"Prefix": "cloudconformity",
"Enabled": true,
"IncludeCookies": true
},
"WebACLId": "",
"Origins": {
"Items": [
{
"OriginPath": "/static/images",
"CustomOriginConfig": {
"OriginProtocolPolicy": "https-only",
"HTTPPort": 80,
"OriginSslProtocols": {
"Items": [
"TLSv1.2"
],
"Quantity": 1
},
"HTTPSPort": 443
},
"CustomHeaders": {
"Quantity": 0
},
"Id": "custom-cloudconformity.com-images",
"DomainName": "cloudconformity.com"
}
],
"Quantity": 1
},
"DefaultRootObject": "index.html",
"PriceClass": "PriceClass_All",
"Enabled": true,
"DefaultCacheBehavior": {
"TrustedSigners": {
"Enabled": false,
"Quantity": 0
},
"TargetOriginId": "custom-cloudconformity.com-images",
"ViewerProtocolPolicy": "https-only",
"ForwardedValues": {
"Headers": {
"Quantity": 0
},
"Cookies": {
"Forward": "none"
},
"QueryString": false
},
"MaxTTL": 31536000,
"SmoothStreaming": false,
"DefaultTTL": 86400,
"AllowedMethods": {
"Items": [
"HEAD",
"DELETE",
"POST",
"GET",
"OPTIONS",
"PUT",
"PATCH"
],
"CachedMethods": {
"Items": [
"HEAD",
"GET",
"OPTIONS"
],
"Quantity": 3
},
"Quantity": 7
},
"MinTTL": 0,
"Compress": false
},
"CallerReference": "my-cf-web-distribution-2016-08-05",
"ViewerCertificate": {
"CloudFrontDefaultCertificate": true,
"MinimumProtocolVersion": "SSLv3",
"CertificateSource": "cloudfront"
},
"CustomErrorResponses": {
"Quantity": 0
},
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "none",
"Quantity": 0
}
},
"Aliases": {
"Items": [
"media.cloudconformity.com"
],
"Quantity": 1
}
}
}
06 Run update-distribution command (OSX/Linux/UNIX) to update your AWS Cloudfront distribution. The following command example updates a CloudFront CDN web distribution with the ID E2RX3E6TS8SFB9 and the ETag E3U5EKI9N4FXZO (an ETag is a header ID exposed when a CDN distribution configuration is retrieved, e.g. "ETag": "E3U5EKI9N4FXZO", as shown in the previous step), using a JSON configuration document with the file name distconfig-logging-enabled.json:
aws cloudfront update-distribution
--id E2RX3E6TS8SFB9
--distribution-config file://distconfig-logging-enabled.json
--if-match E3U5EKI9N4FXZO
07The command output should return the metadata for the updated distribution:
{
"Distribution": {
"Status": "InProgress",
"DomainName": "d1ams0mx9tn8g.cloudfront.net",
"InProgressInvalidationBatches": 0,
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"Logging": {
"Bucket": "aws-cf-access-logs.s3.amazonaws.com",
"Prefix": "cloudconformity",
"Enabled": true,
"IncludeCookies": true
},
...
"Aliases": {
"Items": [
"media.cloudconformity.com"
],
"Quantity": 1
}
},
"ActiveTrustedSigners": {
"Enabled": false,
"Quantity": 0
},
"LastModifiedTime": "2016-08-26T14:23:10.873Z",
"Id": "E2RX3E6TS8SFB9"
},
"ETag": "E3U5EKI9N4FXZO"
}
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s Chat