CloudFront Logging Enabled

Risk level: Medium (should be achieved)

Rule ID: CF-005

Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

The Cloudfront access logs contain detailed information (requested object name, date and time of the access, client IP, access point, error code, etc) about each request made for your web content, information that can be extremely useful during security audits or as input data for various analytics/reporting tools. You can also use this feature in combination with AWS Lambda and AWS WAF to process the logging data and block the requests coming from those IP addresses that generate too many error codes as the requests that generate these errors are often made by attackers trying to find vulnerabilities within your website/web application.

Audit

To determine if your Cloudfront CDN distributions have access logging enabled, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to examine.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 On the General tab click the Edit button.

06 On the Distribution Settings page, verify the Logging feature configuration status. If Logging is set to Off:

the selected distribution is not tracking any requests made to your web content.

07 Repeat steps no. 3 – 6 for each Cloudfront CDN distribution available in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with appropriate filters to list the IDs of all Cloudfront distributions available in your account:

aws cloudfront list-distributions
    --output table
    --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested metadata, as shown in the example below:

--------------------
| ListDistributions|
+------------------+
|  E2RX3E6TS8SFB9  |
|  D11A16G5KZMUXI  |
|  G3E6G5KZMPDT0Y  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier to expose the current Cloudfront distribution logging configuration:

aws cloudfront get-distribution
    --id E2RX3E6TS8SFB9
    --query 'Distribution.DistributionConfig.Logging'

04 The command output should return the logging configuration metadata:

{
    "Bucket": "",
    "Prefix": "",
    "Enabled": false,
    "IncludeCookies": false
}

If the Enabled property value is set to false (as shown in the example above), the Cloudfront distribution selected is not tracking any requests made to your web content.

05 Repeat step no. 3 and 4 to examine other distributions available within your AWS account.

Remediation / Resolution

To enable access logging for your Cloudfront CDN distributions, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to update.

04 Click the Distribution Settings button from the dashboard top menu to access the configuration page.

05 On the General tab click the Edit button.

06 On the Distribution Settings page, locate the Logging section and perform the following actions:

Select On next to Logging to enable the feature.
In the Bucket for Logs box, specify the AWS S3 bucket where you want CloudFront to store the log files. If the selected distribution origin is also an S3 bucket, Cloud Conformity recommends selecting a different bucket for storing the access logs.
(Optional) In the Log Prefix box, enter a unique prefix for the log file names in order to keep track of which access log files are associated with which distributions.
(Optional) Select On next to Cookie Logging to include tracking cookies in the logging process.

07 Repeat steps no. 3 – 6 to update other Cloudfront distributions available in your AWS account in order to enable access logging.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the S3 bucket that will store your Cloudfront distribution(s) log files:

aws s3api create-bucket
    --bucket aws-cf-access-logs
    --region us-east-1

02 The command output should return the new S3 bucket location:

{
    "Location": "/aws-cf-access-logs"
}

03 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from your Cloudfront distribution. The following command returns the configuration of a distribution with the access logging feature disabled, identified by the ID E2RX3E6TS8SFB9:

aws cloudfront get-distribution-config
    --id E2RX3E6TS8SFB9

04 The command output should return the selected distribution configuration information:

{
    "ETag": "E3U5EKI9N4FXZO",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },

	  ...

        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Items": [
                "media.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

05 Modify the configuration information returned at the previous step to enable access logging by editing the Logging config object (highlighted) and save the new configuration in a JSON document named distconfig-logging-enabled.json:

{
    "ETag": "E3U5EKI9N4FXZO",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "Logging": {
            "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
            "Prefix": "cloudconformity",
            "Enabled": true,
            "IncludeCookies": true
        },
        "WebACLId": "",
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/images",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "https-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1.2"
                            ],
                            "Quantity": 1
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "custom-cloudconformity.com-images",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },
        "DefaultRootObject": "index.html",
        "PriceClass": "PriceClass_All",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "TargetOriginId": "custom-cloudconformity.com-images",
            "ViewerProtocolPolicy": "https-only",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "DELETE",
                    "POST",
                    "GET",
                    "OPTIONS",
                    "PUT",
                    "PATCH"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET",
                        "OPTIONS"
                    ],
                    "Quantity": 3
                },
                "Quantity": 7
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "my-cf-web-distribution-2016-08-05",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "SSLv3",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Items": [
                "media.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

06 Run update-distribution command (OSX/Linux/UNIX) to update your AWS Cloudfront distribution. The following command example updates a CloudFront CDN web distribution with the ID E2RX3E6TS8SFB9 and the ETag E3U5EKI9N4FXZO (an ETag is a header ID exposed when a CDN distribution configuration is retrieved, e.g. "ETag": "E3U5EKI9N4FXZO", as shown in the previous step), using a JSON configuration document with the file name distconfig-logging-enabled.json:

aws cloudfront update-distribution
    --id E2RX3E6TS8SFB9
    --distribution-config file://distconfig-logging-enabled.json
    --if-match E3U5EKI9N4FXZO

07The command output should return the metadata for the updated distribution:

{
    "Distribution": {
        "Status": "InProgress",
        "DomainName": "d1ams0mx9tn8g.cloudfront.net",
        "InProgressInvalidationBatches": 0,
        "DistributionConfig": {
            "Comment": "",
            "CacheBehaviors": {
                "Quantity": 0
            },
            "Logging": {
                "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
                "Prefix": "cloudconformity",
                "Enabled": true,
                "IncludeCookies": true
            },

            ...

            "Aliases": {
                "Items": [
                    "media.cloudconformity.com"
                ],
                "Quantity": 1
            }
        },
        "ActiveTrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "LastModifiedTime": "2016-08-26T14:23:10.873Z",
        "Id": "E2RX3E6TS8SFB9"
    },
    "ETag": "E3U5EKI9N4FXZO"
}

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution
get-distribution-config
update-distribution
s3api
create-bucket

Publication date Aug 27, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

CloudFront Logging Enabled

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules