Ensure AWS CloudFront distribution with access logging is enabled

Ensure that access logging is enabled on your AWS CloudFront distributions. CloudFront distribution logging records every request for content delivered through the Content Delivery Network (CDN), which is helpful during investigations and provides an audit trail for audit purposes.

Risk Level: Low
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.NET.41
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should have distributionConfig.logging.enabled=true and distributionConfig.logging.bucket like '%.s3.amazonaws.com'

REMEDIATION

From Portal

  1. Log in to the AWS Management Console and open the CloudFront Distributions Dashboard at https://console.aws.amazon.com/cloudfront/v3/.
  2. Click the reported distribution.
  3. On the 'General' tab, click the 'Edit' button.
  4. On the 'Edit Distribution' page, set 'Logging' to 'On', then select a 'Bucket for Logs' and a 'Log Prefix' as desired.
  5. Click 'Save Changes'.

From TF
To enable access logging on an AWS CloudFront distribution, set the 'logging_config' block:

resource "aws_cloudfront_distribution" "test" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = local.s3_origin_id

    s3_origin_config {
      origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
    }
  }

  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"

  # Added to enable access logging: the bucket must be given as its S3 domain name
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }
}

From Command Line
To update an existing CloudFront distribution, run:

aws cloudfront update-distribution --id ID --distribution-config file://FILE.json --if-match E-TAG

NOTE: file://FILE.json is the required CloudFront distribution configuration in JSON, and E-TAG is the ETag of the distribution's current configuration.
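The following is an added example, not part of the CloudGuard rule page: it evaluates the GSL logic above against a distribution configuration shaped like the output of `aws cloudfront get-distribution-config`, and prepares the FILE.json and command used in the command-line remediation. The distribution ID, ETag and bucket name are constructed placeholders.

```python
import fnmatch
import json
import tempfile

# Constructed sample shaped like `aws cloudfront get-distribution-config` output.
# IDs and ETag are placeholders, not real AWS values.
SAMPLE_GET_OUTPUT = {
    "ETag": "EXAMPLEETAG000",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Comment": "",
        "Enabled": True,
        "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    },
}

# GSL: distributionConfig.logging.bucket like '%.s3.amazonaws.com' (SQL '%' == glob '*')
LOG_BUCKET_PATTERN = "*.s3.amazonaws.com"


def logging_compliant(distribution_config: dict) -> bool:
    """Apply the rule's GSL logic to one DistributionConfig document."""
    logging = distribution_config.get("Logging") or {}
    return bool(logging.get("Enabled")) and fnmatch.fnmatch(
        logging.get("Bucket", ""), LOG_BUCKET_PATTERN
    )


def remediate(distribution_config: dict, bucket: str, prefix: str = "") -> dict:
    """Return a copy of the config with standard logging enabled to the given bucket."""
    if not fnmatch.fnmatch(bucket, LOG_BUCKET_PATTERN):
        raise ValueError("log bucket must be given as <name>.s3.amazonaws.com")
    fixed = json.loads(json.dumps(distribution_config))  # deep copy, leave input untouched
    fixed["Logging"] = {"Enabled": True, "IncludeCookies": False, "Bucket": bucket, "Prefix": prefix}
    return fixed


def build_update_command(get_output: dict, dist_id: str, bucket: str, prefix: str = ""):
    """Write FILE.json (DistributionConfig only, without the ETag wrapper) and
    return (command, path); --if-match carries the ETag from get-distribution-config."""
    fixed = remediate(get_output["DistributionConfig"], bucket, prefix)
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(fixed, fh, indent=2)
    cmd = (f"aws cloudfront update-distribution --id {dist_id} "
           f"--distribution-config file://{fh.name} --if-match {get_output['ETag']}")
    return cmd, fh.name
```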

References

  1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging.html
  2. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
  3. https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset