Ensure Cloudfront distribution has Access Logging enabled
CloudFront standard logs (access logs) provide detailed records about every request made to a distribution. These logs are useful for many scenarios, including security and access audits. You can configure CloudFront to write log files to an S3 bucket containing detailed information about every user request that CloudFront receives.
Risk Level: Low
Cloud Entity: AWS CloudFront Distribution
CloudGuard Rule ID: D9.CFT.LOG.12
Covered by Spectral: Yes
Category: Management Tools
GSL LOGIC
AWS_CloudFront_Distribution should have DistributionConfig.Logging.Bucket
REMEDIATION
From CFT
Set the Logging.Bucket property under DistributionConfig of the AWS::CloudFront::Distribution resource to the S3 bucket that should receive the access logs.
See the example below:
Resources:
  MyDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        ...
        Logging:
          Bucket: "mybucket.s3.amazonaws.com"
        ...
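The GSL rule above can be reproduced as a local pre-deployment check over a CloudFormation template. The following script is an added example and is not CloudGuard's or Spectral's own code; it works on a template already parsed into a dict (JSON templates via json.loads, or YAML via a parser that handles the CloudFormation short-form tags). It treats an intrinsic function such as Fn::GetAtt or Ref as a present bucket, since the value is resolved at deploy time, and flags an absent Logging block or an empty Bucket string. The embedded template is constructed for the example.

```python
import json
import sys

CLOUDFRONT_DISTRIBUTION = "AWS::CloudFront::Distribution"


def logging_bucket(resource):
    """Return the configured DistributionConfig.Logging.Bucket value, or None.

    A plain string must be non-empty. An intrinsic function (a dict such as
    {"Fn::GetAtt": [...]} or {"Ref": ...}) is resolved by CloudFormation at
    deploy time and is therefore accepted as a configured bucket.
    """
    props = resource.get("Properties") or {}
    dist_cfg = props.get("DistributionConfig") or {}
    logging = dist_cfg.get("Logging") or {}
    bucket = logging.get("Bucket")
    if isinstance(bucket, str):
        return bucket if bucket.strip() else None
    if isinstance(bucket, dict) and bucket:
        return bucket
    return None


def find_noncompliant(template):
    """Logical IDs of CloudFront distributions that lack an access-log bucket.

    Mirrors: AWS_CloudFront_Distribution should have DistributionConfig.Logging.Bucket
    """
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != CLOUDFRONT_DISTRIBUTION:
            continue
        if logging_bucket(resource) is None:
            findings.append(logical_id)
    return findings


# Constructed sample template: two compliant distributions, two non-compliant
# ones, plus an unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "Resources": {
    "LogBucket": {
      "Type": "AWS::S3::Bucket"
    },
    "GoodDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "Logging": {
            "Bucket": {"Fn::GetAtt": ["LogBucket", "DomainName"]},
            "Prefix": "cloudfront/"
          }
        }
      }
    },
    "LegacyDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "Logging": {"Bucket": "mybucket.s3.amazonaws.com"}
        }
      }
    },
    "NoLoggingDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {"Enabled": true}
      }
    },
    "EmptyBucketDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "Logging": {"Bucket": "", "Prefix": "cf/"}
        }
      }
    }
  }
}
''')


if __name__ == "__main__":
    # Usage: python check_cf_logging.py [template.json]; exits non-zero on findings.
    template = SAMPLE_TEMPLATE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    noncompliant = find_noncompliant(template)
    for logical_id in noncompliant:
        print(f"D9.CFT.LOG.12: {logical_id} has no DistributionConfig.Logging.Bucket")
    sys.exit(1 if noncompliant else 0)
```

Run against the embedded sample, the check reports NoLoggingDistribution and EmptyBucketDistribution and leaves the two distributions with a configured bucket (one via Fn::GetAtt, one via a literal domain name) untouched.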
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-logging.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsOverview
AWS CloudFront Distribution
A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. The following topics explain some basics about CloudFront distributions and provide detailed information about the settings you can choose to configure your distributions to meet your business needs.
Compliance Frameworks
- AWS CloudFormation ruleset