AWS CloudFront distribution with access logging disabled
Description
CloudFront access logs contain detailed information about each request made for your web content: the requested object name, the date and time of the access, the client IP, the access point, the error code, and more. This information can be extremely useful during security audits and as input data for analytics and reporting tools. Correlating it with Lambda and WAF logs can speed up incident response and make it possible to block requests from IP addresses that generate many errors, since such spikes in errors may indicate an attacker probing your web application for vulnerabilities.
Code Example
```json
{
  "ETag": "ETAGID001",
  "DistributionConfig": {
    ...
    "Logging": {
      "Bucket": "cloudfront-logging.s3.amazonaws.com",
      "Enabled": true
    }
  }
}
```
Remediation
*AWS CloudFront Console Procedure:*
1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
2. Open the [Amazon CloudFront console](https://console.aws.amazon.com/cloudfront/home).
3. Select a *CloudFront Distribution* that is missing access logging.
4. From the menu, click *Distribution Settings* to open the configuration page.
5. From the *General* tab on the top menu, click *Edit*.
6. In the *Distribution Settings* tab, scroll down and check the configuration status of the *Logging* feature. If Logging is Off, CloudFront does not create log files containing detailed information about every user request it receives.
7. Click *ON* to enable the CloudFront Logging feature so that all viewer requests for files in your distribution are logged.

*CLI Command*
1. Create an S3 bucket to store your access logs.
2. Create a JSON file that enables logging and sets the S3 bucket location as the destination for the log files.
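As an added example (not the rule's or Checkov's own code), the Python below implements the intent of this check against a constructed CloudFormation template, reporting every `AWS::CloudFront::Distribution` whose `DistributionConfig` has no logging bucket, and builds the `Logging` block that the CLI remediation's JSON file needs. The sample template, the bucket name and the function names are assumptions; the only AWS facts relied on are that CloudFormation's `Logging` property requires `Bucket` and that the API-style `DistributionConfig` also carries an `Enabled` flag.

```python
import copy

# Constructed sample CloudFormation template (not from the page): one
# distribution with no Logging block, one delivering logs to a bucket.
SAMPLE_TEMPLATE = {
    "Resources": {
        "UnloggedDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {"Enabled": True}},
        },
        "LoggedDistribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {
                "Enabled": True,
                "Logging": {"Bucket": "cloudfront-logging.s3.amazonaws.com"},
            }},
        },
    }
}


def logging_enabled(dist_config: dict) -> bool:
    """True when the DistributionConfig delivers access logs to an S3 bucket.
    CloudFormation's Logging block only needs a Bucket; the API/CLI form of
    DistributionConfig also carries an explicit Enabled flag, so honour both."""
    logging = dist_config.get("Logging")
    if not isinstance(logging, dict) or logging.get("Enabled") is False:
        return False
    return bool(logging.get("Bucket"))


def unlogged_distributions(template: dict) -> list:
    """Logical IDs of AWS::CloudFront::Distribution resources failing the check."""
    failing = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        cfg = resource.get("Properties", {}).get("DistributionConfig", {})
        if not logging_enabled(cfg):
            failing.append(logical_id)
    return failing


def with_logging(dist_config: dict, bucket: str, prefix: str = "") -> dict:
    """Copy of an API-style DistributionConfig with logging switched on; dump it
    with json.dumps to produce the file the CLI remediation step asks for."""
    fixed = copy.deepcopy(dist_config)
    fixed["Logging"] = {"Enabled": True, "IncludeCookies": False,
                        "Bucket": bucket, "Prefix": prefix}
    return fixed
```

Running `unlogged_distributions(SAMPLE_TEMPLATE)` flags only `UnloggedDistribution`; feeding the output of `with_logging` through `json.dumps` yields a distribution config with logging enabled for the CLI update step.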
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0139 |
| Severity | INFO |
| IaC Type | CloudFormation |
| Frameworks | CloudFormation, Terraform, TerraformPlan, Serverless |
| Checkov ID | CKV_AWS_86 |