4.10 Ensure all AWS-managed web front-end services have access logging enabled

Information

Ensure that access logging is enabled for all AWS-managed web front-end services that terminate or front HTTP(S) traffic, including Amazon CloudFront distributions, Application Load Balancers (ALB), Network Load Balancers (NLB), and Amazon API Gateway REST/HTTP API stages with public endpoints. Access logs must be enabled with delivery to a designated S3 bucket or CloudWatch Logs destination that is protected with appropriate access controls.

This control requires logging of request details such as client IP address, timestamp, HTTP method, requested URI, response status code, bytes transferred, and user agent for every request processed by these services. CloudTrail provides management event logging for these resources, but access logs are required to capture the actual HTTP request/response activity at the network edge layers.

AWS-managed web front-end services (CloudFront, ALB/NLB, API Gateway) represent the primary HTTP(S) ingress points into AWS accounts and are the first line of defense against web attacks, reconnaissance, and abuse attempts. CloudTrail logs management actions (create/update/delete) and data events but does not capture the content of HTTP requests/responses or client activity, leaving a critical visibility gap for security monitoring and incident response.

Access logs from these services enable reconstruction of all web traffic, detection of anomalous patterns, forensic analysis of incidents, and compliance proof that internet-facing entry points were monitored. Without these logs, security teams cannot distinguish legitimate traffic from attacks or prove access patterns during audits.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The following instructions enable standard access logging for CloudFront distributions using the AWS Management Console.

- Open the CloudFront console from the AWS Management Console.
- Click Distributions in the left navigation and click the Distribution ID that needs remediation.
- Go to the "Logging" tab and click "Create access log delivery".
- Under "Deliver to", select your preferred destination: S3 or a CloudWatch log group.
- Select the ARN of your log destination resource.
- Click Submit.
- Confirm that the access log destination now appears in the Logging tab.
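The console steps above cover one CloudFront distribution; the control itself spans every ALB, NLB, CloudFront distribution and API Gateway stage in the account. The audit helpers below are an added example (not part of the benchmark, the CIS workbench, or Nessus) showing how a practitioner would evaluate the control programmatically. Each function takes the response shape the corresponding boto3 call returns, so the logic runs offline against the constructed sample inventory embedded at the bottom; the resource names, IDs and ARNs in that sample are made up. Note the caveat in `cloudfront_logging_enabled`: it inspects the legacy `DistributionConfig.Logging` block, which the newer CloudWatch Logs based delivery used by the console path above does not populate.

```python
"""Access-logging audit helpers (added example, not benchmark or Nessus code).

Each checker takes the dict returned by the matching boto3 call:
  elbv2.describe_load_balancer_attributes(LoadBalancerArn=...)  # ALB and NLB
  cloudfront.get_distribution_config(Id=...)
  apigateway.get_stage(restApiId=..., stageName=...)            # REST API
  apigatewayv2.get_stage(ApiId=..., StageName=...)              # HTTP API
The sample inventory below is constructed so the script runs without AWS access.
"""
from typing import Dict, List


def elb_logging_enabled(attrs_response: Dict) -> bool:
    """ALB/NLB: logging counts as enabled only when the attribute value is the
    string 'true' AND a destination bucket is set (both are strings in the API)."""
    attrs = {a["Key"]: a["Value"] for a in attrs_response.get("Attributes", [])}
    enabled = attrs.get("access_logs.s3.enabled", "false").lower() == "true"
    return enabled and bool(attrs.get("access_logs.s3.bucket"))


def cloudfront_logging_enabled(config_response: Dict) -> bool:
    """CloudFront legacy S3 logging lives under DistributionConfig.Logging.
    Caveat: distributions using the newer CloudWatch Logs based delivery do not
    set this block, so a False here should be confirmed against that delivery
    configuration before being reported as a finding."""
    logging_cfg = config_response.get("DistributionConfig", {}).get("Logging", {})
    return bool(logging_cfg.get("Enabled")) and bool(logging_cfg.get("Bucket"))


def rest_stage_logging_enabled(stage: Dict) -> bool:
    """API Gateway REST stage: accessLogSettings.destinationArn must be present."""
    return bool(stage.get("accessLogSettings", {}).get("destinationArn"))


def http_stage_logging_enabled(stage: Dict) -> bool:
    """API Gateway HTTP API (apigatewayv2) stage: same idea, PascalCase keys."""
    return bool(stage.get("AccessLogSettings", {}).get("DestinationArn"))


def audit(inventory: Dict) -> List[str]:
    """Return one finding line per front-end resource without access logging."""
    findings: List[str] = []
    for name, resp in inventory.get("elbv2", {}).items():
        if not elb_logging_enabled(resp):
            findings.append(f"ELB {name}: access logs disabled")
    for dist_id, resp in inventory.get("cloudfront", {}).items():
        if not cloudfront_logging_enabled(resp):
            findings.append(f"CloudFront {dist_id}: access logs disabled")
    for name, stage in inventory.get("rest_stages", {}).items():
        if not rest_stage_logging_enabled(stage):
            findings.append(f"REST API stage {name}: access logs disabled")
    for name, stage in inventory.get("http_stages", {}).items():
        if not http_stage_logging_enabled(stage):
            findings.append(f"HTTP API stage {name}: access logs disabled")
    return findings


# Constructed sample responses (hypothetical names and IDs, not from any account).
SAMPLE_INVENTORY = {
    "elbv2": {
        "alb-public": {"Attributes": [
            {"Key": "access_logs.s3.enabled", "Value": "true"},
            {"Key": "access_logs.s3.bucket", "Value": "example-alb-logs"},
        ]},
        "nlb-edge": {"Attributes": [
            {"Key": "access_logs.s3.enabled", "Value": "false"},
            {"Key": "access_logs.s3.bucket", "Value": ""},
        ]},
    },
    "cloudfront": {
        "EXAMPLE123": {"DistributionConfig": {"Logging": {
            "Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""}}},
    },
    "rest_stages": {
        "abc123/prod": {"stageName": "prod", "accessLogSettings": {
            "format": "$context.requestId", "destinationArn": "arn:aws:logs:us-east-1:111122223333:log-group:example"}},
    },
    "http_stages": {
        "xyz789/$default": {"StageName": "$default"},
    },
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Running the script prints the two non-compliant resources and the CloudFront distribution, which is exactly the set an assessor would take back to the console steps above. To run it against a live account, replace `SAMPLE_INVENTORY` with the responses from the four boto3 calls listed in the docstring, paginating over every load balancer, distribution, and stage.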

Impact:

Enabling access logging incurs additional storage costs for log delivery and retention, as well as minor configuration overhead for creating dedicated logging buckets, IAM roles, and retention policies. Costs can be managed through lifecycle policies, log sampling, and tiered storage classes.

See Also

https://workbench.cisecurity.org/benchmarks/24575