5.3 Ensure AWS Cloudfront Logging is enabled


Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately. If the content is not currently in that edge location, CloudFront retrieves it from a customer defined Origin, such as AWS S3, AWS ELB or EC2.
Access logs are activity records that show you detailed information about each request made for your content. These logs can be used for security analysis regarding vulnerability and availability threats


Using the Amazon unified command line interface:

* For enabling logging first save locally the current distribution config:

aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "DistributionConfig" > /tmp/cf-distribution.json

* Edit and replace "Logging" element in /tmp/cf-distribution.json with the below section:

"Logging": {
"Bucket": "<s3_bucket_name>",
"Prefix": "cloudfrontlogs",
"Enabled": true,
"IncludeCookies": false

* Retrieve the current ETag of your CloudFront distribution:

aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "ETag"

* Update the CloudFront distribution using the edited config and the above Etag:

aws cloudfront update-distribution --id <application_cfn_distribution_id> --distribution-config file:///tmp/cf-distribution.json --if-match <application_cfn_distribution_etag>

See Also


Item Details


References: 800-53|AU-12c.

Plugin: amazon_aws

Control ID: 04a557b7a13cfb052edeccb778ef28e0024d38f7d9dc0f8ddad1cd8787181721