Ensure logging is enabled for AWS CloudFront

MEDIUM

Description

Amazon recommends enabling standard (access) logging on each CloudFront distribution for security and access audits. Standard logs record every viewer request the distribution receives, including the request time, client IP address, requested object, and response status. They are delivered to an Amazon S3 bucket and can later be queried with products such as Amazon Athena. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the CloudFront Console.
  2. Choose the ID of the distribution that you want to update.
  3. On the General tab, under Settings, choose Edit.
  4. Under Standard logging, choose On.
  5. Under S3 bucket, choose the bucket in which the logs will be stored. Use a dedicated bucket, separate from any S3 origin, to simplify maintenance and access control. The bucket must have ACLs enabled (Object Ownership must not be set to "Bucket owner enforced"), because CloudFront delivers logs using a bucket ACL grant to the awslogsdelivery account.
  6. Choose Save changes.

In Terraform -

  1. In the aws_cloudfront_distribution resource, ensure the logging_config block is present and its bucket argument points to an appropriate S3 bucket, given as the bucket's domain name (for example, my-logs-bucket.s3.amazonaws.com) rather than just the bucket name.
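The following Terraform configuration is an added example, not code from the AWS documentation or the Terraform provider. It shows a distribution that satisfies this rule: a dedicated, non-public log bucket with ACLs left enabled (which CloudFront standard logging requires), and a logging_config block on the distribution that references it. The bucket names, the origin bucket, and the "cloudfront/" prefix are assumed values.

```hcl
# Added example: CloudFront distribution with standard logging enabled.
# Bucket names, the origin bucket and the log prefix are assumptions.

# Origin bucket (assumed). Kept separate from the log bucket.
resource "aws_s3_bucket" "origin" {
  bucket = "example-site-origin"
}

# Dedicated bucket for CloudFront standard logs.
resource "aws_s3_bucket" "cf_logs" {
  bucket = "example-cloudfront-logs"
}

# CloudFront delivers standard logs through a bucket ACL grant to the
# awslogsdelivery account, so ACLs must stay enabled on this bucket.
# "BucketOwnerEnforced" would disable ACLs and break log delivery.
resource "aws_s3_bucket_ownership_controls" "cf_logs" {
  bucket = aws_s3_bucket.cf_logs.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Logs are sensitive (client IPs, URIs): block all public access.
resource "aws_s3_bucket_public_access_block" "cf_logs" {
  bucket                  = aws_s3_bucket.cf_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# AWS managed cache policy, looked up by name instead of hard-coding its ID.
data "aws_cloudfront_cache_policy" "caching_optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true

  origin {
    domain_name = aws_s3_bucket.origin.bucket_regional_domain_name
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.caching_optimized.id
  }

  # The setting this rule checks for. "bucket" must be the bucket's domain
  # name (name.s3.amazonaws.com), which bucket_domain_name provides.
  logging_config {
    bucket          = aws_s3_bucket.cf_logs.bucket_domain_name
    include_cookies = false
    prefix          = "cloudfront/"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # Ensure ACL handling is in place before CloudFront tries to grant
  # awslogsdelivery access to the log bucket.
  depends_on = [aws_s3_bucket_ownership_controls.cf_logs]
}
```

When logging is enabled, CloudFront adds a FULL_CONTROL grant for the awslogsdelivery canonical user to the log bucket's ACL, so the identity running terraform apply needs s3:GetBucketAcl and s3:PutBucketAcl on that bucket. Omitting the logging_config block entirely is the configuration this rule flags.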

References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Policy Details

Rule Reference ID: AC_AWS_0548
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks