More Info:

Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).

Risk Level

Low

Address

Security

Compliance Standards

SOC2, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Logging Should Be Enabled For CloudFront Distributions” for AWS using AWS console, follow the below steps:
  1. Login to the AWS Management Console and navigate to the CloudFront service.
  2. Click on the CloudFront distribution for which you want to enable logging.
  3. Click on the “Behaviors” tab and select the behavior for which you want to enable logging.
  4. Scroll down to the “Logging” section and click on “Edit”.
  5. Select “Yes” for “Enable Logging”.
  6. Choose the S3 bucket where you want to store the logs.
  7. Enter the prefix for the log files (optional).
  8. Click on “Yes, Edit” to save the changes.
Once you have completed the above steps, logging will be enabled for your CloudFront distribution and all the logs will be stored in the specified S3 bucket.

To remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI, you can follow the below steps:
  1. Open the AWS CLI and run the following command to enable logging for a CloudFront distribution:
aws cloudfront update-distribution --id <distribution-id> --logging-enabled --bucket <S3-bucket-name> --prefix <S3-prefix>
Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to enable logging and replace <S3-bucket-name> and <S3-prefix> with the name of the S3 bucket and prefix where you want to store the logs.
  1. Verify that the logging is enabled for the CloudFront distribution by running the following command:
aws cloudfront get-distribution --id <distribution-id> | grep Logging
Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to verify the logging.
  1. Ensure that the logging is working properly by checking the S3 bucket where the logs are stored.
By following the above steps, you can remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI.
To remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS using Python, you can follow the below steps:
  1. Import the necessary AWS SDK modules for Python:
import boto3
  1. Create an AWS CloudFront client object:
client = boto3.client('cloudfront')
  1. Get a list of all the CloudFront distributions in your AWS account:
distributions = client.list_distributions()
  1. For each distribution, check if logging is enabled or not:
for distribution in distributions['DistributionList']['Items']:
    logging_enabled = distribution['Logging']['Enabled']
    if logging_enabled == False:
        # Logging is not enabled, enable it
        distribution_id = distribution['Id']
        client.update_distribution(
            DistributionConfig={
                'Id': distribution_id,
                'Logging': {
                    'Enabled': True,
                    'IncludeCookies': False,
                    'Bucket': 'your-logging-bucket-name',
                    'Prefix': 'your-logging-prefix'
                },
                'Comment': 'Enable logging for CloudFront distribution'
            },
            IfMatch=distribution['ETag']
        )
  1. Replace ‘your-logging-bucket-name’ and ‘your-logging-prefix’ with the name of the S3 bucket and prefix where you want to store the CloudFront access logs.
  2. Run the Python script to enable logging for all the CloudFront distributions in your AWS account.
This will remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS.

Additional Reading: