Logging Should Be Enabled For CloudFront Distributions
More Info:
Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).
Risk Level: Low
Address: Security
Compliance Standards: SOC2, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Logging Should Be Enabled For CloudFront Distributions” for AWS using the AWS console, follow the steps below:
- Log in to the AWS Management Console and navigate to the CloudFront service.
- Click on the CloudFront distribution for which you want to enable logging.
- Click on the “Behaviors” tab and select the behavior for which you want to enable logging.
- Scroll down to the “Logging” section and click on “Edit”.
- Select “Yes” for “Enable Logging”.
- Choose the S3 bucket where you want to store the logs.
- Enter the prefix for the log files (optional).
- Click on “Yes, Edit” to save the changes.
Once you have completed the above steps, logging will be enabled for your CloudFront distribution and all the logs will be stored in the specified S3 bucket.
To remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using the AWS CLI, follow the steps below:
- Open the AWS CLI and download the current configuration of the distribution. The update-distribution command does not accept separate logging flags; it requires the complete distribution configuration together with the ETag that identifies the version you are editing, and get-distribution-config returns both:
aws cloudfront get-distribution-config --id <distribution-id> --query DistributionConfig > dist-config.json
aws cloudfront get-distribution-config --id <distribution-id> --query ETag --output text
- In dist-config.json, set "Enabled": true in the "Logging" object, set "Bucket" to <S3-bucket-name>.s3.amazonaws.com (CloudFront expects the bucket's S3 domain name rather than the bare bucket name) and "Prefix" to <S3-prefix>, then submit the edited configuration:
aws cloudfront update-distribution --id <distribution-id> --if-match <ETag> --distribution-config file://dist-config.json
Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to enable logging, <ETag> with the value printed by the second get-distribution-config command, and <S3-bucket-name> and <S3-prefix> with the name of the S3 bucket and prefix where you want to store the logs.
- Verify that logging is enabled for the CloudFront distribution by running the following command, which prints only the Logging section of the configuration (piping the full output through grep for "Logging" shows just the key, not whether it is enabled):
aws cloudfront get-distribution --id <distribution-id> --query Distribution.DistributionConfig.Logging
Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to verify the logging.
- Ensure that the logging is working properly by checking the S3 bucket where the logs are stored.
By following the above steps, you can remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI.
To remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS using Python, follow the steps below:
- Import the AWS SDK for Python and create a CloudFront client object:
import boto3

client = boto3.client('cloudfront')
- Get the IDs of all the CloudFront distributions in your AWS account. list_distributions is paginated, and its summary entries do not contain the logging settings, so only the IDs are collected here and each distribution's full configuration is read in the next step:
paginator = client.get_paginator('list_distributions')
distribution_ids = []
for page in paginator.paginate():
    for distribution in page['DistributionList'].get('Items', []):
        distribution_ids.append(distribution['Id'])
- For each distribution, fetch its configuration and ETag, check whether logging is enabled, and enable it if not. update_distribution replaces the whole configuration, so the fetched configuration is modified in place and sent back complete, together with the ETag in IfMatch:
for distribution_id in distribution_ids:
    response = client.get_distribution_config(Id=distribution_id)
    config = response['DistributionConfig']
    if not config['Logging']['Enabled']:
        # Logging is not enabled, enable it; CloudFront expects the bucket's S3 domain name
        config['Logging'] = {
            'Enabled': True,
            'IncludeCookies': False,
            'Bucket': 'your-logging-bucket-name.s3.amazonaws.com',
            'Prefix': 'your-logging-prefix'
        }
        client.update_distribution(
            Id=distribution_id,
            DistributionConfig=config,
            IfMatch=response['ETag']  # the ETag returned by get_distribution_config is required
        )
- Replace ‘your-logging-bucket-name’ and ‘your-logging-prefix’ with the name of the S3 bucket and prefix where you want to store the CloudFront access logs. The bucket must have ACLs enabled (Object Ownership set to “Bucket owner preferred” or “Object writer”), because CloudFront cannot deliver standard logs to a bucket whose ACLs are disabled.
- Run the Python script to enable logging for all the CloudFront distributions in your AWS account.
This will remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS.
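As an added example (not the page's own script), the same audit and remediation split into pure functions that can be checked offline, plus the live boto3 loop built on them. The distribution IDs, configurations, bucket name and prefix are constructed placeholders, and a stale ETag (the PreconditionFailed error from update_distribution) is handled by re-reading the configuration and retrying.

```python
import copy

# Constructed sample: DistributionConfig objects as get_distribution_config returns them.
SAMPLE_CONFIGS = {
    "E1EXAMPLE": {"Comment": "static site", "Enabled": True,
                  "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""}},
    "E2EXAMPLE": {"Comment": "api edge", "Enabled": True,
                  "Logging": {"Enabled": True, "IncludeCookies": False,
                              "Bucket": "cdn-logs.s3.amazonaws.com", "Prefix": "api/"}},
}

def logging_disabled(config):
    """True when the distribution delivers no standard access logs."""
    return not config.get("Logging", {}).get("Enabled", False)

def find_noncompliant(configs):
    """IDs of distributions whose logging is off, sorted for stable reports."""
    return sorted(i for i, cfg in configs.items() if logging_disabled(cfg))

def with_logging(config, bucket, prefix):
    """Copy of config with standard logging on; every other setting is kept,
    because update_distribution replaces the whole configuration."""
    if not bucket.endswith(".s3.amazonaws.com"):  # CloudFront wants the bucket's S3 domain name
        bucket = f"{bucket}.s3.amazonaws.com"
    fixed = copy.deepcopy(config)
    fixed["Logging"] = {"Enabled": True, "IncludeCookies": False, "Bucket": bucket, "Prefix": prefix}
    return fixed

def remediate(client, bucket, prefix, attempts=2):
    """Live run: read every distribution's config and fix the non-compliant ones.
    IfMatch carries the ETag so a concurrent edit is not overwritten; on
    PreconditionFailed the config is re-read and the update retried."""
    ids = [d["Id"] for page in client.get_paginator("list_distributions").paginate()
           for d in page["DistributionList"].get("Items", [])]
    for dist_id in ids:
        for _ in range(attempts):
            resp = client.get_distribution_config(Id=dist_id)
            if not logging_disabled(resp["DistributionConfig"]):
                break  # already compliant (or fixed concurrently)
            try:
                client.update_distribution(
                    Id=dist_id, IfMatch=resp["ETag"],
                    DistributionConfig=with_logging(resp["DistributionConfig"], bucket, prefix))
                break
            except client.exceptions.PreconditionFailed:
                continue  # ETag stale: re-read the current config and retry
```

Run it against an account with remediate(boto3.client("cloudfront"), "your-logging-bucket-name", "cloudfront/"); find_noncompliant on the collected configurations gives an audit report without changing anything.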