Logging Should Be Enabled For CloudFront Distributions

More Info:

Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).

Risk Level

Low

Address

Security

Compliance Standards

SOC2, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI and run the following command to enable logging for a CloudFront distribution:

aws cloudfront update-distribution --id <distribution-id> --logging-enabled --bucket <S3-bucket-name> --prefix <S3-prefix>

Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to enable logging and replace <S3-bucket-name> and <S3-prefix> with the name of the S3 bucket and prefix where you want to store the logs.

Verify that the logging is enabled for the CloudFront distribution by running the following command:

aws cloudfront get-distribution --id <distribution-id> | grep Logging

Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to verify the logging.

Ensure that the logging is working properly by checking the S3 bucket where the logs are stored.

By following the above steps, you can remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS using Python, you can follow the below steps:

Import the necessary AWS SDK modules for Python:

import boto3

Create an AWS CloudFront client object:

client = boto3.client('cloudfront')

Get a list of all the CloudFront distributions in your AWS account:

distributions = client.list_distributions()

For each distribution, check if logging is enabled or not:

for distribution in distributions['DistributionList']['Items']:
    logging_enabled = distribution['Logging']['Enabled']
    if logging_enabled == False:
        # Logging is not enabled, enable it
        distribution_id = distribution['Id']
        client.update_distribution(
            DistributionConfig={
                'Id': distribution_id,
                'Logging': {
                    'Enabled': True,
                    'IncludeCookies': False,
                    'Bucket': 'your-logging-bucket-name',
                    'Prefix': 'your-logging-prefix'
                },
                'Comment': 'Enable logging for CloudFront distribution'
            },
            IfMatch=distribution['ETag']
        )

Replace ‘your-logging-bucket-name’ and ‘your-logging-prefix’ with the name of the S3 bucket and prefix where you want to store the CloudFront access logs.
Run the Python script to enable logging for all the CloudFront distributions in your AWS account.

This will remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS.

Additional Reading:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Logging Should Be Enabled For CloudFront Distributions

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: