Cloudfront logging enabled remediation

Using Console

Using CLI

To remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI and run the following command to enable logging for a CloudFront distribution:

aws cloudfront update-distribution --id <distribution-id> --logging-enabled --bucket <S3-bucket-name> --prefix <S3-prefix>

Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to enable logging and replace <S3-bucket-name> and <S3-prefix> with the name of the S3 bucket and prefix where you want to store the logs.

Verify that the logging is enabled for the CloudFront distribution by running the following command:

aws cloudfront get-distribution --id <distribution-id> | grep Logging

Note: Replace <distribution-id> with the ID of the CloudFront distribution for which you want to verify the logging.

Ensure that the logging is working properly by checking the S3 bucket where the logs are stored.

By following the above steps, you can remediate the misconfiguration “Logging should be enabled for CloudFront distributions” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS using Python, you can follow the below steps:

Import the necessary AWS SDK modules for Python:

import boto3

Create an AWS CloudFront client object:

client = boto3.client('cloudfront')

Get a list of all the CloudFront distributions in your AWS account:

distributions = client.list_distributions()

For each distribution, check if logging is enabled or not:

for distribution in distributions['DistributionList']['Items']:
    logging_enabled = distribution['Logging']['Enabled']
    if logging_enabled == False:
        # Logging is not enabled, enable it
        distribution_id = distribution['Id']
        client.update_distribution(
            DistributionConfig={
                'Id': distribution_id,
                'Logging': {
                    'Enabled': True,
                    'IncludeCookies': False,
                    'Bucket': 'your-logging-bucket-name',
                    'Prefix': 'your-logging-prefix'
                },
                'Comment': 'Enable logging for CloudFront distribution'
            },
            IfMatch=distribution['ETag']
        )

Replace ‘your-logging-bucket-name’ and ‘your-logging-prefix’ with the name of the S3 bucket and prefix where you want to store the CloudFront access logs.
Run the Python script to enable logging for all the CloudFront distributions in your AWS account.

This will remediate the misconfiguration of logging not being enabled for CloudFront distributions in AWS.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudfront logging enabled remediation

Triage and Remediation

Remediation