This rule ensures that CloudFront distributions have logging enabled for enhanced security.
| Field | Value |
|---|---|
| Rule | CloudFront distributions should have logging enabled |
| Framework | AWS Foundational Security Best Practices |
| Severity | Medium |
Rule Description
The AWS Foundational Security Best Practices recommend enabling logging for your CloudFront distributions to enhance your security posture. CloudFront is a global content delivery network (CDN) service provided by AWS, and enabling logging allows you to capture detailed information about the requests made to your CloudFront distributions.
Troubleshooting Steps
If you encounter any issues while enabling logging for CloudFront distributions, follow these troubleshooting steps:
Check IAM Permissions: Ensure that you have the necessary permissions to enable logging for CloudFront distributions. You need the `CloudFrontFullAccess` or `CloudFrontReadOnlyAccess` IAM policy attached to your user, role, or group.
Confirm Distribution State: Verify that the CloudFront distribution is in the correct state. Logging can only be enabled for distributions in the "Enabled" state. If the distribution is in a different state, you must first update it to "Enabled".
Validate S3 Bucket Permissions: Ensure that the S3 bucket where you want to store the CloudFront logs has the required permissions. Verify that the bucket policy allows `s3:PutObject` actions for the CloudFront service principal.
Check S3 Bucket Name: Double-check that the S3 bucket name is correctly specified. Ensure that the bucket exists and that you have the necessary permissions to access and write to it.
Necessary Codes
There are no specific codes required for this CloudFront logging policy. However, you can utilize AWS CLI commands to enable logging, as described in the next section.
Step-by-Step Guide for Remediation
Follow the step-by-step guide below to enable CloudFront logging using AWS Management Console:
Sign in to the AWS Management Console: Navigate to the AWS Management Console and sign in to your AWS account.
Open CloudFront Service: Open the CloudFront service by searching for "CloudFront" in the search bar at the top of the screen and selecting the appropriate result.
Select Distribution: From the list of CloudFront distributions, choose the distribution for which you want to enable logging by clicking on its ID or name.
Go to Distribution Settings: In the distribution details page, click on the "Distribution Settings" tab.
Navigate to Access Logs: Scroll down to the "Access Logs" section and click on the "Edit" button.
Enable Logging: In the "Access Logs" settings, click on the toggle switch to enable logging.
Specify S3 Bucket: Enter the destination S3 bucket name in the "Bucket" field. Make sure to provide a valid existing bucket name that you have access to.
Specify Optional Prefix: You can optionally specify a prefix for the log files by entering a value in the "Prefix" field. This helps organize and search for log files within the specified S3 bucket.
Choose Logging Options: Select the desired logging options such as "Include Cookies" and "Additional Fields". These options allow you to capture additional information in the logs if required.
Save Changes: Click on the "Yes, Edit" button to save the changes and enable logging for the CloudFront distribution.
Wait for Deployment: The changes may take a few minutes to propagate and be applied to your CloudFront distribution. Monitor the distribution's status for the changes to reflect.
Once logging is enabled, CloudFront will start delivering log files to the specified S3 bucket. You can analyze the logs for security analysis and operational insights.
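As an added example (not part of this rule page or the AWS tooling), the following script implements the rule's check and its remediation on the `DistributionConfig` document that `aws cloudfront get-distribution-config` or boto3's `get_distribution_config` returns: it reports a finding when standard logging is off, and builds the updated config that points logging at an S3 bucket. The sample config, bucket name and prefix are constructed; the optional boto3 call at the bottom is only reached when run directly with a real distribution ID.

```python
"""Check and remediate CloudFront standard access logging on a DistributionConfig."""
import copy
from typing import Optional

# Constructed sample (not a real distribution): logging is disabled, so it is non-compliant.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Comment": "demo distribution",
    "Enabled": True,
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
}


def logging_finding(config: dict) -> Optional[str]:
    """Return a finding string if the distribution violates the rule, else None."""
    logging = config.get("Logging") or {}
    if not logging.get("Enabled"):
        return "access logging disabled"
    bucket = logging.get("Bucket", "")
    # CloudFront stores the log target as an S3 bucket domain, e.g. my-logs.s3.amazonaws.com
    if not bucket.endswith(".s3.amazonaws.com"):
        return f"unexpected log bucket target: {bucket!r}"
    return None


def with_logging_enabled(config: dict, bucket: str, prefix: str = "",
                         include_cookies: bool = False) -> dict:
    """Return a copy of the config with standard logging delivered to `bucket`."""
    target = bucket if bucket.endswith(".s3.amazonaws.com") else f"{bucket}.s3.amazonaws.com"
    updated = copy.deepcopy(config)  # never mutate the caller's document
    updated["Logging"] = {"Enabled": True, "IncludeCookies": include_cookies,
                          "Bucket": target, "Prefix": prefix}
    return updated


def remediate_distribution(distribution_id: str, bucket: str, prefix: str = "") -> None:
    """Apply the fix to a live distribution (requires boto3 and CloudFront update permissions)."""
    import boto3  # imported lazily so the offline check above works without it
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    if logging_finding(current["DistributionConfig"]) is None:
        return  # already compliant
    fixed = with_logging_enabled(current["DistributionConfig"], bucket, prefix)
    # IfMatch must carry the ETag from the read, or CloudFront rejects the update.
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=fixed)


if __name__ == "__main__":
    print("finding:", logging_finding(SAMPLE_CONFIG))
    print("fixed logging block:", with_logging_enabled(SAMPLE_CONFIG, "my-cf-logs", "cloudfront/")["Logging"])
```

Run the same `logging_finding` over every distribution returned by `list_distributions` to audit an account, and note that the bucket named here must exist and accept log delivery before the update succeeds.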
Conclusion
Enabling logging for CloudFront distributions aligns with the AWS Foundational Security Best Practices. Following the provided guide, you can ensure that you have comprehensive logs to aid in security investigations or operational analysis within your AWS environment.