Description:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance.
Rationale:
Enabling CloudFront logging, and configuring the logs to be placed in a separate bucket, gives you access to request-level log information that is useful in security and incident response workflows. It also helps in detecting and investigating potential attacks, malicious activity, or misuse of backend resources.
Impact:
Enabling this feature will support compliance standards such as SOC, PCI, FedRAMP, HIPAA.
Enabling the CloudFront feature protects sensitive data fields in requests at the AWS network edge.
Default Value:
By default, Standard logs and Real-time logs are not enabled on a CloudFront distribution.
Pre-Requisite:
When you enable logging for a distribution, you specify the Amazon S3 bucket in which you want CloudFront to store the log files. If you're using Amazon S3 as your origin, we recommend that you don't use the same bucket for your log files; using a separate bucket simplifies maintenance.
Don’t choose an Amazon S3 bucket in any of the following Regions, because CloudFront doesn’t deliver access logs to buckets in these Regions:
Africa (Cape Town) af-south-1
Asia Pacific (Hong Kong) ap-east-1
Europe (Milan) eu-south-1
Middle East (Bahrain) me-south-1
Remediation:
Test Plan:
Check if Standard logs are enabled
1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution
2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home
3. In the left panel, click on Logs
4. In the Distribution tab, if Standard logs are Disabled, the CloudFront Distribution doesn't have Standard logs enabled in that region
5. Repeat steps 1 to 4 for every CloudFront Distribution in all regions.
Check if Real-Time logs are enabled
1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution
2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home
3. In the left panel, click on Logs
4. In the Distribution tab, if Real-Time logs are Disabled, the CloudFront Distribution doesn't have Real-Time logs enabled in that region
5. Repeat steps 1 to 4 for every CloudFront Distribution in every region.
Implementation Steps:
To enable Standard logs
1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution
2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home
3. In the dashboard, choose the CloudFront Distribution for which you want to enable Standard Logs
4. Click on Edit in the Standard Logs section
5. In Edit standard logs, change Disabled to Enabled and click on the Update button
To enable Real-Time logs
1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution
2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home
3. Click on Create configuration in the Real-time log configuration tab
4. Set the settings for the real-time log configuration and click Create configuration.
Using AWS CLI:
- Run the create-bucket command to create the S3 bucket that will store your CloudFront distribution(s) log files:
aws s3api create-bucket --bucket aws-cf-access-logs --region us-east-1
- Run the get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from your CloudFront distribution. Save the DistributionConfig object from the output to a file (distconfig-logging-enabled.json below), set Logging.Enabled to true and Logging.Bucket to the log bucket, and note the ETag value in the output, which is needed for the next step:
aws cloudfront get-distribution-config --id E2RX3E6TS8SFB9
- Run the update-distribution command (OSX/Linux/UNIX) to update your CloudFront distribution, passing the edited configuration file and the ETag from the previous step as --if-match:
aws cloudfront update-distribution --id E2RX3E6TS8SFB9 --distribution-config file://distconfig-logging-enabled.json --if-match E3U5EKI9N4FXZO
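The following is an added example (not code from the page or from AWS) that automates the Test Plan's "Standard logs enabled" check and the CLI remediation step: it audits the DistributionConfig JSON that get-distribution-config returns, flags a log bucket that is also an S3 origin or that sits in one of the unsupported Regions listed above, and produces the edited DistributionConfig for update-distribution. The sample response, the bucket names and the log_bucket_region input (which you would obtain separately with aws s3api get-bucket-location) are constructed assumptions.

```python
"""Audit and remediate standard (access) logging on a CloudFront distribution
using the DistributionConfig JSON returned by `aws cloudfront get-distribution-config`."""
import copy

# Regions to which CloudFront does not deliver standard logs (from the page).
UNSUPPORTED_LOG_REGIONS = {"af-south-1", "ap-east-1", "eu-south-1", "me-south-1"}

def bucket_name(domain):
    """'my-bucket.s3.amazonaws.com' -> 'my-bucket' (a bare bucket name passes through)."""
    return domain.split(".")[0]

def audit_logging(dist_config, log_bucket_region=None):
    """Return a list of findings for the Logging block of a DistributionConfig.
    log_bucket_region is assumed to come from a separate `aws s3api get-bucket-location`
    call; None skips that check."""
    logging = dist_config.get("Logging", {})
    if not logging.get("Enabled"):
        return ["standard logs disabled"]
    findings = []
    log_bucket = bucket_name(logging.get("Bucket", ""))
    # The page recommends a log bucket separate from any S3 origin bucket.
    origins = dist_config.get("Origins", {}).get("Items", [])
    if log_bucket in {bucket_name(o.get("DomainName", "")) for o in origins}:
        findings.append(f"log bucket '{log_bucket}' is also an origin bucket")
    if log_bucket_region in UNSUPPORTED_LOG_REGIONS:
        findings.append(f"log bucket region {log_bucket_region} cannot receive access logs")
    return findings

def enable_logging(dist_config, bucket_domain, prefix="cloudfront/"):
    """Return a copy of the config with standard logs enabled. Write it (the bare
    DistributionConfig, without the ETag wrapper) to the file passed to update-distribution."""
    cfg = copy.deepcopy(dist_config)
    cfg["Logging"] = {"Enabled": True, "IncludeCookies": False,
                      "Bucket": bucket_domain, "Prefix": prefix}
    return cfg

# Constructed sample shaped like get-distribution-config output (not a real distribution).
SAMPLE_RESPONSE = {
    "ETag": "E3U5EKI9N4FXZO",  # the value to pass to update-distribution --if-match
    "DistributionConfig": {
        "CallerReference": "example",
        "Origins": {"Quantity": 1, "Items": [
            {"Id": "s3-origin", "DomainName": "my-site-content.s3.amazonaws.com"}]},
        "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    },
}
```

Running audit_logging on the sample returns ['standard logs disabled']; after enable_logging with the aws-cf-access-logs bucket from the CLI steps and region us-east-1, it returns an empty list.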
To disable Standard logs
1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution
2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home
3. In the dashboard, choose the CloudFront Distribution for which you want to disable Standard Logs
4. Click on Edit in the Standard Logs section
5. In Edit standard logs, change Enabled to Disabled
6. Repeat steps 1 to 5 for every CloudFront Distribution in your AWS account.
To disable Real-Time logs
1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution
2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home
3. Select the Real-time log configuration and click on Delete
Note:
There are two types of logs in CloudFront
Standard logs (access logs)
CloudFront standard logs provide detailed records about every request that's made to a distribution. These logs are useful for many scenarios, including security and access audits. CloudFront standard logs are delivered to the Amazon S3 bucket of your choice. CloudFront doesn't charge for standard logs, though you incur Amazon S3 charges for storing and accessing the log files.
Real-time logs
CloudFront real-time logs provide information about requests made to a distribution, in real time (log records are delivered within seconds of receiving the requests). You can choose the sampling rate for your real-time logs, that is, the percentage of requests for which you want to receive real-time log records. You can also choose the specific fields that you want to receive in the log records. CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. CloudFront charges for real-time logs, in addition to the charges you incur for using Kinesis Data Streams.
Resources:
https://docs.aws.amazon.com/cloudfront/?id=docs_gateway
Configuring and using standard logs (access logs) - Amazon CloudFront