Description: 

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance. 


Rationale: 

Enabling CloudFront logging and directing the logs to a separate S3 bucket provides access to request-level log information that is useful in security and incident response workflows. It also helps in detecting and investigating potential attacks, malicious activity, or misuse of backend resources.


Impact:

Enabling this feature supports compliance standards such as SOC, PCI, FedRAMP, and HIPAA.

Enabling the CloudFront feature protects sensitive data fields in requests at the AWS network edge.


Default Value:

By default, Standard logs and Real-time logs are not enabled on a CloudFront Distribution.


Audit: 

  • Check if Standard logs are enabled

  1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution

  2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home

  3. In the left panel, click on Logs

  4. In the Distributions tab, if Standard logs are in a Disabled state, the CloudFront Distribution does not have Standard logs enabled in that region

  5. Repeat steps 1 to 4 for all CloudFront Distributions in all regions.


  • Check if Real-Time logs are enabled

  1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution

  2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home

  3. In the left panel, click on Logs 

  4. In the Distributions tab, if Real-Time logs are in a Disabled state, the CloudFront Distribution does not have Real-Time logs enabled in that region

  5. Repeat steps 1 to 4 for all CloudFront Distributions in every region


Remediation:

Pre-Requisite:

  • When you enable logging for a distribution, you specify the Amazon S3 bucket in which you want CloudFront to store log files. If you’re using Amazon S3 as your origin, we recommend that you don’t use the same bucket for your log files; using a separate bucket simplifies maintenance.

  • Don’t choose an Amazon S3 bucket in any of the following Regions, because CloudFront doesn’t deliver access logs to buckets in these Regions:

    • Africa (Cape Town)  af-south-1

    • Asia Pacific (Hong Kong)  ap-east-1

    • Europe (Milan)  eu-south-1

    • Middle East (Bahrain)  me-south-1
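The audit steps above and the separate-bucket pre-requisite can also be checked programmatically. The following Python script is an added example, not part of this benchmark or of AWS's own tooling: it evaluates a constructed list of distribution records shaped like the output of `aws cloudfront get-distribution-config` and flags distributions whose standard logs are disabled, whose standard logs are written into one of the distribution's own S3 origin buckets, or which have no real-time log configuration attached to any cache behavior. The sample IDs, ARNs and bucket names are made up; in a real account the records would come from `aws cloudfront list-distributions` followed by `get-distribution-config` for each distribution (the CloudFront API is global, so one listing covers the whole account).

```python
import json
from typing import Dict, List, Optional

# Constructed sample records shaped like the DistributionConfig returned by
# `aws cloudfront get-distribution-config`. IDs, ARNs and bucket names are
# made-up placeholders for this example, not values from any real account.
SAMPLE_DISTRIBUTIONS = json.loads("""
[
  {
    "Id": "EXAMPLE1",
    "DistributionConfig": {
      "Origins": {"Quantity": 1, "Items": [
        {"Id": "s3-origin", "DomainName": "example-site.s3.amazonaws.com"}]},
      "DefaultCacheBehavior": {
        "TargetOriginId": "s3-origin",
        "RealtimeLogConfigArn": "arn:aws:cloudfront::111111111111:realtime-log-config/example-rt"},
      "CacheBehaviors": {"Quantity": 0},
      "Logging": {"Enabled": true, "IncludeCookies": false,
                  "Bucket": "example-logs.s3.amazonaws.com", "Prefix": "cf/"}
    }
  },
  {
    "Id": "EXAMPLE2",
    "DistributionConfig": {
      "Origins": {"Quantity": 1, "Items": [
        {"Id": "s3-origin", "DomainName": "example-site.s3.amazonaws.com"}]},
      "DefaultCacheBehavior": {"TargetOriginId": "s3-origin"},
      "CacheBehaviors": {"Quantity": 0},
      "Logging": {"Enabled": true, "IncludeCookies": false,
                  "Bucket": "example-site.s3.amazonaws.com", "Prefix": ""}
    }
  },
  {
    "Id": "EXAMPLE3",
    "DistributionConfig": {
      "Origins": {"Quantity": 1, "Items": [
        {"Id": "custom", "DomainName": "api.example.com"}]},
      "DefaultCacheBehavior": {"TargetOriginId": "custom"},
      "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "custom",
         "RealtimeLogConfigArn": "arn:aws:cloudfront::111111111111:realtime-log-config/example-rt"}]},
      "Logging": {"Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": ""}
    }
  }
]
""")


def _s3_bucket_name(domain: str) -> Optional[str]:
    """Return the bucket name from an S3 domain such as 'bucket.s3.amazonaws.com'
    or 'bucket.s3.us-east-1.amazonaws.com'; None for custom (non-S3) origins."""
    if ".s3" in domain and domain.endswith(".amazonaws.com"):
        return domain.split(".s3", 1)[0]
    return None


def audit_distribution(cfg: Dict) -> List[str]:
    """Return the findings for one DistributionConfig (empty list means compliant)."""
    findings: List[str] = []

    # Standard logs: the console's "Disabled" state corresponds to Logging.Enabled == false
    logging_cfg = cfg.get("Logging", {})
    if not logging_cfg.get("Enabled", False):
        findings.append("standard logs disabled")
    else:
        # Pre-requisite: the log bucket should not be one of the distribution's own S3 origins
        log_bucket = _s3_bucket_name(logging_cfg.get("Bucket", ""))
        origin_buckets = {
            _s3_bucket_name(o.get("DomainName", ""))
            for o in cfg.get("Origins", {}).get("Items", [])
        }
        origin_buckets.discard(None)
        if log_bucket in origin_buckets:
            findings.append(f"standard logs written to origin bucket {log_bucket}")

    # Real-time logs are attached per cache behavior through RealtimeLogConfigArn
    behaviors = [cfg.get("DefaultCacheBehavior", {})]
    behaviors += cfg.get("CacheBehaviors", {}).get("Items", [])
    if not any(b.get("RealtimeLogConfigArn") for b in behaviors):
        findings.append("no real-time log configuration attached")

    return findings


def audit_all(records: List[Dict]) -> Dict[str, List[str]]:
    """Map each distribution Id to its list of findings."""
    return {r["Id"]: audit_distribution(r["DistributionConfig"]) for r in records}


if __name__ == "__main__":
    for dist_id, findings in audit_all(SAMPLE_DISTRIBUTIONS).items():
        status = "OK" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{dist_id}: {status}")
```

Run against the constructed sample, EXAMPLE1 passes, EXAMPLE2 is flagged for logging into its own origin bucket and for having no real-time log configuration, and EXAMPLE3 is flagged for disabled standard logs. The bucket comparison normalizes both the logging bucket and the S3 origin domain names to the bare bucket name so that regional and global S3 endpoint forms match.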

Implementation Steps:

  • To enable Standard logs

  1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution

  2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home

  3. In the dashboard, choose the CloudFront Distribution for which you want to enable Standard Logs

  4. Click on Edit in the Standard Logs Section

  5. Under Edit standard logs, change Disabled to Enabled and click the Update button


  • To enable Real-Time logs

  1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution

  2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home

  3. Click on Create configuration in Real-time log configuration tab

  4. Set the settings for real-time log configuration and click Create configuration.


Backout Plan:

  • To disable Standard logs

  1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution

  2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home

  3. In the dashboard, choose the CloudFront Distribution for which you want to disable Standard Logs

  4. Click on Edit in the Standard Logs Section

  5. Under Edit standard logs, change Enabled to Disabled

  6. Repeat steps 1 to 5 for every CloudFront Distribution in your AWS account.

  • To disable Real-Time logs

  1. Log in to the AWS Console in the region where you have deployed your CloudFront Distribution

  2. Open the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/home

  3. Select Real-time log configuration and click on Delete


Note:

There are two types of logs in CloudFront:

  • Standard logs (access logs)

    • CloudFront standard logs provide detailed records about every request that’s made to a distribution. These logs are useful for many scenarios, including security and access audits. CloudFront standard logs are delivered to the Amazon S3 bucket of your choice. CloudFront doesn’t charge for standard logs, though you incur Amazon S3 charges for storing and accessing the log files.

  • Real-time logs

    • CloudFront real-time logs provide information about requests made to a distribution, in real time (log records are delivered within seconds of receiving the requests). You can choose the sampling rate for your real-time logs, that is, the percentage of requests for which you want to receive real-time log records. You can also choose the specific fields that you want to receive in the log records. CloudFront real-time logs are delivered to the data stream of your choice in Amazon Kinesis Data Streams. CloudFront charges for real-time logs, in addition to the charges you incur for using Kinesis Data Streams.


Resources: 

https://docs.aws.amazon.com/cloudfront/?id=docs_gateway

Configuring and using standard logs (access logs) - Amazon CloudFront