Description: 

CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance. 


Rationale: 

Enabling CloudFront logging, and directing the logs to a separate, dedicated bucket, preserves per-request records that are useful in security and incident response workflows.


Audit:  

Monitoring is an important part of maintaining the availability and performance of CloudFront and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your CloudFront resources and activity, and responding to potential incidents:


  • Amazon CloudWatch Alarms
    • Using CloudWatch alarms, you watch a single metric over a time period that you specify. If the metric exceeds a given threshold, a notification is sent to an Amazon SNS topic or AWS Auto Scaling policy. CloudWatch alarms do not invoke actions simply because a metric is in a particular state; rather, the state must have changed and been maintained for a specified number of periods. For more information, see Monitoring CloudFront with Amazon CloudWatch.
  • AWS CloudTrail Logs
    • CloudTrail provides a record of actions taken by a user, role, or an AWS service in CloudFront. Using the information collected by CloudTrail, you can determine the request that was made to CloudFront, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see Using AWS CloudTrail to Capture Requests Sent to the CloudFront API.
  • CloudFront Access Logs
    • Server access logs provide detailed records about requests that are made to a distribution. Server access logs are useful for many applications. For example, access log information can be useful in security and access audits. For more information, see Configuring and Using Access Logs.
  • CloudFront Console Reports
    • The CloudFront console includes a variety of reports, including the cache statistics report, the popular objects report, and the top referrers report. Most CloudFront console reports are based on the data in CloudFront access logs, which contain detailed information about every user request that CloudFront receives. However, you don't need to enable access logs to view the reports. For more information, see CloudFront Reports in the Console.
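The audit and remediation steps above can be scripted. The following is an added example (not AWS or benchmark code) that checks every distribution for standard logging and a dedicated log bucket, and builds the corrected DistributionConfig for one that fails. It assumes boto3 credentials allowed to call cloudfront:ListDistributions, GetDistributionConfig and UpdateDistribution; the pure functions take plain dicts shaped like the DistributionConfig that get_distribution_config returns, so they can be run offline against constructed input. The bucket name used in the main block is a hypothetical placeholder.

```python
"""Audit CloudFront distributions for standard (access) logging and, where
needed, build the corrected configuration.

Added example, not AWS or benchmark code. It assumes boto3 credentials
allowed to call cloudfront:ListDistributions, GetDistributionConfig and
UpdateDistribution. The pure functions work on plain dicts shaped like the
DistributionConfig that get_distribution_config returns, so they can be
run offline against constructed input.
"""
import copy


def audit_logging(dist_id, config, expected_bucket=None):
    """Return a list of findings for one distribution; [] means compliant.

    A compliant distribution has Logging.Enabled set and a non-empty
    Logging.Bucket. When expected_bucket is given, the bucket must match it,
    so logs land in the dedicated logging bucket rather than in an arbitrary
    (for example content-serving) bucket.
    """
    findings = []
    logging = config.get("Logging", {})
    if not logging.get("Enabled"):
        findings.append(f"{dist_id}: standard logging is disabled")
        return findings
    bucket = logging.get("Bucket", "")
    if not bucket:
        findings.append(f"{dist_id}: logging enabled but no bucket set")
    elif expected_bucket and bucket != expected_bucket:
        findings.append(
            f"{dist_id}: logs go to {bucket}, expected {expected_bucket}")
    return findings


def with_logging_enabled(config, bucket, prefix, include_cookies=False):
    """Return a copy of config with standard logging enabled.

    bucket is the S3 bucket domain name CloudFront expects, for example
    'my-cf-logs.s3.amazonaws.com'; prefix groups log files per distribution.
    """
    new = copy.deepcopy(config)
    new["Logging"] = {
        "Enabled": True,
        "IncludeCookies": include_cookies,
        "Bucket": bucket,
        "Prefix": prefix,
    }
    return new


def audit_account(client, expected_bucket=None):
    """Audit every distribution visible to the boto3 CloudFront client."""
    findings = []
    for page in client.get_paginator("list_distributions").paginate():
        for item in page.get("DistributionList", {}).get("Items", []):
            cfg = client.get_distribution_config(Id=item["Id"])["DistributionConfig"]
            findings += audit_logging(item["Id"], cfg, expected_bucket)
    return findings


def remediate(client, dist_id, bucket, prefix):
    """Enable logging on one distribution (the update needs the current ETag)."""
    resp = client.get_distribution_config(Id=dist_id)
    new_cfg = with_logging_enabled(resp["DistributionConfig"], bucket, prefix)
    client.update_distribution(
        Id=dist_id, IfMatch=resp["ETag"], DistributionConfig=new_cfg)


if __name__ == "__main__":
    import boto3  # only needed for the live audit, not for the pure functions

    client = boto3.client("cloudfront")
    # Hypothetical bucket name; replace with your dedicated logging bucket.
    for finding in audit_account(client, "my-cf-logs.s3.amazonaws.com"):
        print(finding)
```

One caveat when the remediation is applied: CloudFront writes standard logs to the bucket using an ACL, so the log bucket must have ACLs enabled (S3 Object Ownership not set to "Bucket owner enforced"), and it should be a separate bucket from the ones that serve content, with access restricted to the people and tooling that consume the logs.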

Remediation:

CloudFront logs information about requests for your objects; the scenario below illustrates the process.


In this scenario, you have two websites, A and B, and two corresponding CloudFront distributions. Users request your objects using URLs that are associated with your distributions.


  • CloudFront routes each request to the appropriate edge location.
  • CloudFront writes data about each request to a log file specific to that distribution. In this example, information about requests related to Distribution A goes into a log file just for Distribution A, and information about requests related to Distribution B goes into a log file just for Distribution B.
  • CloudFront periodically saves the log file for a distribution in the Amazon S3 bucket that you specified when you enabled logging. CloudFront then starts saving information about subsequent requests in a new log file for the distribution.

If no users access your content during a given hour, you don't receive any log files for that hour.


Each entry in a log file gives details about a single request. For more information about log file format, see Log File Format. 
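To show what "details about a single request" looks like in practice, here is an added example (not AWS code) that parses CloudFront standard log entries and summarizes them the way a security or access audit would start: error responses per client IP, with a simple threshold for clients whose traffic is mostly errors. The parser is driven by the #Fields header line, so it accepts the full CloudFront field list; SAMPLE_LOG is a constructed excerpt that uses a subset of the real field names, and its IP addresses and distribution domain are documentation/example values, not real traffic.

```python
"""Parse CloudFront standard log entries and pull out the per-client error
picture a responder looks at first. Added example, not AWS code. The parser
is driven by the #Fields header line, so it accepts the full CloudFront
field list; SAMPLE_LOG is a constructed excerpt that uses a subset of the
real field names, and its IPs are documentation addresses.
"""
from collections import Counter
from urllib.parse import unquote

FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
          "cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query "
          "x-edge-result-type")
HOST = "d111111abcdef8.cloudfront.net"  # example distribution domain (constructed)


def _entry(time, ip, path, status, result, ua="Mozilla/5.0%20(X11)"):
    # Build one tab-separated data line in the order given by FIELDS.
    return "\t".join(["2024-01-15", time, "IAD89-C1", "512", ip, "GET", HOST,
                      path, status, "-", ua, "-", result])


SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + FIELDS,
    _entry("10:00:01", "203.0.113.10", "/index.html", "200", "Hit"),
    _entry("10:00:02", "203.0.113.10", "/css/site.css", "200", "Hit"),
    _entry("10:00:05", "198.51.100.7", "/index.html", "200", "Hit"),
    _entry("10:00:06", "198.51.100.7", "/page-1.html", "404", "Error"),
    _entry("10:00:06", "198.51.100.7", "/page-2.html", "404", "Error"),
    _entry("10:00:07", "198.51.100.7", "/page-3.html", "404", "Error"),
    _entry("10:00:07", "198.51.100.7", "/page-4.html", "404", "Error"),
    _entry("10:00:08", "198.51.100.7", "/page-5.html", "404", "Error"),
])


def parse_cloudfront_log(text):
    """Return a list of dicts keyed by the names in the #Fields header.

    Values are URL-decoded, since CloudFront percent-encodes characters
    such as spaces in fields like cs(User-Agent) and cs-uri-stem.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # e.g. the #Version line
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        records.append({k: unquote(v) for k, v in zip(fields, values)})
    return records


def error_counts_by_ip(records):
    """Map client IP -> (4xx/5xx responses, total requests)."""
    total, errors = Counter(), Counter()
    for r in records:
        total[r["c-ip"]] += 1
        if r["sc-status"][:1] in ("4", "5"):
            errors[r["c-ip"]] += 1
    return {ip: (errors[ip], total[ip]) for ip in total}


def flag_high_error_ips(records, min_requests=5, max_error_ratio=0.5):
    """Return IPs with enough traffic and an error share above the threshold.

    A sustained run of 4xx responses from one client is a common trigger
    for a closer look (or a WAF rate-based rule); min_requests keeps a
    single mistyped URL from being flagged.
    """
    flagged = []
    for ip, (errs, total) in error_counts_by_ip(records).items():
        if total >= min_requests and errs / total > max_error_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    print(f"{len(recs)} entries; high-error clients: {flag_high_error_ips(recs)}")
```

Because CloudFront writes one log file per distribution per delivery interval (and none for hours with no traffic), a real run would concatenate the gzipped files for the distribution and time window of interest before parsing; the header-driven parser does not care which subset of columns a given file version carries.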


Resources: 

https://docs.aws.amazon.com/cloudfront/?id=docs_gateway

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html