Profile Applicability:
- Level 1
Description:
This control ensures that Amazon CloudFront distributions have access logging enabled. CloudFront access logs provide detailed records of every request made to your distribution, including information such as request time, source IP, URI, user agent, and response code. These logs are invaluable for security monitoring, troubleshooting, and auditing user activity.
Rationale:
Enabling CloudFront logging allows organizations to monitor traffic patterns, detect anomalies, and investigate security incidents. Logs help identify malicious requests, DDoS attempts, and data exfiltration activities. They also support compliance with auditing and monitoring requirements in frameworks such as SOC 2, ISO 27001, HIPAA, GDPR, and CIS AWS Foundations Benchmark. Without logging, organizations lack visibility into CDN-level activity, making it harder to detect and respond to potential security threats.
Impact:
- Positive Impact: Provides detailed insight into content delivery requests and user activity; supports forensic investigations and incident response; helps meet audit and compliance requirements for monitoring and accountability.
- Negative Impact: Increases S3 storage costs as log files accumulate (mitigated with an S3 lifecycle policy). Log delivery is asynchronous and best-effort: files are typically delivered several times an hour, but individual entries can lag by up to 24 hours, so standard logs are not a real-time alerting source.
Default Value:
By default, CloudFront access logging is disabled. It must be explicitly enabled in each distribution configuration.
Pre-Requisite:
IAM permissions required:
- cloudfront:ListDistributions and cloudfront:GetDistributionConfig to audit, cloudfront:UpdateDistribution to remediate.
- s3:GetBucketAcl and s3:PutBucketAcl on the log bucket, because CloudFront delivers standard logs through a bucket ACL grant to its log-delivery account (the console adds this grant when logging is enabled).
An existing S3 bucket to store access logs, preferably a dedicated logging bucket. The bucket must have ACLs enabled (S3 Object Ownership must not be set to Bucket owner enforced), otherwise CloudFront cannot deliver standard logs to it.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudFront → Distributions.
Select a distribution and choose the General tab.
Scroll down to Settings → Logging.
Verify that:
Logging is set to Enabled.
A valid S3 bucket is specified as the destination for logs.
An optional log prefix is configured (recommended for organization).
If logging is Disabled, the distribution is non-compliant.
Implementation Plan:
Using AWS Console:
Navigate to Amazon CloudFront → Distributions.
Select the target distribution and, on the General tab, click Edit under the Settings section.
Under Logging, set logging to On (the console may label this Enable logging).
Specify a destination S3 bucket to store access logs.
Best practice: Use a dedicated S3 bucket with restricted permissions.
(Optional) Specify a log prefix to easily identify logs from this distribution (e.g., cloudfront-logs/).
Click Save changes to apply the configuration. Saving a distribution change triggers a redeployment, so allow a few minutes before re-checking.
Repeat these steps for all CloudFront distributions.
Backout Plan:
Using AWS Console:
If S3 storage costs or data volume become excessive, logging can be temporarily disabled:
Navigate to CloudFront → Distributions → Edit Settings → Logging, and turn Logging off.
Alternatively, configure an S3 lifecycle policy to automatically archive or delete older log files rather than disabling logging.
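The audit (Test Plan), the remediation (Implementation Plan) and the lifecycle alternative from the Backout Plan, as one added Python example that is not part of this benchmark or of AWS documentation. It assumes a hypothetical log bucket cf-logs, constructed distribution Ids and configurations, and a FakeCloudFront class standing in for boto3.client("cloudfront") so that it runs offline; the request and response shapes are those of the real list_distributions, get_distribution_config and update_distribution calls.

```python
"""Audit and remediate CloudFront standard (access) logging through the boto3 API.
Added example, not part of the benchmark. Hypothetical: bucket "cf-logs", the
distribution Ids and prefixes, and FakeCloudFront standing in for
boto3.client("cloudfront"); the request/response shapes are CloudFront's own."""
import copy

def logging_bucket_dns(bucket_name):
    """CloudFront stores the log bucket as a DNS name, not a bare name or ARN."""
    if bucket_name.endswith(".s3.amazonaws.com"):
        return bucket_name
    return f"{bucket_name}.s3.amazonaws.com"

def assess_logging(dist_config):
    """Return (compliant, notes); compliant = Enabled with a destination bucket."""
    logging = dist_config.get("Logging", {})
    if not logging.get("Enabled"):
        return False, ["logging is disabled"]
    if not logging.get("Bucket"):
        return False, ["logging enabled but no destination bucket set"]
    if not logging.get("Prefix"):
        return True, ["no log prefix set (recommended, not required)"]
    return True, []

def with_logging_enabled(dist_config, bucket_name, prefix, include_cookies=False):
    """Copy of dist_config with logging on. update_distribution replaces the whole
    DistributionConfig, so every other field must be passed back intact."""
    new_config = copy.deepcopy(dist_config)
    new_config["Logging"] = {"Enabled": True, "IncludeCookies": include_cookies,
                             "Bucket": logging_bucket_dns(bucket_name), "Prefix": prefix}
    return new_config

def list_all_distributions(cloudfront):
    """Follow NextMarker so distributions past the first page are not missed."""
    items, marker = [], None
    while True:
        page = cloudfront.list_distributions(**({"Marker": marker} if marker else {}))
        items.extend(page["DistributionList"].get("Items", []))
        if not page["DistributionList"].get("IsTruncated"):
            return items
        marker = page["DistributionList"]["NextMarker"]

def audit(cloudfront):
    """Map distribution Id -> (compliant, notes) across the account."""
    results = {}
    for item in list_all_distributions(cloudfront):
        resp = cloudfront.get_distribution_config(Id=item["Id"])
        results[item["Id"]] = assess_logging(resp["DistributionConfig"])
    return results

def remediate(cloudfront, dist_id, bucket_name, prefix):
    """Enable logging on one distribution. IfMatch carries the ETag from the GET,
    so a concurrent edit fails with PreconditionFailed instead of being clobbered."""
    resp = cloudfront.get_distribution_config(Id=dist_id)
    new_config = with_logging_enabled(resp["DistributionConfig"], bucket_name, prefix)
    cloudfront.update_distribution(Id=dist_id, IfMatch=resp["ETag"],
                                   DistributionConfig=new_config)
    return new_config

def log_retention_rule(prefix, archive_after_days=30, expire_after_days=365):
    """Backout alternative: lifecycle config for s3.put_bucket_lifecycle_configuration
    that moves log objects under prefix to Glacier, then deletes them."""
    return {"Rules": [{"ID": "cloudfront-log-retention", "Status": "Enabled",
                       "Filter": {"Prefix": prefix},
                       "Transitions": [{"Days": archive_after_days, "StorageClass": "GLACIER"}],
                       "Expiration": {"Days": expire_after_days}}]}

class FakeCloudFront:
    """Offline stand-in for boto3.client("cloudfront") over constructed configs."""
    def __init__(self, configs):
        self.configs = configs
        self.etags = {d: f"ETAG{n}" for n, d in enumerate(configs)}
    def list_distributions(self, **kwargs):
        return {"DistributionList": {"IsTruncated": False,
                                     "Items": [{"Id": d} for d in self.configs]}}
    def get_distribution_config(self, Id):
        return {"DistributionConfig": copy.deepcopy(self.configs[Id]), "ETag": self.etags[Id]}
    def update_distribution(self, Id, IfMatch, DistributionConfig):
        if IfMatch != self.etags[Id]:
            raise RuntimeError("PreconditionFailed")  # stale ETag, as AWS would reject
        self.configs[Id], self.etags[Id] = DistributionConfig, IfMatch + "x"
        return {"ETag": self.etags[Id]}

# Constructed sample data: EXAMPLE1 is non-compliant, EXAMPLE2 is compliant.
SAMPLE_CONFIGS = {
    "EXAMPLE1": {"Comment": "site", "Logging": {"Enabled": False, "IncludeCookies": False,
                                                "Bucket": "", "Prefix": ""}},
    "EXAMPLE2": {"Comment": "api", "Logging": {"Enabled": True, "IncludeCookies": False,
                                               "Bucket": "cf-logs.s3.amazonaws.com",
                                               "Prefix": "api/"}},
}

def demo():
    """Audit, enable logging on every non-compliant distribution, audit again."""
    cf = FakeCloudFront(copy.deepcopy(SAMPLE_CONFIGS))
    before = audit(cf)
    for dist_id, (compliant, _) in before.items():
        if not compliant:
            remediate(cf, dist_id, "cf-logs", f"{dist_id.lower()}/")
    return before, audit(cf)
```

Against a real account, pass boto3.client("cloudfront") in place of FakeCloudFront and boto3.client("s3").put_bucket_lifecycle_configuration(Bucket=..., LifecycleConfiguration=log_retention_rule("cloudfront-logs/")) for the retention rule. Two points that the console hides: the bucket must still have ACLs enabled for delivery to work, and because update_distribution replaces the entire DistributionConfig, the remediation deliberately sends back the unmodified GET response with only the Logging block changed.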