Plugin Title: CloudFront Logging Enabled
Cloud: AWS
Category: CloudFront
Description: Ensures CloudFront distributions have request logging enabled.
More Info: Logging requests to CloudFront distributions is a helpful way of detecting and investigating potential attacks, malicious activity, or misuse of backend resources. Logs can be sent to S3 and processed for further analysis.
AWS Link: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
Recommended Action: Enable CloudFront request logging.


Detailed Remediation Steps

  1. Log in to the AWS Management Console.
  2. Select the "Services" option and search for CloudFront.
  3. Select the "CloudFront Distribution" that needs to be verified.
  4. Click the "Distribution Settings" button from the menu to open the "CloudFront Distribution" configuration page.
  5. Click the "Edit" button from the "General" tab on the top menu.
  6. In the "Distribution Settings" tab, scroll down and verify the "Logging" feature configuration status. If Logging is "Off", CloudFront does not create log files that contain detailed information about every user request that it receives.
  7. Click on the "ON" option to enable the Logging feature so that CloudFront logs all viewer requests for files in your distribution.
  8. Click on the "Bucket for Logs" field and specify the Amazon S3 bucket in which you want CloudFront to save web access logs.
  9. Optionally, click on "Log Prefix" and enter a prefix for the names of the log files.
  10. Scroll down and click on "Yes, Edit" to save the changes.
  11. Repeat steps 5 and 6 to check whether any other "CloudFront Distribution" has Logging enabled.
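
The console check in steps 5 and 6 can also be run across every distribution in an account. The following is an added example, not code from the original page or from the scanner it describes: it evaluates the Logging block of each distribution's configuration. The function names, distribution IDs and bucket name are assumptions made for illustration.

```python
"""Added example: flag CloudFront distributions without request logging."""

def logging_finding(dist_id, config):
    """Evaluate one DistributionConfig dict; return (id, status, message)."""
    cfg = config.get("Logging") or {}          # key may be absent or null
    if not cfg.get("Enabled", False):
        return (dist_id, "FAIL", "request logging is not enabled")
    bucket = cfg.get("Bucket", "")
    if not bucket:                              # defensive: enabled but no target
        return (dist_id, "FAIL", "logging enabled but no S3 bucket is set")
    return (dist_id, "PASS", f"logging to {bucket}, prefix {cfg.get('Prefix', '')!r}")

def audit_account(client):
    """Check every distribution using a boto3 CloudFront client.

    list_distributions returns summaries without the Logging block, so each
    distribution's full config is fetched with get_distribution_config.
    """
    findings = []
    for page in client.get_paginator("list_distributions").paginate():
        for item in page.get("DistributionList", {}).get("Items", []):
            resp = client.get_distribution_config(Id=item["Id"])
            findings.append(logging_finding(item["Id"], resp["DistributionConfig"]))
    return findings

# Constructed sample configs (IDs and bucket name are placeholders).
SAMPLE_CONFIGS = {
    "EXAMPLEID0001": {"Logging": {"Enabled": True, "IncludeCookies": False,
                                  "Bucket": "example-logs.s3.amazonaws.com",
                                  "Prefix": "cf/"}},
    "EXAMPLEID0002": {"Logging": {"Enabled": False, "IncludeCookies": False,
                                  "Bucket": "", "Prefix": ""}},
    "EXAMPLEID0003": {},
}

if __name__ == "__main__":
    for dist_id, config in SAMPLE_CONFIGS.items():
        print(*logging_finding(dist_id, config))
    # Against a real account (requires boto3 and credentials):
    #   import boto3
    #   for f in audit_account(boto3.client("cloudfront")): print(*f)
```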
