CloudFront Logging Disabled
- Query id: 7b590235-1ff4-421b-b9ff-5227134be9bb
- Query name: CloudFront Logging Disabled
- Platform: Crossplane
- Severity: Medium
- Category: Observability
- URL: Github
Description¶
AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging' must be defined with 'enabled' set to true
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Postitive test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
logging:
enabled: false
include_cookies: false
bucket: sample.s3.amazonaws.com
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
labels:
cluster: eks
provider: aws
name: cluster-aws
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- base:
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
distributionConfig:
comment: "Crossplane - auto provisioning"
enabled: true
logging:
bucket: sample.s3.amazonaws.com
enabled: false
include_cookies: false
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""
region: us-east-1
name: sample-cloudfront
writeConnectionSecretsToNamespace: crossplane-system
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
logging:
enabled: true
include_cookies: false
bucket: sample.s3.amazonaws.com
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-cloudfront
base:
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
logging:
enabled: true
include_cookies: false
bucket: sample.s3.amazonaws.com
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""