CloudFront Logging Disabled
- Query id: de77cd9f-0e8b-46cc-b4a4-b6b436838642
- Query name: CloudFront Logging Disabled
- Platform: CloudFormation
- Severity: Medium
- Category: Observability
- CWE: Ongoing
- URL: Github
Description¶
AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'DistributionConfig.Logging' should be defined
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution1:
Type: AWS::CloudFront::Distribution
Properties:
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
ViewerProtocolPolicy: allow-all
DistributionConfig:
Origins:
- DomainName: mybucket.s3.amazonaws.com
Id: myS3Origin
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution2:
Type: AWS::CloudFront::Distribution
Properties:
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
ViewerProtocolPolicy: allow-all
DistributionConfig:
Origins:
- DomainName: mybucket.s3.amazonaws.com
Id: myS3Origin
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Logging:
IncludeCookies: 'false'
Bucket: mylogs.amazonaws.com
Prefix: myprefix
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myDistribution1": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DefaultCacheBehavior": {
"AllowedMethods": [
"GET",
"HEAD",
"OPTIONS"
],
"TargetOriginId": "myS3Origin",
"ForwardedValues": {
"QueryString": "false",
"Cookies": {
"Forward": "none"
}
},
"TrustedSigners": [
"1234567890EX"
],
"ViewerProtocolPolicy": "allow-all"
},
"DistributionConfig": {
"Origins": [
{
"DomainName": "mybucket.s3.amazonaws.com",
"Id": "myS3Origin",
"S3OriginConfig": {
"OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
}
}
],
"Enabled": "true",
"Comment": "Some comment",
"DefaultRootObject": "index.html"
}
}
}
}
}
Positive test num. 4 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myDistribution2": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DefaultCacheBehavior": {
"AllowedMethods": [
"GET",
"HEAD",
"OPTIONS"
],
"TargetOriginId": "myS3Origin",
"ForwardedValues": {
"QueryString": "false",
"Cookies": {
"Forward": "none"
}
},
"TrustedSigners": [
"1234567890EX"
],
"ViewerProtocolPolicy": "allow-all"
},
"DistributionConfig": {
"Origins": [
{
"S3OriginConfig": {
"OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
},
"DomainName": "mybucket.s3.amazonaws.com",
"Id": "myS3Origin"
}
],
"Enabled": "true",
"Comment": "Some comment",
"DefaultRootObject": "index.html",
"Logging": {
"IncludeCookies": "false",
"Bucket": "mylogs.amazonaws.com",
"Prefix": "myprefix"
}
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution3:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- DomainName: mybucket.s3.amazonaws.com
Id: myS3Origin
S3OriginConfig:
OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
Enabled: 'true'
Comment: Some comment
DefaultRootObject: index.html
Logging:
IncludeCookies: 'false'
Bucket: mylogs.s3.amazonaws.com
Prefix: myprefix
DefaultCacheBehavior:
AllowedMethods:
- GET
- HEAD
- OPTIONS
TargetOriginId: myS3Origin
ForwardedValues:
QueryString: 'false'
Cookies:
Forward: none
TrustedSigners:
- 1234567890EX
ViewerProtocolPolicy: allow-all
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myDistribution3": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Logging": {
"IncludeCookies": "false",
"Bucket": "mylogs.s3.amazonaws.com",
"Prefix": "myprefix"
},
"Origins": [
{
"DomainName": "mybucket.s3.amazonaws.com",
"Id": "myS3Origin",
"S3OriginConfig": {
"OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
}
}
],
"Enabled": "true",
"Comment": "Some comment",
"DefaultRootObject": "index.html"
}
},
"DefaultCacheBehavior": {
"ForwardedValues": {
"Cookies": {
"Forward": "none"
},
"QueryString": "false"
},
"TrustedSigners": [
"1234567890EX"
],
"ViewerProtocolPolicy": "allow-all",
"AllowedMethods": [
"GET",
"HEAD",
"OPTIONS"
],
"TargetOriginId": "myS3Origin"
}
}
}
}