CloudFront Logging Disabled

  • Query id: de77cd9f-0e8b-46cc-b4a4-b6b436838642
  • Query name: CloudFront Logging Disabled
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Observability
  • CWE: Ongoing
  • URL: Github

Description

AWS CloudFront distributions should have logging enabled so that every viewer request is recorded, which means the attribute 'DistributionConfig.Logging' must be defined. The samples below flag both a distribution with no Logging block at all and one whose Logging.Bucket (mylogs.amazonaws.com) is not an S3 bucket domain; the compliant samples log to mylogs.s3.amazonaws.com.

Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DefaultCacheBehavior:
        AllowedMethods:
        - GET
        - HEAD
        - OPTIONS
        TargetOriginId: myS3Origin
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        TrustedSigners:
        - 1234567890EX
        ViewerProtocolPolicy: allow-all
      DistributionConfig:
        Origins:
        - DomainName: mybucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
        Enabled: 'true'
        Comment: Some comment
        DefaultRootObject: index.html

Positive test num. 2 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution2:
    Type: AWS::CloudFront::Distribution
    Properties:
      DefaultCacheBehavior:
        AllowedMethods:
        - GET
        - HEAD
        - OPTIONS
        TargetOriginId: myS3Origin
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        TrustedSigners:
        - 1234567890EX
        ViewerProtocolPolicy: allow-all
      DistributionConfig:
        Origins:
        - DomainName: mybucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
        Enabled: 'true'
        Comment: Some comment
        DefaultRootObject: index.html
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.amazonaws.com
          Prefix: myprefix

Positive test num. 3 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution1": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DefaultCacheBehavior": {
          "AllowedMethods": [
            "GET",
            "HEAD",
            "OPTIONS"
          ],
          "TargetOriginId": "myS3Origin",
          "ForwardedValues": {
            "QueryString": "false",
            "Cookies": {
              "Forward": "none"
            }
          },
          "TrustedSigners": [
            "1234567890EX"
          ],
          "ViewerProtocolPolicy": "allow-all"
        },
        "DistributionConfig": {
          "Origins": [
            {
              "DomainName": "mybucket.s3.amazonaws.com",
              "Id": "myS3Origin",
              "S3OriginConfig": {
                "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
              }
            }
          ],
          "Enabled": "true",
          "Comment": "Some comment",
          "DefaultRootObject": "index.html"
        }
      }
    }
  }
}

Positive test num. 4 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution2": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DefaultCacheBehavior": {
          "AllowedMethods": [
            "GET",
            "HEAD",
            "OPTIONS"
          ],
          "TargetOriginId": "myS3Origin",
          "ForwardedValues": {
            "QueryString": "false",
            "Cookies": {
              "Forward": "none"
            }
          },
          "TrustedSigners": [
            "1234567890EX"
          ],
          "ViewerProtocolPolicy": "allow-all"
        },
        "DistributionConfig": {
          "Origins": [
            {
              "S3OriginConfig": {
                "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
              },
              "DomainName": "mybucket.s3.amazonaws.com",
              "Id": "myS3Origin"
            }
          ],
          "Enabled": "true",
          "Comment": "Some comment",
          "DefaultRootObject": "index.html",
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.amazonaws.com",
            "Prefix": "myprefix"
          }
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution3:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
        - DomainName: mybucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
        Enabled: 'true'
        Comment: Some comment
        DefaultRootObject: index.html
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
    DefaultCacheBehavior:
      AllowedMethods:
      - GET
      - HEAD
      - OPTIONS
      TargetOriginId: myS3Origin
      ForwardedValues:
        QueryString: 'false'
        Cookies:
          Forward: none
      TrustedSigners:
      - 1234567890EX
      ViewerProtocolPolicy: allow-all

Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution3": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Origins": [
            {
              "DomainName": "mybucket.s3.amazonaws.com",
              "Id": "myS3Origin",
              "S3OriginConfig": {
                "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
              }
            }
          ],
          "Enabled": "true",
          "Comment": "Some comment",
          "DefaultRootObject": "index.html"
        }
      },
      "DefaultCacheBehavior": {
        "ForwardedValues": {
          "Cookies": {
            "Forward": "none"
          },
          "QueryString": "false"
        },
        "TrustedSigners": [
          "1234567890EX"
        ],
        "ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": [
          "GET",
          "HEAD",
          "OPTIONS"
        ],
        "TargetOriginId": "myS3Origin"
      }
    }
  }
}
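The following Python check is an added example, not part of the KICS query or its test fixtures. It applies the rule the samples above illustrate to CloudFormation JSON templates: a distribution is reported when DistributionConfig.Logging is absent or when Logging.Bucket is not an S3 bucket domain. The ".s3.amazonaws.com" suffix requirement is an assumption taken from the positive and negative samples, and the embedded templates are constructed, trimmed versions of those samples.

```python
import json

# Constructed: minimal CloudFormation JSON templates mirroring the page's samples.
NO_LOGGING = json.dumps({"Resources": {"myDistribution1": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {"Enabled": "true", "Origins": []}}}}})
BAD_BUCKET = json.dumps({"Resources": {"myDistribution2": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {"Enabled": "true",
        "Logging": {"Bucket": "mylogs.amazonaws.com", "Prefix": "myprefix"}}}}}})
GOOD = json.dumps({"Resources": {"myDistribution3": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {"Enabled": "true",
        "Logging": {"Bucket": "mylogs.s3.amazonaws.com", "Prefix": "myprefix"}}}},
    "myBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}})

# Assumption: a valid CloudFront log bucket is given as an S3 bucket domain.
S3_SUFFIX = ".s3.amazonaws.com"


def find_cloudfront_logging_issues(template_text):
    """Return (resource_name, reason) for every CloudFront distribution whose
    DistributionConfig.Logging is missing or does not point at an S3 bucket."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue  # only CloudFront distributions are in scope
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        logging = config.get("Logging")
        if not isinstance(logging, dict):
            findings.append((name, "DistributionConfig.Logging is not defined"))
            continue
        bucket = logging.get("Bucket")
        if isinstance(bucket, dict):
            continue  # intrinsic function (e.g. Fn::GetAtt); cannot be resolved statically
        if not isinstance(bucket, str) or not bucket.endswith(S3_SUFFIX):
            findings.append((name, "Logging.Bucket %r is not an S3 bucket domain" % bucket))
    return findings


if __name__ == "__main__":
    for label, text in (("no logging", NO_LOGGING), ("bad bucket", BAD_BUCKET), ("ok", GOOD)):
        print(label, find_cloudfront_logging_issues(text))
```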