CloudFront Logging Disabled

  • Query id: 7b590235-1ff4-421b-b9ff-5227134be9bb
  • Query name: CloudFront Logging Disabled
  • Platform: Crossplane
  • Severity: Medium
  • Category: Observability
  • URL: Github

Description

AWS CloudFront distributions should have standard logging enabled so that every viewer request is recorded. For a Crossplane Distribution this means the attribute 'logging' under 'spec.forProvider.distributionConfig' must be defined with 'enabled' set to true; omitting the 'logging' block or setting 'enabled: false' both fail the check, and a Distribution embedded in a Composition under 'spec.resources[].base' is evaluated the same way. Without these logs, requests served through the distribution leave no per-request record to support incident response or abuse investigation. Logs are delivered to the S3 bucket named in 'bucket'; the standard-logging configuration used here writes through an ACL grant, so that bucket must keep ACLs enabled (the 'Bucket owner enforced' object-ownership setting blocks delivery).
Documentation
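The check described above can be reproduced outside KICS. The following is an added example written for this page, not KICS code or Crossplane provider code: it walks a parsed manifest, unwraps Compositions so that Distributions embedded in spec.resources[].base are inspected too, and reports a finding unless spec.forProvider.distributionConfig.logging exists with enabled set exactly to true. The sample manifests are constructed in-line as Python dicts mirroring the page's YAML samples (plus one variant with no 'logging' block); the optional load_yaml_documents helper needs PyYAML, which is an assumption and is not required for the embedded samples.

```python
"""Flag Crossplane CloudFront Distributions whose viewer-request logging is off.

Added example for this page (not KICS or Crossplane code). A Distribution passes
only when spec.forProvider.distributionConfig.logging is defined and
logging.enabled is exactly True. Compositions are unwrapped so Distributions in
spec.resources[].base are checked as well. Sample manifests are constructed
below as dicts so the module runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

DISTRIBUTION_API_GROUP = "cloudfront.aws.crossplane.io"
LOGGING_PATH = "spec.forProvider.distributionConfig.logging"


@dataclass(frozen=True)
class Finding:
    resource: str   # metadata.name of the manifest carrying the issue
    path: str       # dotted path of the missing or offending attribute
    message: str


def _is_distribution(obj: dict) -> bool:
    return obj.get("kind") == "Distribution" and str(
        obj.get("apiVersion", "")).startswith(DISTRIBUTION_API_GROUP)


def iter_distributions(doc: dict) -> Iterator[tuple[str, str, dict]]:
    """Yield (owner name, path prefix, distribution) for every CloudFront
    Distribution in a document: the document itself, or each Composition base."""
    name = (doc.get("metadata") or {}).get("name", "<unnamed>")
    if _is_distribution(doc):
        yield name, "", doc
    elif doc.get("kind") == "Composition":
        resources = (doc.get("spec") or {}).get("resources") or []
        for idx, res in enumerate(resources):
            base = res.get("base") or {}
            if _is_distribution(base):
                yield name, f"spec.resources[{idx}].base.", base


def check_document(doc: dict) -> list[Finding]:
    """Apply the logging rule to one manifest and return its findings."""
    findings: list[Finding] = []
    for name, prefix, dist in iter_distributions(doc):
        for_provider = (dist.get("spec") or {}).get("forProvider") or {}
        config = for_provider.get("distributionConfig") or {}
        logging_cfg = config.get("logging")
        if logging_cfg is None:
            findings.append(Finding(name, prefix + LOGGING_PATH,
                                    "'logging' is not defined, viewer requests are not logged"))
        elif logging_cfg.get("enabled") is not True:  # strict: rejects "true" strings too
            findings.append(Finding(name, prefix + LOGGING_PATH + ".enabled",
                                    "'logging.enabled' is not true, viewer requests are not logged"))
    return findings


def check_documents(docs) -> list[Finding]:
    return [f for d in docs if isinstance(d, dict) for f in check_document(d)]


def load_yaml_documents(text: str) -> list[dict]:
    """Parse a multi-document YAML stream. Assumes PyYAML is installed (optional)."""
    import yaml  # assumption: pip install pyyaml
    return [d for d in yaml.safe_load_all(text) if isinstance(d, dict)]


# ---- constructed samples mirroring the page's YAML (not real deployments) ----
def _distribution(logging_cfg, name="sample-distribution") -> dict:
    config = {"enabled": True, "comment": "Crossplane - auto provisioning",
              "origins": {"items": [{"domainName": "sample.s3.amazonaws.com", "id": "s3Origin",
                                     "s3OriginConfig": {"originAccessIdentity": ""}}]}}
    if logging_cfg is not None:
        config["logging"] = logging_cfg
    return {"apiVersion": "cloudfront.aws.crossplane.io/v1alpha1", "kind": "Distribution",
            "metadata": {"name": name},
            "spec": {"forProvider": {"region": "us-east-1", "distributionConfig": config}}}


def _composition(base: dict, name="cluster-aws") -> dict:
    return {"apiVersion": "apiextensions.crossplane.io/v1", "kind": "Composition",
            "metadata": {"name": name},
            "spec": {"compositeTypeRef": {"apiVersion": "mydev.org/v1alpha1", "kind": "CompositeCluster"},
                     "resources": [{"name": "sample-cloudfront", "base": base}]}}


LOGGING_OFF = {"enabled": False, "includeCookies": False, "bucket": "sample.s3.amazonaws.com"}
LOGGING_ON = dict(LOGGING_OFF, enabled=True)
POSITIVE_DISTRIBUTION = _distribution(LOGGING_OFF)          # fails: enabled false
NEGATIVE_DISTRIBUTION = _distribution(LOGGING_ON)           # passes
POSITIVE_COMPOSITION = _composition(_distribution(LOGGING_OFF))  # fails inside base
MISSING_LOGGING = _distribution(None, name="no-logging-block")   # fails: block absent

if __name__ == "__main__":
    for f in check_documents([POSITIVE_DISTRIBUTION, NEGATIVE_DISTRIBUTION,
                              POSITIVE_COMPOSITION, MISSING_LOGGING]):
        print(f"{f.resource}: {f.path}: {f.message}")
```

Run it directly to see the three findings; to scan real manifests, read the file, pass its text through load_yaml_documents and hand the result to check_documents.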

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      logging:
        enabled: false        # flagged: viewer request logging is turned off
        includeCookies: false
        bucket: sample.s3.amazonaws.com
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIdentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  labels:
    cluster: eks
    provider: aws
  name: cluster-aws
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - base:
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            distributionConfig:
              comment: "Crossplane - auto provisioning"
              enabled: true
              logging:
                bucket: sample.s3.amazonaws.com
                enabled: false        # flagged: viewer request logging is turned off
                includeCookies: false
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIdentity: ""
            region: us-east-1
      name: sample-cloudfront
  writeConnectionSecretsToNamespace: crossplane-system

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      logging:
        enabled: true         # viewer requests are delivered to the bucket below
        includeCookies: false
        bucket: sample.s3.amazonaws.com
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIdentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
  - name: metadata
    patches:
    - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base:
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              logging:
                enabled: true         # viewer requests are delivered to the bucket below
                includeCookies: false
                bucket: sample.s3.amazonaws.com
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIdentity: ""