Amazon CloudFront

CloudFront Logging Disabled

This plugin ensures that the CloudFront distribution request logging is enabled.

Risk Level: Low

Description: 

This plugin checks that standard (access) logging is enabled on each CloudFront distribution. CloudFront standard logs record every viewer request the distribution serves (timestamp, edge location, client IP, request URI, status code and more) and are delivered to an S3 bucket that you choose, where they can be retained and analyzed to identify and investigate attacks, malicious activity, or misuse of backend resources.

PingSafe strongly recommends enabling CloudFront request logging.

About the Service :

Amazon CloudFront is a web service that accelerates delivery of your online content, such as .html, .css, .js, or image files, to your users. CloudFront serves your content from a global network of data centers known as edge locations. When a user requests content that you serve through CloudFront, the request is routed to the edge location with the lowest latency, which gives the best performance for that content.

Impact : 

With logging disabled, requests to the distribution leave no record. Attacks, malicious activity, or misuse of backend resources can then neither be detected from CloudFront data nor reconstructed afterwards during an investigation. The distribution itself is no easier to attack, but a compromise behind it is far more likely to go unnoticed and unexplained.

Steps to reproduce :

  1. Log in to the AWS Console.
  2. Go to the CloudFront dashboard.
  3. Click Distributions in the left panel and select the distribution to check.
  4. On the General tab, click the Edit button in the Settings section.
  5. Check whether the Logging (standard logging) feature is On or Off. If it is Off, the selected distribution is not recording the requests made to your web content.
  6. Repeat for every distribution in the account.



Steps for remediation :

  1. Log in to the AWS Console.
  2. Go to the CloudFront dashboard.
  3. Click Distributions in the left panel and select the distribution to remediate.
  4. On the General tab, click the Edit button in the Settings section.
  5. If the Logging (standard logging) feature is Off, switch it On, choose the S3 bucket that should receive the logs, optionally set a log prefix, and save the changes. The bucket must permit ACLs (S3 Object Ownership must not be set to "Bucket owner enforced"), because CloudFront writes standard logs using a bucket ACL grant to its log delivery account.
  6. Repeat for every distribution that was found with logging disabled.
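The same check and remediation, done against the distribution configuration instead of the console, as an added example that is not PingSafe's own code. The sample configuration below is constructed by hand in the shape that `aws cloudfront get-distribution-config` (or boto3's `get_distribution_config`) returns, trimmed to the fields the check needs; the distribution IDs and bucket name are placeholders, and the boto3 call at the end is only exercised when real credentials are available.

```python
import copy

# Constructed sample: the "DistributionConfig" object as returned by
# get-distribution-config, reduced to the fields relevant to this check.
# Values are placeholders, not a real distribution.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Comment": "constructed example distribution",
    "Enabled": True,
    "Logging": {
        "Enabled": False,      # this is what the plugin flags
        "IncludeCookies": False,
        "Bucket": "",
        "Prefix": "",
    },
}


def logging_enabled(config: dict) -> bool:
    """True only if standard (access) logging is switched on.

    A config with no Logging block at all is treated as disabled, which
    is the conservative reading for a detection check.
    """
    return bool(config.get("Logging", {}).get("Enabled", False))


def audit(distributions: dict) -> list:
    """Given {distribution_id: DistributionConfig}, return the failing IDs."""
    return sorted(d for d, cfg in distributions.items() if not logging_enabled(cfg))


def enable_logging(config: dict, bucket: str, prefix: str = "",
                   include_cookies: bool = False) -> dict:
    """Return a copy of the config with standard logging enabled.

    CloudFront documents the bucket in DNS form, e.g.
    "my-log-bucket.s3.amazonaws.com", not as a bare name or ARN, so the
    value is validated before it is written into the config.
    """
    if not bucket.endswith(".s3.amazonaws.com"):
        raise ValueError("bucket must be given as <name>.s3.amazonaws.com")
    fixed = copy.deepcopy(config)          # never mutate the caller's copy
    fixed["Logging"] = {
        "Enabled": True,
        "IncludeCookies": include_cookies,
        "Bucket": bucket,
        "Prefix": prefix,
    }
    return fixed


def remediate_with_boto3(distribution_id: str, bucket: str, prefix: str = "") -> bool:
    """Apply enable_logging() to a live distribution; returns True if changed.

    UpdateDistribution replaces the whole config and is guarded by the ETag
    from GetDistributionConfig (IfMatch), so the flow is read, modify, write.
    Requires AWS credentials; not exercised in the offline example.
    """
    import boto3  # assumed to be installed where this is run
    cf = boto3.client("cloudfront")
    resp = cf.get_distribution_config(Id=distribution_id)
    current = resp["DistributionConfig"]
    if logging_enabled(current):
        return False
    cf.update_distribution(
        Id=distribution_id,
        IfMatch=resp["ETag"],
        DistributionConfig=enable_logging(current, bucket, prefix),
    )
    return True


if __name__ == "__main__":
    # Offline walk-through on the constructed sample (placeholder IDs).
    fleet = {
        "E1EXAMPLEOFF": SAMPLE_CONFIG,
        "E2EXAMPLEON": enable_logging(SAMPLE_CONFIG, "my-log-bucket.s3.amazonaws.com", "cloudfront/"),
    }
    print("distributions with logging disabled:", audit(fleet))
```

The check reads the legacy `Logging` block of the distribution config, which is what the console's standard logging switch sets; a distribution whose access logs are delivered only through the newer CloudWatch-based standard logging v2 would still be reported as disabled by this logic, so treat a finding as a prompt to verify rather than as proof that no logs exist.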
