CloudFront distributions must have access logging enabled to record viewer requests for incident investigation and auditing. Without logs, you cannot reliably detect abuse, investigate incidents, or meet audit requirements.
For Ansible CloudFront distribution resources (modules community.aws.cloudfront_distribution and cloudfront_distribution), the logging property must be defined and logging.enabled set to true. Tasks missing logging or with logging.enabled: false are flagged. Ensure a valid S3 bucket is specified in logging.bucket as the log destination.
Secure configuration example:
```yaml
- name: Create CloudFront distribution with logging enabled
  community.aws.cloudfront_distribution:
    origins:
      - id: my-origin
        domain_name: origin.example.com
    enabled: yes
    logging:
      enabled: true
      bucket: my-log-bucket.s3.amazonaws.com
      include_cookies: false
```
Compliant Code Examples
```yaml
- name: create a distribution with an origin, logging and default cache behavior
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: my test origin-000111
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: my test origin-000111
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: allow-all
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD
    logging:
      enabled: true
      include_cookies: false
      bucket: mylogbucket.s3.amazonaws.com
      prefix: myprefix/
    enabled: false
    comment: this is a CloudFront distribution with logging
```
Non-Compliant Code Examples
```yaml
- name: create a distribution with an origin, logging and default cache behavior
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: 'my test origin-000111'
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: allow-all
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD
    enabled: false
    comment: this is a CloudFront distribution with logging

- name: create a second distribution with an origin, logging and default cache behavior
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: 'my test origin-000111'
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: allow-all
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD
    logging:
      enabled: false
      include_cookies: false
      bucket: mylogbucket.s3.amazonaws.com
      prefix: myprefix/
    enabled: false
    comment: this is a CloudFront distribution with logging
```
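As an added example (not Datadog's rule engine or the Ansible module's own code), a small Python checker that applies this rule to parsed playbook tasks, covering the compliant and non-compliant cases above plus Ansible's alternate boolean spellings such as `yes`. It assumes the playbook has already been loaded into plain dicts by a YAML loader; the sample tasks are constructed inline.

```python
# Added example (not Datadog's rule engine): flag Ansible CloudFront distribution
# tasks whose access logging is missing or disabled. Tasks are dicts as a YAML loader yields.
CLOUDFRONT_MODULES = {"community.aws.cloudfront_distribution", "cloudfront_distribution"}
TRUTHY = {True, "true", "yes", "on", "1"}


def is_truthy(value):
    """Ansible accepts several spellings of boolean true; normalize strings."""
    if isinstance(value, str):
        value = value.strip().lower()
    return isinstance(value, (int, str)) and value in TRUTHY


def check_task(task):
    """Return the findings for one task; an empty list means compliant."""
    module = next((m for m in CLOUDFRONT_MODULES if m in task), None)
    if module is None:
        return []  # not a CloudFront distribution task; the rule does not apply
    params = task[module] or {}
    name = task.get("name", "<unnamed task>")
    logging_cfg = params.get("logging")
    if not isinstance(logging_cfg, dict):
        return [f"{name}: 'logging' is not defined"]
    findings = []
    if not is_truthy(logging_cfg.get("enabled")):
        findings.append(f"{name}: logging.enabled is not true")
    if not logging_cfg.get("bucket"):
        findings.append(f"{name}: logging.bucket (S3 log destination) is missing")
    return findings


def check_playbook(tasks):
    """Run check_task over every task in a playbook's task list."""
    return [f for task in tasks for f in check_task(task)]


# Constructed sample tasks mirroring the compliant and non-compliant cases above.
SAMPLE_TASKS = [
    {"name": "compliant", "community.aws.cloudfront_distribution": {
        "enabled": "yes",
        "logging": {"enabled": "true", "bucket": "my-log-bucket.s3.amazonaws.com"}}},
    {"name": "no logging block", "cloudfront_distribution": {"enabled": True}},
    {"name": "logging disabled", "community.aws.cloudfront_distribution": {
        "logging": {"enabled": False, "bucket": "mylogbucket.s3.amazonaws.com"}}},
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "not a distribution"}},
]

if __name__ == "__main__":
    print(*check_playbook(SAMPLE_TASKS), sep="\n")
```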
Rulesets: Ansible / AWS (Rules to enforce / AWS)