For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cloudfront-logging-disabled.md. A documentation index is available at /llms.txt.

CloudFront logging disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-cloudfront-logging-disabled

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Observability

Learn More

Description

CloudFront distributions must have access logging enabled so viewer requests are captured for incident investigation and traffic analysis. Without logs, you cannot audit access patterns, investigate abuse, or troubleshoot delivery problems.

For AWS::CloudFront::Distribution resources, DistributionConfig.Logging must be defined when the distribution is enabled (that is, DistributionConfig.Enabled is not set to false).

The logging configuration must include a Bucket value that points to an Amazon S3 bucket using the S3 domain suffix (it must end with .s3.amazonaws.com). Resources missing Logging or with a Bucket that does not end with .s3.amazonaws.com will be flagged.

Secure configuration example:

MyDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true
      Logging:
        Bucket: my-log-bucket.s3.amazonaws.com
        IncludeCookies: false
        Prefix: access-logs/
      # ... other distribution settings ...

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution3:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
        - DomainName: mybucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
        Enabled: 'true'
        Comment: Some comment
        DefaultRootObject: index.html
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
    DefaultCacheBehavior:
      AllowedMethods:
      - GET
      - HEAD
      - OPTIONS
      TargetOriginId: myS3Origin
      ForwardedValues:
        QueryString: 'false'
        Cookies:
          Forward: none
      TrustedSigners:
      - 1234567890EX
      ViewerProtocolPolicy: allow-all

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution3": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Origins": [
            {
              "DomainName": "mybucket.s3.amazonaws.com",
              "Id": "myS3Origin",
              "S3OriginConfig": {
                "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
              }
            }
          ],
          "Enabled": "true",
          "Comment": "Some comment",
          "DefaultRootObject": "index.html"
        }
      },
      "DefaultCacheBehavior": {
        "ForwardedValues": {
          "Cookies": {
            "Forward": "none"
          },
          "QueryString": "false"
        },
        "TrustedSigners": [
          "1234567890EX"
        ],
        "ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": [
          "GET",
          "HEAD",
          "OPTIONS"
        ],
        "TargetOriginId": "myS3Origin"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DefaultCacheBehavior:
        AllowedMethods:
        - GET
        - HEAD
        - OPTIONS
        TargetOriginId: myS3Origin
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        TrustedSigners:
        - 1234567890EX
        ViewerProtocolPolicy: allow-all
      DistributionConfig:
        Origins:
        - DomainName: mybucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
        Enabled: 'true'
        Comment: Some comment
        DefaultRootObject: index.html

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution2:
    Type: AWS::CloudFront::Distribution
    Properties:
      DefaultCacheBehavior:
        AllowedMethods:
        - GET
        - HEAD
        - OPTIONS
        TargetOriginId: myS3Origin
        ForwardedValues:
          QueryString: 'false'
          Cookies:
            Forward: none
        TrustedSigners:
        - 1234567890EX
        ViewerProtocolPolicy: allow-all
      DistributionConfig:
        Origins:
        - DomainName: mybucket.s3.amazonaws.com
          Id: myS3Origin
          S3OriginConfig:
            OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
        Enabled: 'true'
        Comment: Some comment
        DefaultRootObject: index.html
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.amazonaws.com
          Prefix: myprefix

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution1": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DefaultCacheBehavior": {
          "AllowedMethods": [
            "GET",
            "HEAD",
            "OPTIONS"
          ],
          "TargetOriginId": "myS3Origin",
          "ForwardedValues": {
            "QueryString": "false",
            "Cookies": {
              "Forward": "none"
            }
          },
          "TrustedSigners": [
            "1234567890EX"
          ],
          "ViewerProtocolPolicy": "allow-all"
        },
        "DistributionConfig": {
          "Origins": [
            {
              "DomainName": "mybucket.s3.amazonaws.com",
              "Id": "myS3Origin",
              "S3OriginConfig": {
                "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
              }
            }
          ],
          "Enabled": "true",
          "Comment": "Some comment",
          "DefaultRootObject": "index.html"
        }
      }
    }
  }
}