---
title: CloudFront distribution should have logging enabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > CloudFront distribution should have
  logging enabled
---

# CloudFront distribution should have logging enabled
 
## Description{% #description %}

Ensure logging is enabled for AWS CloudFront so that details of every request, such as the client IP address and the resource accessed, are recorded.

## Rationale{% #rationale %}

Logging records the requests made through the CDN. With this information, you can detect changes in request patterns, complete security audits, and use other AWS tooling such as AWS WAF to block requests from specific IP addresses.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Configuring and using standard logs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#AccessLogsBucketAndFileOwnership) docs to enable logging for AWS CloudFront.

### From the command line{% #from-the-command-line %}

1. Run `create-bucket` to [create an S3 bucket](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/create-bucket.html) for your CloudFront log files. CloudFront delivers standard logs using the bucket's ACL, so the bucket must not have ACLs disabled (Object Ownership set to "bucket owner enforced"); see the AWS docs linked above.

   In the `create-bucket.sh` file:

   ```bash
   # Outside us-east-1, also pass:
   #   --create-bucket-configuration LocationConstraint=<region>
   aws s3api create-bucket \
       --bucket your-bucket-name
   ```

1. Once the S3 bucket location is returned, run `get-distribution-config` with your AWS CloudFront distribution ID to retrieve your [distribution's configuration information](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html). The response contains the `DistributionConfig` object and an `ETag`; both are needed in step 4.

   In the `get-distribution-config.sh` file:

   ```bash
   aws cloudfront get-distribution-config \
       --id ID000000000000
   ```

1. Create a new JSON file containing the `DistributionConfig` object from the returned configuration (omit the top-level `ETag`; it is passed separately in step 4). In its `Logging` block, set `Enabled` to `true` and `Bucket` to the S3 bucket location returned in step 1, so that logs are written there. Save the file.

   In the `logging-enabled.json` file:

   ```json
   {
       ...
       "Logging": {
           "Enabled": true,
           "IncludeCookies": false,
           "Bucket": "your-bucket-name.s3.amazonaws.com",
           "Prefix": ""
       },
       ...
   }
   ```

1. Run `update-distribution` to [update your distribution](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html) with your distribution `id`, the path of the configuration file (created in step 3, passed with the `file://` prefix), and the `etag` returned in step 2.

   In the `update-distribution.sh` file:

   ```bash
   aws cloudfront update-distribution \
       --id ID000000000000 \
       --distribution-config file://logging-enabled.json \
       --if-match ETAG1000000000
   ```
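The same check and remediation, scripted: an added example (not Datadog's or AWS's code) that evaluates a `DistributionConfig` the way this rule does and builds the `update-distribution` payload from a `get-distribution-config` response. The sample response, IDs and bucket name are constructed placeholders; the optional `apply_with_boto3` helper assumes `boto3` and AWS credentials are available.

```python
"""Check a CloudFront DistributionConfig for standard logging and build
the update payload (added example; assumes the get-distribution-config
response shape: {"ETag": ..., "DistributionConfig": {...}})."""
import copy

# Constructed sample: a distribution whose logging is off.
SAMPLE_RESPONSE = {
    "ETag": "ETAG1000000000",  # placeholder
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Comment": "",
        "Enabled": True,
        "Logging": {"Enabled": False, "IncludeCookies": False,
                    "Bucket": "", "Prefix": ""},
    },
}


def logging_enabled(config: dict) -> bool:
    """Rule check: logging must be on AND point at a bucket. Enabled=true
    with an empty Bucket still produces no logs, so it is a finding."""
    logging = config.get("Logging") or {}
    return bool(logging.get("Enabled")) and bool(logging.get("Bucket"))


def build_update(response: dict, bucket: str, prefix: str = ""):
    """Return (etag, config) for update-distribution. The ETag is kept out
    of the body (it goes in --if-match / IfMatch) and the Logging block is
    rewritten with all four fields the CloudFront API requires."""
    etag = response["ETag"]
    config = copy.deepcopy(response["DistributionConfig"])
    config["Logging"] = {
        "Enabled": True,
        "IncludeCookies": False,
        "Bucket": f"{bucket}.s3.amazonaws.com",  # S3 bucket domain form
        "Prefix": prefix,
    }
    return etag, config


def apply_with_boto3(distribution_id: str, bucket: str) -> bool:
    """Remediate one distribution; returns True if an update was sent."""
    import boto3  # imported here so the check functions run without it
    cf = boto3.client("cloudfront")
    resp = cf.get_distribution_config(Id=distribution_id)
    if logging_enabled(resp["DistributionConfig"]):
        return False  # already compliant
    etag, config = build_update(resp, bucket)
    cf.update_distribution(Id=distribution_id, DistributionConfig=config,
                           IfMatch=etag)
    return True
```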
