AWS CloudFront distribution should have logging enabled

Description

Ensure logging is enabled for AWS CloudFront so that request details such as client IP addresses and access points are recorded.

Rationale

Logging tracks requests made through the CDN. With this information, you can detect changes in requests, complete security audits, and use other AWS tooling such as AWS WAF to block requests from certain IP addresses.

Remediation

From the console

Follow the Configuring and using standard logs docs to enable logging for AWS CloudFront.

From the command line

  1. Run create-bucket to create an S3 bucket for your CloudFront log files.

    create-bucket.sh

        aws s3api create-bucket \
            --bucket your-bucket-name
        
  2. Once the S3 bucket location is returned, run get-distribution-config with your AWS CloudFront distribution ID to retrieve your distribution’s configuration information.

    get-distribution-config.sh

        aws cloudfront get-distribution-config \
            --id ID000000000000
        
  3. Copy the DistributionConfig object from the returned output into a new JSON file (the ETag is passed separately in step 4). Set "Enabled" to true and "Bucket" to the S3 bucket created in step 1 so that the logs are stored there; "IncludeCookies" and "Prefix" are required by the API and can be left as false and "". Save the file.

    logging-enabled.json

        {
          ...
          "Logging": {
            "Enabled": true,
            "IncludeCookies": false,
            "Bucket": "your-bucket-name.s3.amazonaws.com",
            "Prefix": ""
          },
          ...
        }
        
  4. Run update-distribution with your distribution ID, the path of the configuration file created in step 3 (prefixed with file://), and the ETag returned in step 2 to update your distribution.

    update-distribution.sh

        aws cloudfront update-distribution \
            --id ID000000000000 \
            --distribution-config file://logging-enabled.json \
            --if-match ETAG1000000000
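As an added example (not part of the original page): a Python check over the JSON returned by get-distribution-config that flags a distribution whose standard logging is off or has no bucket, then builds the corrected DistributionConfig to pass to update-distribution. The sample response, bucket name and prefix are constructed.

```python
import json

# Constructed sample: the shape returned by `aws cloudfront get-distribution-config`,
# trimmed to the fields this check needs. Logging is off, as on a non-compliant distribution.
SAMPLE_RESPONSE = json.loads("""
{
  "ETag": "ETAG1000000000",
  "DistributionConfig": {
    "CallerReference": "constructed-ref",
    "Comment": "constructed sample distribution",
    "Enabled": true,
    "Logging": {"Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": ""}
  }
}
""")


def logging_enabled(dist_config: dict) -> bool:
    """Return True only if standard logging is on AND points at a log bucket."""
    logging = dist_config.get("Logging") or {}
    return bool(logging.get("Enabled")) and bool(logging.get("Bucket"))


def with_logging(dist_config: dict, bucket: str, prefix: str = "") -> dict:
    """Return a copy of DistributionConfig with standard logging enabled.

    `bucket` is the S3 bucket name; CloudFront expects the bucket's S3 domain,
    so a bare name is expanded to <name>.s3.amazonaws.com.
    """
    if not bucket:
        raise ValueError("a log bucket name is required")
    if not bucket.endswith(".s3.amazonaws.com"):
        bucket = f"{bucket}.s3.amazonaws.com"
    updated = json.loads(json.dumps(dist_config))  # deep copy; leave the input untouched
    updated["Logging"] = {
        "Enabled": True,
        "IncludeCookies": False,  # cookies in access logs can carry session tokens; keep them out
        "Bucket": bucket,
        "Prefix": prefix,
    }
    return updated


if __name__ == "__main__":
    cfg = SAMPLE_RESPONSE["DistributionConfig"]
    print("logging enabled before:", logging_enabled(cfg))
    fixed = with_logging(cfg, "your-bucket-name", "cloudfront/")
    print("logging enabled after:", logging_enabled(fixed))
    # This is the body for: aws cloudfront update-distribution --distribution-config file://...
    print(json.dumps(fixed, indent=2))
```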