Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- General Data Protection Regulation (GDPR)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The Cloudfront access logs contain detailed information (requested object name, date and time of the access, client IP, access point, error code, etc) about each request made for your web content, information that can be extremely useful during security audits or as input data for various analytics/reporting tools. You can also use this feature in combination with AWS Lambda and AWS WAF to process the logging data and block the requests coming from those IP addresses that generate too many error codes as the requests that generate these errors are often made by attackers trying to find vulnerabilities within your website/web application.
To determine if your Cloudfront CDN distributions have access logging enabled, perform the following:
Remediation / Resolution
To enable access logging for your Cloudfront CDN distributions, perform the following:
- AWS Command Line Interface (CLI) Documentation
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
CloudFront Logging Enabled
Risk level: Medium