cloud/aws/cloudfront/cloudfront-logging-disabled.yaml

id: cloudfront-logging-disabled

info:
  name: Cloudfront Logging Disabled
  author: DhiyaneshDK
  severity: medium
  description: |
    Ensure that access (standard) logging is enabled for your Amazon CloudFront distributions in order to track all viewer requests for the web content delivered through the Content Delivery Network (CDN).
  impact: |
    Disabling CloudFront logging reduces visibility into traffic patterns, hinders incident response and forensic analysis, compromises compliance efforts, and limits troubleshooting capabilities, increasing security risks.
  remediation: |
    Enable encryption for all existing EBS volumes and ensure that all new volumes created are configured to use encryption by default. Additionally, update any snapshots to be encrypted and use AWS Key Management Service (KMS) to manage encryption keys securely.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-logging-enabled.html
    - http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
  tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config

variables:
  region: "us-west-2"

flow: |
  code(1)
  for(let DistributionListItemsId of iterate(template.distributions)){
    set("distribution", DistributionListItemsId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash

    source: |
      aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json

    extractors:
      - type: json
        name: distributions
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash

    source: |
        aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Logging.Enabled' --region $region --output text

    matchers:
      - type: word
        words:
          - "False"

    extractors:
      - type: dsl
        dsl:
          - '"Cloudfront Logging " + distribution + " is Disabled"'
# digest: 4a0a0047304502200285c729ba0b638126b679fa50d620ddaa0c8ccf98e7fb0d5292f8f7f544746c022100e46eb51abb3cb736a33c0648ff14957f1285349c4e4f5bc69dc2ad222e1dc07b:922c64590222798bb761d5b6d8e72950
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`id: cloudfront-logging-disabled`

			`info:`
			`name: Cloudfront Logging Disabled`
			`author: DhiyaneshDK`
			`severity: medium`
			`description: \|`
fix-trail-space 2024-10-18 08:17:46 +05:30			`Ensure that access (standard) logging is enabled for your Amazon CloudFront distributions in order to track all viewer requests for the web content delivered through the Content Delivery Network (CDN).`
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`impact: \|`
			`Disabling CloudFront logging reduces visibility into traffic patterns, hinders incident response and forensic analysis, compromises compliance efforts, and limits troubleshooting capabilities, increasing security risks.`
			`remediation: \|`
			`Enable encryption for all existing EBS volumes and ensure that all new volumes created are configured to use encryption by default. Additionally, update any snapshots to be encrypted and use AWS Key Management Service (KMS) to manage encryption keys securely.`
			`reference:`
			`- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-logging-enabled.html`
			`- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html`
			`tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`variables:`
			`region: "us-west-2"`

			`flow: \|`
			`code(1)`
			`for(let DistributionListItemsId of iterate(template.distributions)){`
			`set("distribution", DistributionListItemsId)`
			`code(2)`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`

			`source: \|`
			`aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json`

			`extractors:`
			`- type: json`
			`name: distributions`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`

			`source: \|`
			`aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Logging.Enabled' --region $region --output text`

			`matchers:`
			`- type: word`
			`words:`
			`- "False"`

			`extractors:`
			`- type: dsl`
			`dsl:`
fix-trail-space 2024-10-18 08:17:46 +05:30			`- '"Cloudfront Logging " + distribution + " is Disabled"'`
chore: sign templates 🤖 2024-12-01 13:57:55 +00:00			`# digest: 4a0a0047304502200285c729ba0b638126b679fa50d620ddaa0c8ccf98e7fb0d5292f8f7f544746c022100e46eb51abb3cb736a33c0648ff14957f1285349c4e4f5bc69dc2ad222e1dc07b:922c64590222798bb761d5b6d8e72950`