
CloudFront Distribution Logging Enabled

Overview

This check verifies that your Amazon CloudFront distributions have logging enabled. CloudFront can log details about every request it receives, including viewer IP addresses, request timestamps, and response status codes. These logs are essential for security monitoring and troubleshooting.

Risk

Without logging enabled on your CloudFront distributions, you lose visibility into traffic patterns at your edge locations. This makes it difficult to:

  • Detect bot abuse, credential stuffing, or DDoS attempts
  • Investigate security incidents after the fact
  • Identify unauthorized access or origin probing
  • Troubleshoot cache behavior or performance issues

Severity: Medium

Remediation Steps

Prerequisites

  • Access to the AWS Console with permissions to modify CloudFront distributions
  • An S3 bucket to store the logs (you can create one during setup)

S3 bucket requirements for CloudFront logging

Your logging bucket must:

  • Be in the same AWS account as the CloudFront distribution
  • Have ACLs enabled (new buckets default to ACLs disabled; see below)
  • Carry a bucket ACL grant of FULL_CONTROL for the awslogsdelivery account. CloudFront adds this grant when you enable logging, provided the principal enabling it has s3:GetBucketAcl and s3:PutBucketAcl on the bucket.

To enable ACLs on an existing bucket:

  1. Go to S3 in the AWS Console
  2. Select your bucket and click the Permissions tab
  3. Under Object Ownership, click Edit
  4. Select ACLs enabled and choose Bucket owner preferred
  5. Acknowledge the warning and save

AWS Console Method

  1. Open the CloudFront console

  2. Select the distribution you want to configure

  3. Click the General tab, then click Edit in the Settings section

  4. Scroll down to Standard logging and set it to On

  5. For S3 bucket, select an existing bucket or enter a bucket name (e.g., my-cloudfront-logs-bucket.s3.amazonaws.com)

  6. (Optional) Enter a Log prefix to organize logs (e.g., cloudfront-logs/my-distribution/)

  7. Click Save changes

  8. Wait for the change to finish propagating: the Last modified column shows "Deploying" while the edge locations pick up the new configuration (typically a few minutes) and then shows a timestamp

AWS CLI (optional)

Enabling logging via CLI requires updating the distribution configuration. This is a multi-step process.

Step 1: Get the current distribution configuration

aws cloudfront get-distribution-config \
--id E1EXAMPLE12345 \
--region us-east-1 \
--output json > /tmp/dist-config.json

Step 2: Note the ETag value

The response includes an ETag field at the top level. Save this value - you will need it for the update command.

# Extract the ETag
ETAG=$(jq -r '.ETag' /tmp/dist-config.json)
echo "ETag: $ETAG"

Step 3: Modify the configuration to enable logging

Extract just the DistributionConfig portion and add the logging configuration:

jq '.DistributionConfig.Logging = {
"Enabled": true,
"IncludeCookies": false,
"Bucket": "my-cloudfront-logs-bucket.s3.amazonaws.com",
"Prefix": "cloudfront-logs/"
} | .DistributionConfig' /tmp/dist-config.json > /tmp/updated-config.json

Step 4: Update the distribution

aws cloudfront update-distribution \
--id E1EXAMPLE12345 \
--if-match "$ETAG" \
--distribution-config file:///tmp/updated-config.json \
--region us-east-1

Replace:

  • E1EXAMPLE12345 with your distribution ID
  • my-cloudfront-logs-bucket with your S3 bucket name

CloudFormation (optional)

Add the Logging property to your AWS::CloudFront::Distribution resource:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront distribution with logging enabled

Resources:
  LoggingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub 'cloudfront-logs-${AWS::AccountId}'
      # ACLs must be enabled for CloudFront to add the awslogsdelivery grant.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerPreferred
      # Blocks only public ACLs; the awslogsdelivery grant targets a specific
      # canonical user and is unaffected.
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: myOrigin
            DomainName: my-origin.example.com
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: myOrigin
          ViewerProtocolPolicy: redirect-to-https
          # AWS managed cache policy "CachingOptimized"
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
        Logging:
          # DomainName resolves to <bucket>.s3.amazonaws.com, the format CloudFront expects
          Bucket: !GetAtt LoggingBucket.DomainName
          Prefix: 'cloudfront-logs/'
          IncludeCookies: false

Key configuration:

  • Bucket: The S3 bucket domain name (format: bucket-name.s3.amazonaws.com)
  • Prefix: Optional folder path for organizing logs
  • IncludeCookies: Set to true if you need cookie data in logs

Terraform (optional)

Add a logging_config block to your aws_cloudfront_distribution resource:

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "cloudfront_logs" {
  bucket = "cloudfront-logs-${data.aws_caller_identity.current.account_id}"
}

# ACLs must be enabled on the bucket so CloudFront can add the awslogsdelivery grant.
resource "aws_s3_bucket_ownership_controls" "cloudfront_logs" {
  bucket = aws_s3_bucket.cloudfront_logs.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_cloudfront_distribution" "example" {
  enabled = true

  # logging_config only references the bucket's domain name, which does not
  # imply an ordering with the ownership controls. Force it, otherwise the first
  # apply can fail while CloudFront tries to write the bucket ACL.
  depends_on = [aws_s3_bucket_ownership_controls.cloudfront_logs]

  origin {
    domain_name = "my-origin.example.com"
    origin_id   = "myOrigin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "myOrigin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  logging_config {
    bucket          = aws_s3_bucket.cloudfront_logs.bucket_domain_name
    prefix          = "cloudfront-logs/"
    include_cookies = false
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

Key arguments:

  • bucket: The S3 bucket domain name for storing logs
  • prefix: Optional path prefix for log files
  • include_cookies: Whether to include cookie information in logs

Verification

After enabling logging:

  1. Return to the CloudFront console and select your distribution
  2. On the General tab, confirm that Standard logging shows as On
  3. Check your S3 bucket - logs typically begin appearing within 24 hours (CloudFront batches log delivery)

Verify with AWS CLI
aws cloudfront get-distribution \
--id E1EXAMPLE12345 \
--region us-east-1 \
--query 'Distribution.DistributionConfig.Logging'

Expected output when logging is enabled:

{
"Enabled": true,
"IncludeCookies": false,
"Bucket": "my-cloudfront-logs-bucket.s3.amazonaws.com",
"Prefix": "cloudfront-logs/"
}
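The same check as a script, added here as an example and not part of the original page or of any AWS tooling. evaluate_logging works directly on the Logging object shown above and fails closed when the key is missing or the bucket is not an S3 bucket domain name; audit_account is the live variant and assumes boto3 is installed and the caller has cloudfront:ListDistributions and cloudfront:GetDistributionConfig. The sample configurations and distribution IDs are constructed.

```python
"""Audit CloudFront distributions for standard logging.

evaluate_logging() works on the DistributionConfig JSON returned by
get-distribution-config; audit_account() fetches it live with boto3.
"""
from typing import Dict, List, Optional


def evaluate_logging(dist_id: str, config: dict) -> Dict[str, str]:
    """Classify one distribution as PASS or FAIL with a reason."""
    logging_cfg = config.get("Logging") or {}
    bucket = logging_cfg.get("Bucket") or ""
    if not logging_cfg.get("Enabled"):
        # CloudFront returns Enabled=false with empty Bucket/Prefix when off;
        # a missing Logging key is treated the same way (fail closed).
        return {"id": dist_id, "status": "FAIL",
                "reason": "standard logging is disabled"}
    if not bucket.endswith(".s3.amazonaws.com"):
        # The API only accepts <bucket>.s3.amazonaws.com as the target.
        return {"id": dist_id, "status": "FAIL",
                "reason": f"log bucket {bucket!r} is not an S3 bucket domain name"}
    reason = f"logging to {bucket}/{logging_cfg.get('Prefix', '')}"
    if logging_cfg.get("IncludeCookies"):
        # Still a PASS for this check, but session cookies now land in the
        # log bucket, so whoever can read it can replay them.
        reason += "; IncludeCookies is on, treat the log bucket as sensitive"
    return {"id": dist_id, "status": "PASS", "reason": reason}


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count PASS/FAIL results."""
    counts = {"PASS": 0, "FAIL": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


def audit_account(profile: Optional[str] = None) -> List[Dict[str, str]]:
    """Walk every distribution in the account (live; needs boto3 and AWS credentials)."""
    import boto3  # imported here so evaluate_logging stays usable offline

    cf = boto3.Session(profile_name=profile).client("cloudfront")
    findings = []
    # DistributionSummary does not carry Logging, so fetch each full config.
    for page in cf.get_paginator("list_distributions").paginate():
        for summary in page.get("DistributionList", {}).get("Items", []):
            cfg = cf.get_distribution_config(Id=summary["Id"])["DistributionConfig"]
            findings.append(evaluate_logging(summary["Id"], cfg))
    return findings


# Constructed sample configs in the shape the API returns (not real distributions).
SAMPLE_CONFIGS = {
    "E1EXAMPLE12345": {"Logging": {"Enabled": False, "IncludeCookies": False,
                                   "Bucket": "", "Prefix": ""}},
    "E2EXAMPLE67890": {"Logging": {"Enabled": True, "IncludeCookies": False,
                                   "Bucket": "my-cloudfront-logs-bucket.s3.amazonaws.com",
                                   "Prefix": "cloudfront-logs/"}},
    "E3EXAMPLEABCDE": {"Logging": {"Enabled": True, "IncludeCookies": True,
                                   "Bucket": "my-cloudfront-logs-bucket.s3.amazonaws.com",
                                   "Prefix": ""}},
}


def audit_sample() -> List[Dict[str, str]]:
    """Run the evaluation over the constructed sample."""
    return [evaluate_logging(dist_id, cfg) for dist_id, cfg in SAMPLE_CONFIGS.items()]


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['id']}: {finding['status']} - {finding['reason']}")
    print(summarize(audit_sample()))
```

Run it as-is to see the three sample verdicts; swap audit_sample() for audit_account() to run against a real account. Feeding the output of the get-distribution command above through evaluate_logging gives the same verdict the console shows.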

Additional Resources

Notes

  • Log delivery delay: Standard logs are delivered on a best-effort basis, typically within 24 hours. For real-time visibility, consider using CloudFront real-time logs with Kinesis Data Streams.

  • S3 bucket ACLs required: CloudFront requires ACLs to be enabled on the destination bucket. Buckets created after April 2023 have ACLs disabled by default, so you may need to enable them.

  • Log file format: Logs are delivered as gzip-compressed files in W3C extended log format. Each file contains log entries for a specific time period.

  • Cost considerations: While CloudFront does not charge for generating standard logs, you will incur S3 storage and request costs for the log files.
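To show what the logs buy you once they land in the bucket, here is an added example (not part of the original page) that parses the W3C extended format described in the notes above and runs the credential-stuffing detection the Risk section mentions: it counts failed POSTs to a login path per client IP. The sample log is constructed, with a trimmed #Fields header; the parser reads field names from that header, so it works unchanged on the full 33-field files CloudFront delivers. The host name, IPs, edge locations and the /api/login path are assumptions.

```python
"""Parse CloudFront standard logs (W3C extended, tab-separated) and flag
clients that repeatedly fail POSTs to a login endpoint."""
import gzip
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import unquote


def _row(*fields: str) -> str:
    return "\t".join(fields)


# Constructed sample. Real files are gzip-compressed and carry 33 fields;
# only the fields this detection reads are kept here.
HOST = "d111111abcdef8.cloudfront.net"
UA = "Mozilla/5.0%20(X11;%20Linux%20x86_64)"
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time x-edge-location c-ip cs-method cs(Host) cs-uri-stem sc-status cs(User-Agent) cs-uri-query",
    _row("2024-05-01", "12:00:01", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "401", UA, "-"),
    _row("2024-05-01", "12:00:01", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "401", UA, "-"),
    _row("2024-05-01", "12:00:02", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "401", UA, "-"),
    _row("2024-05-01", "12:00:02", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "403", UA, "-"),
    _row("2024-05-01", "12:00:03", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "401", UA, "-"),
    _row("2024-05-01", "12:00:03", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "401", UA, "-"),
    _row("2024-05-01", "12:00:04", "IAD89-C1", "203.0.113.7", "POST", HOST, "/api/login", "200", UA, "-"),
    _row("2024-05-01", "12:00:05", "FRA50-C1", "198.51.100.4", "POST", HOST, "/api/login", "401", UA, "-"),
    _row("2024-05-01", "12:00:09", "FRA50-C1", "198.51.100.4", "POST", HOST, "/api/login", "200", UA, "-"),
    _row("2024-05-01", "12:00:10", "FRA50-C1", "192.0.2.55", "GET", HOST, "/index.html", "200", UA, "utm_source=mail"),
])

# Fields CloudFront URL-encodes; "-" means empty in every field.
ENCODED_FIELDS = ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs(Referer)")


def parse_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):  # #Version and any other directive
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count {len(values)} does not match header {len(fields)}")
        record = dict(zip(fields, values))
        for key in ENCODED_FIELDS:
            if key in record:
                record[key] = "" if record[key] == "-" else unquote(record[key])
        yield record


def failed_login_ips(records: Iterable[Dict[str, str]], login_path: str = "/api/login",
                     threshold: int = 5, statuses: Tuple[str, ...] = ("401", "403")) -> Dict[str, int]:
    """Return client IPs with at least `threshold` failed POSTs to the login path."""
    failures: Counter = Counter()
    for rec in records:
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"] == login_path and rec["sc-status"] in statuses:
            failures[rec["c-ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def analyze_file(path: str, **kwargs) -> Dict[str, int]:
    """Run the detection over one delivered .gz log object downloaded from the bucket."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return failed_login_ips(parse_log(fh), **kwargs)


def analyze_sample() -> Dict[str, int]:
    return failed_login_ips(parse_log(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    print(analyze_sample())
```

Real CloudFront logs include x-forwarded-for, so when the distribution sits behind another proxy the per-IP key should come from that field rather than c-ip; the threshold and time window here are deliberately simple and would normally be bucketed per minute over the whole day's objects rather than per file.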