🛡️ AWS CloudFront Distribution Logging is not enabled🟢

• Contextual name: 🛡️ Distribution Logging is not enabled🟢
• ID: /ce/ca/aws/cloudfront/distribution-logging
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS CloudFront Distribution
  • 🔌 AWS CloudFront Distribution - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [CloudFront.5] CloudFront distributions should have logging enabled
• Internal: dec-x-a5c2acfe

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-a5c2acfe	1

Description

Open File

Description

This policy checks if standard logging is enabled for AWS CloudFront Distributions.

Standard logging supports:

• Delivery of access logs to Amazon CloudWatch Logs, Amazon Kinesis Data Firehose, and Amazon S3.
• Selection of specific log fields, including a subset of real‑time log fields.
• Configuration of additional output log file formats.

Rationale

Standard logs provide details for each distribution request (e.g., the viewer’s IP address, requested path and object, HTTP status code and method, timestamp, and user agent) enabling monitoring, troubleshooting, and security auditing.

Impact

Enabling standard logging may increase charges for log storage and data transfer.

Audit

This policy flags an AWS CloudFront Web Distribution as INCOMPLIANT if the Logging Enabled checkbox is false.

Remediation

Open File

Remediation

Permissions

CloudFront delivers access logs via the CloudWatch vended logs. To enable and configure log delivery, you must have IAM permissions for the target logging service and for CloudWatch Logs delivery actions.

From Command Line

Enable Standard Logging Using CloudWatch API

1. Create a delivery source for the CloudFront Distribution logs:

aws logs put-delivery-source \
    --name {{delivery-name}} \
    --resource-arn {{distribution-arn}} \
    --log-type ACCESS_LOGS

2. Configure the delivery destination where the logs should be sent (CloudWatch Logs, Kinesis Data Firehose, or S3):

aws logs put-delivery-destination \
    --name {{destination-name}} \
    --delivery-destination-configuration {{delivery-destination-arn}}

3. Link source and destination to bind your CloudFront distribution to the target destination:

aws logs create-delivery \
    --delivery-source-name {{delivery-name}} \
    --delivery-destination-arn {{delivery-destination-arn}}

Using CloudFormation

• CloudFormation template (YAML):

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 APRA CPG 234 → 💼 16f information security reporting and analytics;		9	11		no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security;		9	11		no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity;		19	22		no data
💼 APRA CPG 234 → 💼 h. audit logging and monitoring of access to information assets by all users;		8	9		no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.5] CloudFront distributions should have logging enabled		1	1		no data
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			65		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			16		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	26		no data
💼 FedRAMP High Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			17		no data
💼 FedRAMP High Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		28		no data
💼 FedRAMP High Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			8		no data
💼 FedRAMP High Security Controls → 💼 AU-6(4) Central Review and Analysis (H)			8		no data
💼 FedRAMP High Security Controls → 💼 AU-10 Non-repudiation (H)			7		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		65		no data
💼 FedRAMP High Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		13		no data
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4		32		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	51		no data
💼 FedRAMP Low Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			17		no data
💼 FedRAMP Low Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)			14		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Low Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	1		13		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			16		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			26		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-2 Event Logging (L)(M)(H)			17		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-3 Content of Audit Records (L)(M)(H)	1		28		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6(3) Correlate Audit Record Repositories (M)(H)			8		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Moderate Security Controls → 💼 CA-7 Continuous Monitoring (L)(M)(H)	2		13		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	2		19		no data
💼 NIST CSF v1.1 → 💼 ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations		15	19		no data
💼 NIST CSF v1.1 → 💼 PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy		16	33		no data
💼 NIST CSF v2.0 → 💼 DE.AE-02: Potentially adverse events are analyzed to better understand associated activities			35		no data
💼 NIST CSF v2.0 → 💼 DE.AE-03: Information is correlated from multiple sources			50		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			150		no data
💼 NIST CSF v2.0 → 💼 DE.CM-02: The physical environment is monitored to find potentially adverse events			13		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-06: External service provider activities and services are monitored to find potentially adverse events			35		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			149		no data
💼 NIST CSF v2.0 → 💼 GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship			26		no data
💼 NIST CSF v2.0 → 💼 ID.IM-01: Improvements are identified from evaluations			26		no data
💼 NIST CSF v2.0 → 💼 ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties			40		no data
💼 NIST CSF v2.0 → 💼 ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities			41		no data
💼 NIST CSF v2.0 → 💼 ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded			31		no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked			31		no data
💼 NIST CSF v2.0 → 💼 ID.RA-10: Critical suppliers are assessed prior to acquisition			26		no data
💼 NIST SP 800-53 Revision 4 → 💼 AU-2 AUDIT EVENTS	4	3	4		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(26) Information Flow Enforcement _ Audit Filtering Actions			9		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6(9) Least Privilege _ Log Use of Privileged Functions		17	19		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-2 Event Logging	4		17		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-3 Content of Audit Records	3	13	28		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(3) Audit Record Review, Analysis, and Reporting _ Correlate Audit Record Repositories			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-6(4) Audit Record Review, Analysis, and Reporting _ Central Review and Analysis			8		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-10 Non-repudiation	5		7		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	65		no data
💼 NIST SP 800-53 Revision 5 → 💼 CA-7 Continuous Monitoring	6		13		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-3 Configuration Change Control	8	17	32		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			18		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-3(8) Malicious Code Protection _ Detect Unauthorized Commands			6		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(20) System Monitoring _ Privileged Users			5		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(8) Software, Firmware, and Information Integrity _ Auditing Capability for Significant Events			8		no data
💼 PCI DSS v3.2.1 → 💼 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.			5		no data
💼 PCI DSS v4.0.1 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		5		no data
💼 PCI DSS v4.0 → 💼 10.4.2 Logs of all other system components are reviewed periodically.	1		5		no data