turbot/aws_compliance
Loading controls...

Control: 5 CloudFront distributions should have logging enabled

Description

This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution.

CloudFront access logs provide detailed information about every user request that CloudFront receives. Each log contains information such as the date and time the request was received, the IP address of the viewer that made the request, the source of the request, and the port number of the request from the viewer.

Remediation

For information on how to configure access logging for a CloudFront distribution, seeConfiguring and using standard logs (access logs).

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudfront_5

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_5 --share

SQL

This control uses a named query:

cloudfront_distribution_logging_enabled

Tags