Skip to content
Nuclei Templates

Cloudfront Logging Disabled

ID: cloudfront-logging-disabled

Severity: medium

Author: DhiyaneshDK

Tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config

Description

Section titled “Description”

Ensure that access (standard) logging is enabled for your Amazon CloudFront distributions in order to track all viewer requests for the web content delivered through the Content Delivery Network (CDN).

YAML Source

Section titled “YAML Source”
id: cloudfront-logging-disabled


info:
  name: Cloudfront Logging Disabled
  author: DhiyaneshDK
  severity: medium
  description: |
    Ensure that access (standard) logging is enabled for your Amazon CloudFront distributions in order to track all viewer requests for the web content delivered through the Content Delivery Network (CDN).
  impact: |
    Disabling CloudFront logging reduces visibility into traffic patterns, hinders incident response and forensic analysis, compromises compliance efforts, and limits troubleshooting capabilities, increasing security risks.
  remediation: |
    Enable encryption for all existing EBS volumes and ensure that all new volumes created are configured to use encryption by default. Additionally, update any snapshots to be encrypted and use AWS Key Management Service (KMS) to manage encryption keys securely.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-logging-enabled.html
    - http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
  tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config


variables:
  region: "us-west-2"


flow: |
  code(1)
  for(let DistributionListItemsId of iterate(template.distributions)){
    set("distribution", DistributionListItemsId)
    code(2)
  }


self-contained: true


code:
  - engine:
      - sh
      - bash


    source: |
      aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json


    extractors:
      - type: json
        name: distributions
        internal: true
        json:
          - '.[]'


  - engine:
      - sh
      - bash


    source: |
        aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Logging.Enabled' --region $region --output text


    matchers:
      - type: word
        words:
          - "False"


    extractors:
      - type: dsl
        dsl:
          - '"Cloudfront Logging " + distribution + " is Disabled"'
# digest: 4a0a0047304502200285c729ba0b638126b679fa50d620ddaa0c8ccf98e7fb0d5292f8f7f544746c022100e46eb51abb3cb736a33c0648ff14957f1285349c4e4f5bc69dc2ad222e1dc07b:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "cloud/aws/cloudfront/cloudfront-logging-disabled.yaml"

View on Github