
CloudFront distribution has logging enabled

cloudfront_distributions_logging_enabled

Severity: medium
Service: cloudfront
by Prowler

CloudFront distributions can record viewer requests in three ways: standard access logs written to an S3 bucket, real-time log configurations attached to individual cache behaviors, or Standard Logging v2, which uses CloudWatch Logs delivery sources and deliveries.

The check evaluates, for each distribution, whether at least one of these mechanisms is active, so that request metadata is actually captured somewhere.

Risk

Without CloudFront logs there is no visibility into requests at the edge, which hinders detection of bot abuse, credential stuffing, and cache-bypass attempts.

This delays incident response and weakens forensic evidence. Note that for Standard Logging v2, a delivery source that has no delivery attached sends logs nowhere, so the check does not treat it as enabled.
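The decision logic the two passages above describe, written out as an added example (this is not Prowler's own code). It works on dictionaries shaped like the boto3 responses of cloudfront.get_distribution_config, logs.describe_delivery_sources and logs.describe_deliveries; the field names follow the AWS API, and the distribution inventory, delivery sources and deliveries are constructed sample data. The third distribution has a delivery source but no delivery, which is the caveat from the Risk section.

```python
# Added example (not Prowler's code): check logic for "at least one logging
# mechanism is active", over dicts shaped like boto3 responses. Sample data is
# constructed, not from a real account.
from typing import Iterable


def has_standard_logging(config: dict) -> bool:
    """Standard access logs (S3): DistributionConfig.Logging.Enabled with a bucket."""
    logging_cfg = config.get("Logging") or {}
    return bool(logging_cfg.get("Enabled")) and bool(logging_cfg.get("Bucket"))


def has_realtime_logging(config: dict) -> bool:
    """Real-time logs attach per cache behavior via RealtimeLogConfigArn, so the
    default behavior and every additional behavior must be inspected."""
    behaviors = [config.get("DefaultCacheBehavior") or {}]
    behaviors += (config.get("CacheBehaviors") or {}).get("Items") or []
    return any(b.get("RealtimeLogConfigArn") for b in behaviors)


def has_v2_logging(distribution_arn: str,
                   delivery_sources: Iterable[dict],
                   deliveries: Iterable[dict]) -> bool:
    """Standard Logging v2: a delivery source that names this distribution counts
    only if at least one delivery references it. A source with no delivery writes
    nothing anywhere, so it is not treated as enabled."""
    sources_for_dist = {
        s["name"] for s in delivery_sources
        if distribution_arn in (s.get("resourceArns") or [])
    }
    return any(d.get("deliverySourceName") in sources_for_dist for d in deliveries)


def evaluate(distributions: dict, delivery_sources: list, deliveries: list) -> dict:
    """Return {distribution_id: 'PASS' | 'FAIL'}; PASS if any mechanism is active."""
    results = {}
    for dist_id, dist in distributions.items():
        cfg = dist["DistributionConfig"]
        ok = (has_standard_logging(cfg)
              or has_realtime_logging(cfg)
              or has_v2_logging(dist["ARN"], delivery_sources, deliveries))
        results[dist_id] = "PASS" if ok else "FAIL"
    return results


# Constructed sample inventory (hypothetical account and distribution IDs).
ACCOUNT = "123456789012"


def _arn(dist_id: str) -> str:
    return f"arn:aws:cloudfront::{ACCOUNT}:distribution/{dist_id}"


NO_LOGGING = {"Enabled": False, "Bucket": ""}
DISTRIBUTIONS = {
    "E1STANDARD": {"ARN": _arn("E1STANDARD"), "DistributionConfig": {
        "Logging": {"Enabled": True, "IncludeCookies": False,
                    "Bucket": "example-logs.s3.amazonaws.com", "Prefix": "cf/"},
        "DefaultCacheBehavior": {}, "CacheBehaviors": {"Quantity": 0, "Items": []}}},
    "E2REALTIME": {"ARN": _arn("E2REALTIME"), "DistributionConfig": {
        "Logging": NO_LOGGING, "DefaultCacheBehavior": {},
        "CacheBehaviors": {"Quantity": 1, "Items": [
            {"PathPattern": "/api/*",
             "RealtimeLogConfigArn": f"arn:aws:cloudfront::{ACCOUNT}:realtime-log-config/api"}]}}},
    "E3SOURCEONLY": {"ARN": _arn("E3SOURCEONLY"), "DistributionConfig": {
        "Logging": NO_LOGGING, "DefaultCacheBehavior": {}}},
    "E4V2": {"ARN": _arn("E4V2"), "DistributionConfig": {
        "Logging": NO_LOGGING, "DefaultCacheBehavior": {}}},
    "E5NONE": {"ARN": _arn("E5NONE"), "DistributionConfig": {
        "Logging": NO_LOGGING, "DefaultCacheBehavior": {}}},
}
DELIVERY_SOURCES = [
    {"name": "src-e3", "service": "cloudfront", "logType": "ACCESS_LOGS",
     "resourceArns": [_arn("E3SOURCEONLY")]},   # no delivery attached -> not enabled
    {"name": "src-e4", "service": "cloudfront", "logType": "ACCESS_LOGS",
     "resourceArns": [_arn("E4V2")]},
]
DELIVERIES = [
    {"id": "d1", "deliverySourceName": "src-e4",
     "deliveryDestinationArn": f"arn:aws:logs:us-east-1:{ACCOUNT}:delivery-destination:cf-logs"},
]

if __name__ == "__main__":
    for dist_id, status in evaluate(DISTRIBUTIONS, DELIVERY_SOURCES, DELIVERIES).items():
        print(f"{dist_id}: {status}")
```

Running it reports PASS for E1STANDARD, E2REALTIME and E4V2 and FAIL for E3SOURCEONLY and E5NONE. To run this against a real account, replace the constructed dictionaries with the corresponding boto3 calls; the delivery sources and deliveries must be listed in every region where a delivery was created, since they are regional CloudWatch Logs resources.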

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_logging_enabled

Recommendation

Enable standard access logs or real-time logs for all distributions.

Apply least privilege to log storage, enforce retention and immutability, and centralize ingestion with alerts.

Use defense-in-depth: correlate the logs with WAF metrics, enable sampled real-time logs where low latency matters, and audit newly created distributions for logging.

Remediation

CLI

# 1. Save the current ETag and the DistributionConfig object. update-distribution expects only the DistributionConfig, not the full get-distribution-config response, so extract it with --query.
aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query ETag --output text > etag.txt
aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query DistributionConfig --output json > current-config.json
# 2. Edit current-config.json and set the Logging block, for example:
#    "Logging": {"Enabled": true, "IncludeCookies": false, "Bucket": "<example_bucket>.s3.amazonaws.com", "Prefix": ""}
# 3. Push the edited config back; --if-match must carry the ETag from the same read or the call is rejected.
aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match "$(cat etag.txt)"

Other
  1. In the AWS Console, go to CloudFront and select your distribution
  2. Open the General tab and click Edit
  3. In Standard logging, set to On
  4. Select the S3 bucket to receive logs
  5. Ensure the S3 bucket allows ACLs (Object Ownership set to Bucket owner preferred or Object writer); CloudFront writes standard logs through an ACL grant to its log delivery account, so a bucket with ACLs disabled cannot be selected
  6. Save changes


Resource Type

AwsCloudFrontDistribution
