Detection: CloudFront Distribution Logging Disabled
Overview
Detect when a CloudFront distribution's logging was disabled. Disabling logging reduces visibility into access and usage, making it difficult to monitor traffic, detect anomalies, or respond to security incidents. Enabling logging ensures access monitoring, supports compliance requirements, and provides valuable insights for troubleshooting and optimization.
References:
Usage
Run the detection in your terminal:
powerpipe detection run aws_cloudtrail_log_detections.detection.cloudfront_distribution_logging_disabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run aws_cloudtrail_log_detections.detection.cloudfront_distribution_logging_disabled --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,string_split(event_source, '.')[1] || ':' || event_name as operation,request_parameters ->> 'name' as resource,user_identity.arn as actor,tp_source_ip as source_ip,tp_index as account_id,aws_region as region,tp_id as source_id,*
from aws_cloudtrail_logwhere event_source = 'cloudfront.amazonaws.com' and event_name = 'UpdateDistribution' and (request_parameters -> 'distributionConfig' -> 'logging' -> 'enabled') = falseorder by event_time desc;