Configuring CloudFront for Secure Logging

Ensure Secure Logging with CloudFront and EC2

Question

A team has set up a CloudFront distribution with a web application hosted on an EC2 instance as the origin.

There is a security requirement to ensure that all requests made via CloudFront are recorded.

Which of the following implementation steps need to be carried out? Choose 2 answers from the options given below.

Answers

Explanations


Answer - A and C.

This is mentioned in the AWS Documentation.

When you enable logging for a distribution, you specify the Amazon S3 bucket in which you want CloudFront to store the log files.

If you're using Amazon S3 as your origin, we recommend that you do not use the same bucket for your log files.

Using a separate bucket simplifies maintenance.

You can store the log files for multiple distributions in the same bucket.

When you enable logging, you can specify an optional prefix for the file names, so you can keep track of which log files are associated with which distributions.

Option B is incorrect because requests to a CloudFront distribution are recorded by CloudFront standard logs (access logs), not by VPC flow logs.

Option D is incorrect because CloudFront logging stores the logs in S3, not in CloudWatch Log Groups.

For more information on CloudFront access logs, please visit the URL below.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html

To ensure that all requests via CloudFront are recorded, two implementation steps need to be carried out:

  1. Enable the standard log/access log for the CloudFront distribution: Enabling the standard log/access log for the CloudFront distribution is the first step to record all requests coming through CloudFront. By default, CloudFront logs all requests to the standard access log file. This log file contains detailed information about each request, including the time of the request, the client's IP address, the request method, the requested object, the status code returned by the server, and the amount of data transferred.

  2. Create a destination S3 bucket for the logs: Once the logs are generated, they need to be stored somewhere. Creating a destination S3 bucket for the logs is the second step to ensure that all requests are recorded. S3 provides a highly durable and scalable object storage service that can be used to store CloudFront logs. When you enable logging for a CloudFront distribution, you can specify an S3 bucket to receive the log files.

Therefore, the correct answers to the question are:

A. Enable the standard log/access log for the CloudFront distribution.

C. Create a destination S3 bucket for the logs.

B and D are incorrect: enabling VPC flow logs is unrelated to recording requests made via CloudFront, and creating a CloudWatch Log group is not necessary for storing CloudFront logs.
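Once the standard logs land in the S3 bucket, someone has to read them. The following added example (not part of the original question or of AWS's own tooling) parses the tab-separated, `#Fields`-headed format that CloudFront writes and runs a simple defender check over it; the log lines, the request IDs, the distribution domain `d111111abcdef8.cloudfront.net` and the host `app.example.com` are constructed sample values, and only the first 19 documented fields are included to keep the sample short.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample of a CloudFront standard (access) log file. Real files are
# gzip-compressed, tab-separated, and start with '#Version' and '#Fields' lines;
# values are URL-encoded and '-' marks an empty field.
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) "
          "x-edge-result-type x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")
HOST = "d111111abcdef8.cloudfront.net"  # placeholder distribution domain
ROWS = [  # constructed records: two normal hits, then three 404s from one client
    ["2024-05-01", "12:00:01", "IAD89-C1", "512", "203.0.113.10", "GET", HOST, "/index.html", "200", "-", "Mozilla/5.0%20(X11)", "-", "-", "Hit", "req-1", "app.example.com", "https", "300", "0.012"],
    ["2024-05-01", "12:00:02", "IAD89-C1", "2048", "203.0.113.10", "GET", HOST, "/css/site.css", "200", "-", "Mozilla/5.0%20(X11)", "-", "-", "Hit", "req-2", "app.example.com", "https", "310", "0.009"],
    ["2024-05-01", "12:00:05", "IAD89-C1", "300", "198.51.100.7", "GET", HOST, "/admin", "404", "-", "curl/8.0", "-", "-", "Error", "req-3", "app.example.com", "https", "120", "0.041"],
    ["2024-05-01", "12:00:06", "IAD89-C1", "300", "198.51.100.7", "GET", HOST, "/private", "404", "-", "curl/8.0", "-", "-", "Error", "req-4", "app.example.com", "https", "122", "0.038"],
    ["2024-05-01", "12:00:07", "IAD89-C1", "300", "198.51.100.7", "GET", HOST, "/old/config", "404", "-", "curl/8.0", "-", "-", "Error", "req-5", "app.example.com", "https", "125", "0.040"],
]
SAMPLE_LOG = "#Version: 1.0\n#Fields: " + FIELDS + "\n" + "\n".join("\t".join(r) for r in ROWS) + "\n"


def parse_cloudfront_log(text):
    """Parse one standard log file into a list of {field_name: value} dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()  # header names the columns
        elif line.startswith("#") or not line.strip():
            continue  # '#Version' line or blank line
        else:
            values = [unquote(v) for v in line.split("\t")]
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match the #Fields header")
            records.append(dict(zip(fields, values)))
    return records


def error_prone_clients(records, min_errors=3):
    """Client IPs with at least min_errors 4xx/5xx responses, most errors first."""
    errors = Counter(r["c-ip"] for r in records if r["sc-status"][0] in "45")
    return [ip for ip, n in errors.most_common() if n >= min_errors]


def bytes_per_status(records):
    """Bytes served to clients (sc-bytes), totalled per HTTP status code."""
    totals = Counter()
    for r in records:
        totals[r["sc-status"]] += int(r["sc-bytes"])
    return dict(totals)


if __name__ == "__main__":
    recs = parse_cloudfront_log(SAMPLE_LOG)
    print(len(recs), "requests;", bytes_per_status(recs), error_prone_clients(recs))
```

For real files, open each object from the log bucket with `gzip.open(path, "rt")` and pass its contents to `parse_cloudfront_log`; the `#Fields` header is read from the file itself, so newer fields appended by AWS are picked up without code changes.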