Terraform Missing Logging Config
Description
Identifies AWS CloudFront distributions that have logging disabled or not configured. Missing logging configuration in CloudFront distributions can hinder security auditing, incident investigation, and compliance requirements since there would be no records of content delivery and user access patterns.
Detection Strategy
• Check whether the resource type is 'aws_cloudfront_distribution' in the Terraform configuration
• Verify whether the 'logging_config' block is present in the distribution resource block
• Report a vulnerability if the CloudFront distribution has no 'logging_config' block
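As an added example that is not part of the original page, the following Python script applies the three detection steps above to a constructed Terraform snippet: it locates each aws_cloudfront_distribution resource, collects the nested blocks declared directly inside its body, and reports the distributions without a logging_config block. The line-based brace parser, the function names and the sample configuration are assumptions made for illustration, not a real scanner.

```python
import re

# Constructed sample (not from the original page): one distribution omits logging_config, one sets it.
SAMPLE_TF = '''
resource "aws_cloudfront_distribution" "no_logs" {
  origin {
    domain_name = "example-bucket.s3.amazonaws.com"
    origin_id   = "primaryS3"
  }
}

resource "aws_cloudfront_distribution" "with_logs" {
  origin {
    domain_name = "example-bucket.s3.amazonaws.com"
    origin_id   = "primaryS3"
  }
  logging_config {
    bucket          = "example-logs.s3.amazonaws.com"
    include_cookies = false
  }
}
'''

RESOURCE_RE = re.compile(r'^\s*resource\s+"aws_cloudfront_distribution"\s+"([^"]+)"\s*\{')
BLOCK_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*\{')  # nested block header, e.g. "origin {"

def distribution_blocks(text):
    """Yield (resource name, names of blocks nested directly in the body) per distribution."""
    name, depth, blocks = None, 0, []
    for line in text.splitlines():
        if name is None:
            header = RESOURCE_RE.match(line)
            if header:  # entering a distribution resource; its '{' puts us at depth 1
                name, depth, blocks = header.group(1), 1, []
            continue
        nested = BLOCK_RE.match(line)
        if depth == 1 and nested:  # block declared at the top level of the resource body
            blocks.append(nested.group(1))
        depth += line.count('{') - line.count('}')  # assumes no braces inside string literals
        if depth == 0:  # closing '}' of the resource
            yield name, blocks
            name = None

def distributions_without_logging(text):
    """Resource names of CloudFront distributions that have no logging_config block."""
    return [name for name, blocks in distribution_blocks(text)
            if 'logging_config' not in blocks]
```

The check only confirms that the block exists; a separate check is needed if you also want to assert that the bucket attribute points at a log bucket you control.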
Vulnerable code example
resource "aws_cloudfront_distribution" "example" {
  origin {
    domain_name = "example-bucket.s3.amazonaws.com"
    origin_id   = "primaryS3" # Origin ID is set as 'primaryS3'
  }
  default_cache_behavior {
    target_origin_id = "groupS3" # Vulnerability: Mismatched origin_id reference...

✅ Secure code example
resource "aws_cloudfront_distribution" "example" {
  origin {
    domain_name = aws_s3_bucket.example.bucket_regional_domain_name # Use a resource attribute reference instead of a hardcoded domain
    origin_id   = "primaryS3"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path # Secure S3 access
    }...