Validates all CloudFront distributions created with CloudFormation stacks to ensure that they have access logs enabled.
# Create a basic type configuration json
cat <<EOF > typeConfiguration.json
{
"CloudFormationConfiguration": {
"HookConfiguration": {
"TargetStacks": "ALL",
"FailureMode": "FAIL",
"Properties": {}
}
}
}
EOF
# enable the hook
aws cloudformation set-type-configuration \
--configuration file://typeConfiguration.json \
--type HOOK \
--type-name AwsCommunity::CloudFront::LoggingEnabledThe Hook will find this template to be non-compliant.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
CloudFrontDistributionLoggingNonCompliant:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
Origins:
- DomainName: !GetAtt
- S3BucketOriginSupporting
- DomainName
Id: S3Origin
CustomOriginConfig:
OriginProtocolPolicy: https-only
DefaultCacheBehavior:
TargetOriginId: S3Origin
ViewerProtocolPolicy: https-only
ForwardedValues:
QueryString: falseThis template will be found as compliant and deploy successfully.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
CloudFrontDistributionLoggingCompliant:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Enabled: true
Logging:
Bucket: !GetAtt
- S3BucketLoggingSupporting
- DomainName
Origins:
- DomainName: !GetAtt
- S3BucketOriginSupporting
- DomainName
Id: S3Origin
CustomOriginConfig:
OriginProtocolPolicy: https-only
DefaultCacheBehavior:
TargetOriginId: S3Origin
ViewerProtocolPolicy: https-only
ForwardedValues:
QueryString: false