Alarm is not set for denied connections in CloudFront logs Affecting CloudFront service in AWS


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Monitoring / Network

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
  • Snyk ID SNYK-CC-00188
  • credit Snyk Research Team

Description

Alarms should be configured to alert users to denied connections to CloudFront distributions so users can investigate anomalous traffic.

How to fix?

Create an aws_cloudwatch_log_metric_filter and aws_cloudwatch_metric_alarm with an appropriate pattern attribute set for an aws_cloudwatch_log_group and aws_cloudtrail set of resources.

Use the following pattern attribute set:

$.eventSource=cloudfront.amazonaws.com
$.errorCode=*UnauthorizedOperation
$.errorCode=AccessDenied*