Alarm is not set for denied connections in CloudFront logs Affecting CloudFront service in AWS
Severity Framework
Snyk CCSS
Rule category
Monitoring / Network
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk ID SNYK-CC-00188
- credit Snyk Research Team
Description
Alarms should be configured to alert users to denied connections to CloudFront distributions so users can investigate anomalous traffic.
How to fix?
Create an aws_cloudwatch_log_metric_filter
and aws_cloudwatch_metric_alarm
with an appropriate pattern attribute set for an aws_cloudwatch_log_group
and aws_cloudtrail
set of resources.
Use the following pattern attribute set:
$.eventSource=cloudfront.amazonaws.com
$.errorCode=*UnauthorizedOperation
$.errorCode=AccessDenied*