aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CloudFront distribution starts logging even when it's disabled #5371

Closed markusl closed 4 years ago

markusl commented 4 years ago

It seems to me that CloudFront access logging is turned on even when it is not specified in the code.

The radio button "Logging On" is selected in the "Distribution Settings" page.

CloudFront documentation seems to be unclear about this https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-logging

The problematic part is that extra costs are accrued with this behavior.

Reproduction Steps


    // aws-cdk v1 API (@aws-cdk/aws-cloudfront, 1.19.0 at the time of the report).
    // `viewerCertificate`, `bucket`, `originAccessIdentity` and `webAcl` are
    // defined elsewhere in the stack and passed through here.
    import * as cloudfront from '@aws-cdk/aws-cloudfront';

    // Note that `loggingConfig` is not set, so the synthesized
    // DistributionConfig carries no Logging property at all.
    const props: cloudfront.CloudFrontWebDistributionProps = {
        viewerCertificate,
        originConfigs: [{
            s3OriginSource: {
                s3BucketSource: bucket,
                originAccessIdentityId: originAccessIdentity.ref,
            },
            behaviors: [{
                isDefaultBehavior: true,
            }]
        }],
        webACLId: webAcl.ref,
    };
    const distribution = new cloudfront.CloudFrontWebDistribution(scope, `Distribution`, props);

Environment


This is :bug: Bug Report

jogold commented 4 years ago

Are you sure this is the case? Logging cannot be enabled without specifying a bucket as log destination.

markusl commented 4 years ago

@jogold there seems to be a log bucket specified after the "Logging" radio button:

cf-local-xxxxxxx.s3.amazonaws.com where 'xxxxxxx' seems to be randomly assigned. The bucket is filled with log files with format E3FYYFOXXXXXXX.2019-12-02-16.50287b85.gz.

The DistributionConfig of the generated AWS::CloudFront::Distribution structure does not seem to contain any specification for logging but still, it gets created. Does this answer your question?

Br, Markus

jogold commented 4 years ago

@markusl this is the behavior when you pass an empty object ({}) to loggingConfig (a bucket is automatically created for you). If the loggingConfig prop is omitted logging should not be enabled...

Can you try with the latest version?

markusl commented 4 years ago

@jogold the problem persists at least with 0.19.0. I don't see any changes to CloudFront in the changelog for 1.20.0.

jogold commented 4 years ago

the problem persists at least with 0.19.0

you mean 1.19.0?

markusl commented 4 years ago

Yes, 1.19.0 :)

jogold commented 4 years ago

I cannot reproduce this. Care to share your code + generated CF template?

markusl commented 4 years ago

Thanks for taking the time to look into this. I found out the reason, and this happens because of commonly deployed scripts in all of our accounts, something that I wasn't aware of, but it totally makes sense now. Our security organization watches configuration changes and quietly enables the logs for all CloudFront distributions even though this is not a production account.

Apologies for the false report.
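The root cause above is configuration drift: the synthesized template never declares logging, but an account-wide guardrail switches it on after deployment, so the console and the template disagree. The script below is an added example for this thread, not code from aws-cdk or from either commenter. It compares the `Logging` block of each `AWS::CloudFront::Distribution` in a CloudFormation template with the live `DistributionConfig` and reports the three ways they can disagree. Note the two shapes differ: in CloudFormation, the presence of `Logging` with a `Bucket` means logging is on, while the CloudFront API's `Logging` has an explicit `Enabled` flag. The template and live config embedded here are constructed samples shaped like the situation in the thread (the bucket name is the reporter's redacted placeholder); `fetch_live_config` is the online path and assumes boto3 and `cloudfront:GetDistributionConfig` permission.

```python
"""Spot CloudFront access-logging drift between a synthesized CloudFormation
template and the deployed distribution.

Added example for this issue thread, not aws-cdk code. Inputs below are
constructed samples: no Logging property in the template, logging switched
on for the deployed distribution by an out-of-band script.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: what CDK synthesizes when loggingConfig is omitted; the
# DistributionConfig carries no Logging property at all.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "Distribution": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {
                "DistributionConfig": {
                    "Enabled": True,
                    "DefaultCacheBehavior": {
                        "TargetOriginId": "origin1",
                        "ViewerProtocolPolicy": "redirect-to-https",
                        "ForwardedValues": {"QueryString": False},
                    },
                    "Origins": [{
                        "Id": "origin1",
                        "DomainName": "example-bucket.s3.amazonaws.com",
                        "S3OriginConfig": {"OriginAccessIdentity": ""},
                    }],
                }
            },
        }
    }
}

# Constructed sample of the live DistributionConfig, shaped like the
# GetDistributionConfig response; the bucket is the reporter's placeholder.
SAMPLE_LIVE_CONFIG: Dict[str, Any] = {
    "Enabled": True,
    "Logging": {
        "Enabled": True,
        "IncludeCookies": False,
        "Bucket": "cf-local-xxxxxxx.s3.amazonaws.com",
        "Prefix": "",
    },
}


def template_logging(template: Dict[str, Any]) -> Dict[str, Optional[Dict[str, Any]]]:
    """Map each AWS::CloudFront::Distribution logical id to its Logging block,
    or None when the template declares no logging (in CloudFormation, a
    Logging block with a Bucket is what turns logging on)."""
    result: Dict[str, Optional[Dict[str, Any]]] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        result[logical_id] = config.get("Logging")
    return result


def live_logging_bucket(dist_config: Dict[str, Any]) -> Optional[str]:
    """Return the log bucket of a live DistributionConfig when logging is
    enabled there, else None (the API shape carries an explicit Enabled flag)."""
    logging = dist_config.get("Logging") or {}
    if logging.get("Enabled") and logging.get("Bucket"):
        return str(logging["Bucket"])
    return None


def logging_drift(declared: Optional[Dict[str, Any]], dist_config: Dict[str, Any]) -> Optional[str]:
    """Describe the logging drift between template and live state, or None
    when they agree."""
    live_bucket = live_logging_bucket(dist_config)
    declared_bucket = declared.get("Bucket") if declared else None
    if declared_bucket is None and live_bucket is not None:
        return f"logging enabled out of band, writing to {live_bucket}"
    if declared_bucket is not None and live_bucket is None:
        return f"template declares logging to {declared_bucket} but it is disabled"
    if declared_bucket is not None and live_bucket is not None and declared_bucket != live_bucket:
        return f"log bucket changed: template {declared_bucket}, live {live_bucket}"
    return None


def check_stack(template: Dict[str, Any], live_configs: Dict[str, Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Compare every distribution in the template with its live config (keyed
    by logical id) and return (logical_id, finding) pairs; distributions with
    no live config are skipped."""
    findings: List[Tuple[str, str]] = []
    for logical_id, declared in template_logging(template).items():
        live = live_configs.get(logical_id)
        if live is None:
            continue
        message = logging_drift(declared, live)
        if message:
            findings.append((logical_id, message))
    return findings


def fetch_live_config(distribution_id: str) -> Dict[str, Any]:
    """Online path: fetch the live DistributionConfig with boto3 (imported
    lazily so the offline sample runs without it)."""
    import boto3

    response = boto3.client("cloudfront").get_distribution_config(Id=distribution_id)
    return response["DistributionConfig"]


if __name__ == "__main__":
    for logical_id, finding in check_stack(SAMPLE_TEMPLATE, {"Distribution": SAMPLE_LIVE_CONFIG}):
        print(f"{logical_id}: {finding}")
```

Running the module as-is prints a single finding for `Distribution`: logging enabled out of band to the placeholder bucket, which is exactly the symptom in this thread. In a real pipeline you would feed it `cdk synth` output and the result of `fetch_live_config` for each deployed distribution id, and treat an "enabled out of band" finding as a prompt to either declare `loggingConfig` in the stack or accept that a separate control owns that setting.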