Amazon CloudFront is a content delivery network (CDN) service that accelerates the delivery of both static and dynamic web content. This integration collects traffic data passively, between the Viewer (downstream) and the Origin (upstream), from CloudFront's own access logs rather than from the request path, so it does not affect performance.
Because the integration is passive and asynchronous, it adds no latency to requests and does not affect CloudFront performance. Processing is handled by the following AWS-native services, which makes the integration scalable and serverless.
- Amazon S3 to store the native CloudFront Standard Access Logs.
- AWS Lambda to process each log file and format the data for the Cequence Unified API Protection (UAP) platform.
- Amazon CloudWatch to store the Lambda execution logs. The log retention window is one day.
This diagram shows traffic flow through your environment.
- CloudFront receives the request from the Viewer.
- CloudFront sends the request to the Origin (if the response is not in cache).
- CloudFront receives the response from the Origin (if the response is not in cache).
- CloudFront sends the response to the Viewer.
- Requests are logged to Amazon S3 in batches (several times an hour).
- A Lambda function is triggered when a new batch file is saved. If multiple files are saved concurrently, multiple Lambda functions run in parallel to process them.
- The Lambda function batches all transactions from the file and sends them to the Cequence Bridge.
- The Cequence Bridge forwards the transactions to UAP for further analysis.
Before you start
Make sure that your Amazon environment meets the following requirements before you start to deploy this integration.
- AWS CLI installed and configured
- The jq command-line JSON processor installed
- Terraform installed
- Cequence Bridge deployed
What you'll need
- The cequence-tf-iam-cf-passive-policy.json file attached to the IAM role or user that you're using for this procedure. See Amazon's documentation for details on IAM policy management. Note that the sample policy below grants cloudfront:* on all resources and s3:* on buckets whose names begin with cequence-cf-passive-; review that scope before attaching it.
- AWS credentials configured to use us-east-1 as the default region.
- A deployed and active CloudFront distribution.
- Access to the Cequence UAP platform.
- Access to an API traffic tool such as curl, Postman, or a web browser to send test requests.
Sample IAM policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ScanRegions",
      "Effect": "Allow",
      "Action": "ec2:DescribeRegions",
      "Resource": "*"
    },
    {
      "Sid": "IAMRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/cequence_cf_passive_lambda_role-*"
    },
    {
      "Sid": "IAMRolesManagement",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole"
      ],
      "Resource": "arn:aws:iam::*:role/*"
    },
    {
      "Sid": "LambdaFunctionManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:ListVersionsByFunction",
        "lambda:GetFunctionCodeSigningConfig",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:GetPolicy",
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:*:*:function:cequence-cf-passive-lambda-*"
    },
    {
      "Sid": "s3BucketManagement",
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "arn:aws:s3:::cequence-cf-passive-*"
    },
    {
      "Sid": "BucketNotifications",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy",
        "s3:GetBucketNotification",
        "s3:PutBucketNotification",
        "logs:PutDeliveryDestination",
        "logs:DeleteDeliveryDestination"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Sid": "CloudFrontFullAccess",
      "Action": [
        "cloudfront:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "logs:ListTagsForResource",
        "logs:CreateLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:GetLogDelivery"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/cequence-cf-passive-lambda-*"
    },
    {
      "Sid": "CloudWatchLogsMultiple",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeResourcePolicies",
        "logs:ListLogDeliveries"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:*"
    },
    {
      "Sid": "CloudWatchLogsDescribe",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:*"
    },
    {
      "Sid": "ReadWriteAccessForLogDeliveryActions",
      "Effect": "Allow",
      "Action": [
        "logs:GetDelivery",
        "logs:GetDeliverySource",
        "logs:PutDeliveryDestination",
        "logs:GetDeliveryDestinationPolicy",
        "logs:DeleteDeliverySource",
        "logs:PutDeliveryDestinationPolicy",
        "logs:CreateDelivery",
        "logs:GetDeliveryDestination",
        "logs:PutDeliverySource",
        "logs:DeleteDeliveryDestination",
        "logs:DeleteDeliveryDestinationPolicy",
        "logs:DeleteDelivery",
        "logs:UpdateDeliveryConfiguration"
      ],
      "Resource": [
        "arn:aws:logs:*:*:delivery:*",
        "arn:aws:logs:*:*:delivery-source:S3-delivery",
        "arn:aws:logs:*:*:delivery-source:CequenceCloudFront-*",
        "arn:aws:logs:*:*:delivery-source:CreatedByCloudFront-*",
        "arn:aws:logs:*:*:delivery-destination:S3-destination",
        "arn:aws:logs:*:*:delivery-destination:CequenceCloudFront-*"
      ]
    },
    {
      "Sid": "ListAccessForLogDeliveryActions",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeDeliveryDestinations",
        "logs:DescribeDeliverySources",
        "logs:DescribeDeliveries",
        "logs:DescribeConfigurationTemplates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUpdatesToResourcePolicyCWL",
      "Effect": "Allow",
      "Action": [
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups",
        "logs:UpdateDeliveryConfiguration",
        "logs:CreateDelivery",
        "logs:DeleteDelivery",
        "logs:PutDeliveryDestination",
        "logs:DeleteDeliveryDestination"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Sid": "CloudFrontLogDeliverySourcesManagement",
      "Effect": "Allow",
      "Action": [
        "logs:PutDeliverySource",
        "logs:DeleteDeliverySource"
      ],
      "Resource": [
        "arn:aws:cloudfront:*:*:*"
      ]
    }
  ]
}
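Before attaching the policy above, it is worth knowing exactly which statements are broad. The following is an added example, not part of the Cequence integration or its scripts: a small audit that walks a policy document and flags wildcard actions, unscoped resources (a literal "*" or an ARN whose region, account and resource parts are all "*"), and iam:PassRole on an unscoped resource. The embedded SAMPLE_POLICY is a five-statement excerpt of the sample policy on this page; the severity labels and the read-only heuristic (Get/List/Describe) are the example's own assumptions.

```javascript
'use strict';

const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
const isWildcardAction = (a) => a === '*' || a.endsWith(':*');
// Read-only actions (Get/List/Describe) legitimately need Resource "*" for many services.
const isReadOnly = (a) => /^[^:]+:(Get|List|Describe)[A-Za-z]*$/.test(a);
// "*" or an ARN whose region, account and resource parts are all wildcards.
const isUnscoped = (r) => r === '*' || /^arn:aws:[^:]+:\*:\*:\*$/.test(r);

// Return the findings for one statement; only Allow statements widen access.
function auditStatement(stmt) {
  const findings = [];
  if (stmt.Effect !== 'Allow') return findings;
  const actions = toList(stmt.Action);
  const resources = toList(stmt.Resource);
  const unscoped = resources.some(isUnscoped);
  for (const a of actions.filter(isWildcardAction)) {
    findings.push({
      sid: stmt.Sid,
      severity: unscoped ? 'high' : 'medium',
      reason: `wildcard action ${a}${unscoped ? ' on an unscoped resource' : ' (resource-scoped)'}`,
    });
  }
  // Non-wildcard, non-read-only actions on an unscoped resource; PassRole is the worst case.
  const mutating = actions.filter((a) => !isWildcardAction(a) && !isReadOnly(a));
  if (unscoped && mutating.length) {
    findings.push({
      sid: stmt.Sid,
      severity: mutating.includes('iam:PassRole') ? 'high' : 'medium',
      reason: `mutating actions on an unscoped resource: ${mutating.join(', ')}`,
    });
  }
  return findings;
}

function auditPolicy(policy) {
  return toList(policy.Statement).flatMap(auditStatement);
}

// Excerpt of this page's sample policy (five of its statements), used as the input here.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'ScanRegions', Effect: 'Allow', Action: 'ec2:DescribeRegions', Resource: '*' },
    { Sid: 'IAMRoleManagement', Effect: 'Allow', Action: ['iam:PassRole', 'iam:PutRolePolicy'],
      Resource: 'arn:aws:iam::*:role/cequence_cf_passive_lambda_role-*' },
    { Sid: 's3BucketManagement', Effect: 'Allow', Action: ['s3:*', 's3-object-lambda:*'],
      Resource: 'arn:aws:s3:::cequence-cf-passive-*' },
    { Sid: 'CloudFrontFullAccess', Action: ['cloudfront:*'], Effect: 'Allow', Resource: '*' },
    { Sid: 'AllowUpdatesToResourcePolicyCWL', Effect: 'Allow',
      Action: ['logs:PutResourcePolicy', 'logs:DescribeResourcePolicies'], Resource: ['arn:aws:logs:*:*:*'] },
  ],
};

// One line per finding, e.g. "HIGH CloudFrontFullAccess: wildcard action cloudfront:* on an unscoped resource".
function report(policy) {
  return auditPolicy(policy).map((f) => `${f.severity.toUpperCase()} ${f.sid}: ${f.reason}`);
}

console.log(report(SAMPLE_POLICY).join('\n'));
```

To run it over the full policy, replace SAMPLE_POLICY with JSON.parse(fs.readFileSync('cequence-tf-iam-cf-passive-policy.json', 'utf8')). On the excerpt it reports nothing for ScanRegions (read-only) and IAMRoleManagement (PassRole is scoped to the cequence_cf_passive_lambda_role-* pattern), two medium findings for the s3:* and s3-object-lambda:* actions on the cequence-cf-passive-* buckets, one high finding for cloudfront:* on every resource, and one medium finding for logs:PutResourcePolicy on arn:aws:logs:*:*:*.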
Items to download
Download the compressed archive file of the integration.
Installing the Amazon CloudFront passive integration
Integrating the Cequence UAP platform with Amazon CloudFront takes place over the following distinct phases.
Installing the plugin
- From a terminal window, extract the compressed archive file.
- Make a copy of the .env.example file named .env.
- In a text editor, edit the .env file to add values for the following variables. Replace values in angle brackets (<>) with the actual values of those items. The .env file holds the client secret, so restrict its file permissions and keep it out of version control.
  tf_auto_approve=false
  cequence_client_id=<value of the client ID>
  cequence_client_secret=<value of the client secret>
  cequence_auth_endpoint=<auth URL of your Cequence instance>
  cequence_edge_endpoint=<edge URL of your Cequence instance>
  cequence_log_level=info
- Optionally, set cequence_log_level to debug for troubleshooting.
- Navigate to the scripts directory and run the following command to make all scripts executable.
  chmod +x *.sh
- Run the setup-tfvars.sh script to generate the Terraform variables.
- Run the terraform apply command to provision the required resources.
- Run the following script to enable the integration.
  ./enable_aws_cf_integration.sh
Verify the installation
- In the AWS Console, locate your CloudFront distribution. If you've installed the plugin recently, the distribution will appear as Deploying.
- Select your CloudFront distribution and click the Behaviors tab.
- Select the radio button for the default behavior, then click Edit. The CloudFront behavior configuration dialog box appears.
- Note the name of the Lambda function and its ARN for later use.
- Click Cancel.
- Click the Tags tab.
- Confirm that the value of the cequence-enabled tag is true.
Next
- In the AWS Console, navigate to the CloudFront Distributions page and click the Global tab.
- Click the circle-arrow Refresh icon.
- Confirm that the status of your distribution shows the current timestamp.
- Send sample traffic to the CloudFront endpoint. You can use curl, Postman, or a web browser.
- Log in to the Cequence UAP platform.
- Navigate to Discovery > Live Activity and click the 15m button.
- Navigate to Threat Protection > Detection and click the 15m button.
- Navigate to Discovery > Endpoints.
- Click an endpoint from the sample traffic, then select the Request tab.
With a properly functioning integration, the sample traffic appears in the Request or Response tab, as appropriate. Because CloudFront delivers its access logs to S3 in batches several times an hour, allow some time for the sample traffic to show up.
Disabling the integration
- From a terminal window, navigate to the scripts directory.
- Run the following script to disable the integration.
  ./disable_aws_cf_integration.sh
To clean up all resources related to the integration, pass the --destroy flag to the script.
  ./disable_aws_cf_integration.sh --destroy
In case of problems
NODE_TLS_REJECT_UNAUTHORIZED warning
ERROR (node:2) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
You can ignore this warning; it appears when the Cequence Bridge uses a self-signed certificate. Be aware of what it means, though: certificate verification is disabled for the Lambda function's connection to the Bridge, so that link relies on network-level controls rather than on TLS authentication of the Bridge.
No transactions in Cequence UAP
Confirm that the Lambda function is being invoked by examining its CloudWatch logs. When transactions are successfully sent to the Cequence UAP platform, the logs contain lines similar to INFO ✅ Successfully sent 4 transactions for CF Distribution E27FO14I29XXXX. You can also check the Cequence S3 bucket for objects being delivered for your distribution.
Enabling debug logs
To enable debug logs, set cequence_log_level in the .env file to debug, then run the enable script again to restart the integration.
Skipped transactions appear in the log, similar to the following example.
DEBUG ⏩ 🚫 Skipping request with static extension for /static/small.jpg
Lambda invalid log object error
Because AWS creates the base folder structure before it writes the log object, a notification for the folder-creation event can sometimes reach the Lambda function. When this happens, the Lambda function logs an error and exits without processing anything. You can ignore this error.
Improper field stitching in transactions
Check which fields are enabled for standard logging on the CloudFront distribution. Navigate to the distribution, then to Logging. Select the radio button for the required logging configuration. Navigate to Manage > Edit, then click Show more under Field selection.
If fields are missing, send a message to your Cequence support team.
Cookie not passing properly
Navigate to the distribution, then to Logging > Manage > Settings. Toggle Cookie logging to on, if it isn't already, then click Save Changes.
If the cookie is showing in the logs, you can ignore the toggle appearing to be in the off position. If the cookie does not appear in the logs at all, send a message to your Cequence support team.
Missing logs
When a specific distribution has no transactions or objects in the logs, check whether that distribution already had a configuration that sends standard logging to an existing S3 bucket.
Check the script console logs for more details.