AWSConfigRemediation-EnableCloudFrontAccessLogs
Description
The AWSConfigRemediation-EnableCloudFrontAccessLogs runbook enables access logging for the Amazon CloudFront (CloudFront) distribution you specify.
Document type
Automation
Owner
Amazon
Platforms
Linux, macOS, Windows
Parameters
- AutomationAssumeRole
  Type: String
  Allowed values: ^arn:(?:aws|aws-us-gov|aws-cn):iam::\d{12}:role\/[\w+=,.@/-]+$
  Description: (Required) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf.
- BucketName
  Type: String
  Description: (Required) The name of the Amazon Simple Storage Service (Amazon S3) bucket you want to store access logs in. Buckets in the af-south-1, ap-east-1, eu-south-1, and me-south-1 Amazon Web Services Regions are not supported.
- CloudFrontId
  Type: String
  Description: (Required) The ID of the CloudFront distribution you want to enable access logging on.
- IncludeCookies
  Type: Boolean
  Valid values: true | false
  Description: (Optional) Set this parameter to true if you want cookies to be included in the access logs.
- Prefix
  Type: String
  Description: (Optional) An optional string that you want CloudFront to prefix to the access log filenames for your distribution, for example, myprefix/.
Required IAM permissions
The AutomationAssumeRole parameter requires the following actions to successfully use the runbook.
- ssm:StartAutomationExecution
- ssm:GetAutomationExecution
- cloudfront:GetDistribution
- cloudfront:GetDistributionConfig
- cloudfront:UpdateDistribution
- s3:GetBucketLocation
- s3:GetBucketAcl
- s3:PutBucketAcl
Document Steps
- aws:executeScript - Enables access logging for the CloudFront distribution you specify in the CloudFrontDistributionId parameter.
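The runbook's single aws:executeScript step does what the permission list implies: look up the log bucket's Region, read the distribution's current configuration, turn on the Logging block, and write the configuration back. The script below is an added illustration of that sequence written against boto3; it is not the runbook's own script. The helper names (with_access_logging, validate_bucket_region, enable_access_logs), the sample distribution configuration, and the bucket and prefix values are constructed for this example. The pure helpers run offline; only enable_access_logs calls AWS, so boto3 is imported inside it.

```python
"""Added example: enable CloudFront standard access logging the way the runbook describes.

Flow: check the S3 bucket Region -> get_distribution_config -> set Logging -> update_distribution (with ETag).
"""
import copy
from typing import Any, Dict, Optional

# Regions the runbook documents as unsupported for the access-log bucket.
UNSUPPORTED_BUCKET_REGIONS = frozenset({"af-south-1", "ap-east-1", "eu-south-1", "me-south-1"})


def bucket_region(location_constraint: Optional[str]) -> str:
    """Normalize s3:GetBucketLocation output; S3 returns None/empty for us-east-1."""
    return location_constraint or "us-east-1"


def validate_bucket_region(region: str) -> None:
    """Reject log buckets in Regions CloudFront standard logging cannot deliver to."""
    if region in UNSUPPORTED_BUCKET_REGIONS:
        raise ValueError(f"bucket Region {region} is not supported for CloudFront access logs")


def logging_bucket_domain(bucket_name: str) -> str:
    """CloudFront's Logging.Bucket field takes the bucket's S3 domain name, not the bare name."""
    return f"{bucket_name}.s3.amazonaws.com"


def with_access_logging(config: Dict[str, Any], bucket_name: str,
                        prefix: str = "", include_cookies: bool = False) -> Dict[str, Any]:
    """Return a copy of a DistributionConfig with the Logging block enabled.

    All four Logging keys are required by UpdateDistribution; nothing else is touched,
    so the rest of the distribution behaves exactly as before.
    """
    updated = copy.deepcopy(config)
    updated["Logging"] = {
        "Enabled": True,
        "IncludeCookies": include_cookies,
        "Bucket": logging_bucket_domain(bucket_name),
        "Prefix": prefix,
    }
    return updated


def is_logging_enabled(config: Dict[str, Any]) -> bool:
    """The verification check: True only if Logging.Enabled is set on the config."""
    return bool(config.get("Logging", {}).get("Enabled", False))


def enable_access_logs(distribution_id: str, bucket_name: str,
                       prefix: str = "", include_cookies: bool = False) -> bool:
    """Apply the change to a live distribution and verify it; needs AWS credentials."""
    import boto3  # imported here so the offline helpers above stay usable without it

    s3 = boto3.client("s3")
    region = bucket_region(s3.get_bucket_location(Bucket=bucket_name).get("LocationConstraint"))
    validate_bucket_region(region)

    cloudfront = boto3.client("cloudfront")
    current = cloudfront.get_distribution_config(Id=distribution_id)
    new_config = with_access_logging(current["DistributionConfig"], bucket_name, prefix, include_cookies)
    # IfMatch carries the ETag so a concurrent edit to the distribution fails instead of being overwritten.
    cloudfront.update_distribution(Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=new_config)

    # Re-read and confirm rather than trusting the update call alone.
    return is_logging_enabled(cloudfront.get_distribution_config(Id=distribution_id)["DistributionConfig"])


# Constructed sample: a minimal DistributionConfig with logging off, as GetDistributionConfig would return it.
SAMPLE_DISTRIBUTION_CONFIG: Dict[str, Any] = {
    "CallerReference": "example-ref",
    "Comment": "constructed sample",
    "Enabled": True,
    "Origins": {"Quantity": 1, "Items": [{"Id": "origin-1", "DomainName": "example-origin.example.com"}]},
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
}

if __name__ == "__main__":
    fixed = with_access_logging(SAMPLE_DISTRIBUTION_CONFIG, "my-log-bucket", prefix="myprefix/")
    print("before:", is_logging_enabled(SAMPLE_DISTRIBUTION_CONFIG), "after:", is_logging_enabled(fixed))
```

The offline helpers are what a detection or remediation test would exercise: feed them a captured DistributionConfig and assert that Logging comes back enabled and that no other key changed. Passing the ETag as IfMatch is the same optimistic-locking safeguard the runbook relies on through cloudfront:UpdateDistribution.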