
CloudFront logging check does not detect Standard Logging (v2) via CloudWatch Log Delivery #10004

@sahil-sols

Description


Issue search

  • I have searched the existing issues and this bug has not been reported yet

Which component is affected?

Prowler CLI/SDK

Cloud Provider (if applicable)

AWS

Steps to Reproduce

The current implementation validates logging using:

  • distribution.logging_enabled (Standard logging – legacy S3)
  • default_cache_config.realtime_log_config_arn (Real-time logging)

However, Standard Logging (v2) is not reflected in DistributionConfig.Logging and therefore is not evaluated by the check.

This causes distributions with Standard Logging (v2) enabled to be flagged as:

FAIL - CloudFront Distribution <id> has logging disabled.

even though logging is correctly configured.


Important Context

Standard Logging (v2):

  • Can be enabled directly via the AWS Console UI

  • Is implemented using CloudWatch Logs Log Delivery APIs

  • Does not populate the legacy Logging block returned by:

    aws cloudfront get-distribution-config

  • Is the current recommended logging model by AWS

  • Removes the dependency on S3 ACLs required by legacy logging

Since this configuration is available and commonly used through the AWS UI, environments using the modern logging mechanism will be incorrectly marked as non-compliant by Prowler.


Technical Details

Current Check Logic

    if distribution.logging_enabled or (
        distribution.default_cache_config
        and distribution.default_cache_config.realtime_log_config_arn
    ):

Current Evaluation Scope

This check only evaluates:

  • Legacy Standard Logging (S3)
  • Real-time logging

It does not evaluate Standard Logging (v2).

How Standard Logging (v2) Works

Standard Logging (v2) must be validated via:

  • logs:DescribeDeliverySources
  • logs:DescribeDeliveries

The CloudFront distribution ARN format is:

    arn:aws:cloudfront::<account-id>:distribution/<distribution-id>

The logging configuration exists in the CloudWatch Logs delivery configuration, not in the CloudFront distribution configuration object.

Expected behavior

The check should return PASS if ANY of the following are configured:

  • Standard Logging (legacy S3)
  • Real-time logging
  • Standard Logging (v2) via CloudWatch Log Delivery (CloudWatch Logs / Firehose)

Suggested Enhancement

Extend the CloudFront service client to:

  • Retrieve log delivery sources using describe_delivery_sources
  • Match resourceArns to the distribution ARN
  • Confirm an active delivery exists via describe_deliveries

Actual Result with Screenshots or Logs


How did you install Prowler?

Cloning the repository from github.com (git clone)

Environment Resource

  1. CloudFront

OS used

macOS

Prowler version

Prowler 5.18.1

Python version

Python 3.9.6

Pip version

pip 25.3

Context

No response
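The delivery-source / delivery pairing the issue proposes, as an added Python example that is not Prowler's code. It assumes the response field names of the CloudWatch Logs DescribeDeliverySources and DescribeDeliveries calls (deliverySources, resourceArns, deliveries, deliverySourceName, nextToken); FakeLogsClient, the account id, distribution ids and records are constructed so it runs offline.

```python
# Added example, not Prowler's code. CloudWatch Logs response field names are
# assumed; the fake client and every record below are constructed.
def distribution_arn(account_id, distribution_id):
    return f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"

def _pages(client, operation, key):
    """Walk nextToken pagination and yield every item found under `key`."""
    kwargs = {}
    while True:
        page = getattr(client, operation)(**kwargs)
        yield from page.get(key, [])
        if not page.get("nextToken"):
            return
        kwargs = {"nextToken": page["nextToken"]}

def has_standard_logging_v2(logs_client, dist_arn):
    """Needs a delivery source listing dist_arn AND a delivery bound to it; a source alone fails."""
    sources = {s["name"]
               for s in _pages(logs_client, "describe_delivery_sources", "deliverySources")
               if dist_arn in s.get("resourceArns", [])}
    return bool(sources) and any(
        d.get("deliverySourceName") in sources
        for d in _pages(logs_client, "describe_deliveries", "deliveries"))

def logging_status(legacy_s3_enabled, realtime_log_config_arn, logs_client, dist_arn):
    """PASS if any of the three logging mechanisms is configured, as the issue asks."""
    if legacy_s3_enabled or realtime_log_config_arn:
        return "PASS"
    return "PASS" if has_standard_logging_v2(logs_client, dist_arn) else "FAIL"

class FakeLogsClient:
    """Constructed stand-in for boto3.client("logs"); sources span two pages."""
    def __init__(self, sources, deliveries):
        self._sources, self._deliveries = sources, deliveries
    def describe_delivery_sources(self, nextToken=None):
        if nextToken is None:
            return {"deliverySources": self._sources[:1], "nextToken": "page-2"}
        return {"deliverySources": self._sources[1:]}
    def describe_deliveries(self, nextToken=None):
        return {"deliveries": self._deliveries}

ACCOUNT = "123456789012"                              # constructed account id
LOGGED = distribution_arn(ACCOUNT, "E1V2LOGGEDAAAA")  # source + delivery present
HALF = distribution_arn(ACCOUNT, "E2SOURCEONLYBB")    # source present, no delivery
NONE = distribution_arn(ACCOUNT, "E3NOLOGGINGCC")     # nothing configured
FAKE = FakeLogsClient(
    sources=[{"name": "cf-logs", "service": "CLOUDFRONT", "resourceArns": [LOGGED]},
             {"name": "cf-orphan", "service": "CLOUDFRONT", "resourceArns": [HALF]}],
    deliveries=[{"id": "d-1", "deliverySourceName": "cf-logs", "deliveryDestinationType": "CWL"}])
```

Against a real account, replace FAKE with boto3.client("logs", region_name=...) and the same functions apply unchanged.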
