/
CloudFront Delivery Network SQS Collector
Document toolboxDocument toolbox

CloudFront Delivery Network SQS Collector

Owned by Laszlo Frazer, created
Last updated: Jan 27, 2025
2 min read
[ 1 Purpose ] [ 2 Example tables ] [ 3 Authorize It ] [ 4 Run It ] [ 5 Secure It ] [ 6 Monitor It ]

Purpose

An analyst wants to detect malicious behavior in requests to the content delivery network.  Using the CloudFront SQS collector to send request logs to Devo, the analyst will find DDoS attempts.  As a result, the analyst will scale web services, preventing them from failing.

Example tables

Table

Description

Table

Description

cloud.aws.cloudfront.web_1

CloudFront content delivery network activity

web.all.access

All web activity logs

Authorize It

  1. Authorize SQS Data Access.

  2. Add data to the S3 bucket.

    1. Update or create a CloudFront Distribution.

    2. Turn log delivery on.

    3. Enable cookie logging so that cookie poisoning attacks can be investigated.

    4. Select Amazon S3 as the delivery method.

    5. Enter the destination bucket created in Step 1.

    6. Devo requires that the default 33 fields be selected.

    7. Devo does not require partitioning.

    8. Select “Plain text” format.

    9. Select “\t” field delimiters.

       

      image-20250127-163627.png

       

       

Run It

In the Cloud Collector App, create an SQS Collector instance using this parameters template, replacing the values enclosed in < >.

{ "inputs": { "sqs_collector": { "id": "<FIVE_UNIQUE_DIGITS>", "services": { "aws_sqs_control_tower": {} }, "credentials": { "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>", "aws_external_id": "<EXTERNAL_ID>" }, "region": "<REGION>", "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>" } } }

Secure It

CloudFront logs work with these Exchange Activeboards:

Devo provides compatible alert packs:

Access from unexpected location

/* Get a list of edge locations where CloudFront was accessed to search for access from geographies that should not be using the application. */ from cloud.aws.cloudfront.web_1 group by x_edge_location

Malicious redirect created

/* Get a list of redirects to check if a malicious person is directing users to phishing. */ from cloud.aws.cloudfront.web_1 where eq(x_edge_result_type,"Redirect"), toktains(cs_uri_stem,"login")//redirect to phishing login page group by cs_Host, cs_uri_stem

Monitor It

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

Set the inactivity alert to keep track of the collector_id.