
lacework-global-378

CloudFront distributions should have a default root object configured (Automated)

Description

This policy verifies whether an Amazon CloudFront distribution has a default root object configured.

A user might request the distribution's root URL (for example https://d111111abcdef8.cloudfront.net/) instead of a specific object in the distribution. If no default root object is configured, CloudFront forwards that request to the origin as-is; with an Amazon S3 origin this can return a listing of the bucket contents (if listing is permitted) or an error page, either of which exposes more about the site than intended. Specifying a default root object such as index.html makes CloudFront return that object instead. The setting applies only to requests for the root of the distribution, not to requests for subdirectories.

Remediation

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Networking & Content Delivery > CloudFront.
  4. Select the applicable distribution.
  5. Click Edit under the Settings header.
  6. For Default root object, enter the name of an object to use as the root object.
  7. Click Save changes.

From CLI:

First, get the existing distribution configuration. Note the ETag in the response; update-distribution requires it as the --if-match value:

aws cloudfront get-distribution-config --id <cloudfront_distribution_id>

Save the DistributionConfig object from the output (not the surrounding ETag wrapper) to a JSON file and set the DefaultRootObject element. update-distribution replaces the whole configuration, so every other element returned by get-distribution-config must stay in the file. Only the element being changed is shown below, using index.html as the example; the value is an object name without a leading slash:

{
  "DefaultRootObject": "index.html"
}

Finally, run update-distribution to apply the default root object, passing the file with a file:// prefix and the ETag from the first step:

aws cloudfront update-distribution --id <cloudfront_distribution_id> --if-match <etag> --distribution-config file://<json_file_name>
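The check described in the Description section and the CLI remediation above, carried out together with boto3, as an added example (this is not Lacework's or AWS's own code). It assumes boto3 is installed and AWS credentials with cloudfront:ListDistributions, cloudfront:GetDistributionConfig and cloudfront:UpdateDistribution are available; SAMPLE_CONFIG and the distribution IDs are constructed for illustration. The two pure helpers run offline, and the live audit only imports boto3 when the script is executed directly.

```python
"""Audit CloudFront distributions for a missing default root object and
build the corrected DistributionConfig for update_distribution.

Added example (not from the original page). Live calls go through a
boto3 cloudfront client; the helpers below are pure so they can be
exercised offline against the constructed SAMPLE_CONFIG.
"""
import copy

# Constructed minimal DistributionConfig, shaped like the one returned by
# get_distribution_config. Note the API returns DefaultRootObject as an
# empty string when nothing is configured.
SAMPLE_CONFIG = {
    "CallerReference": "example-2024-01-01",
    "Comment": "",
    "Enabled": True,
    "DefaultRootObject": "",
    "Origins": {
        "Quantity": 1,
        "Items": [{
            "Id": "s3-origin",
            "DomainName": "example-bucket.s3.amazonaws.com",
            "S3OriginConfig": {"OriginAccessIdentity": ""},
        }],
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
    },
}


def missing_default_root_object(config: dict) -> bool:
    """True when a DistributionConfig has no usable DefaultRootObject.

    Both an absent key and an empty/whitespace value count as missing.
    """
    return not config.get("DefaultRootObject", "").strip()


def with_default_root_object(config: dict, root_object: str = "index.html") -> dict:
    """Return a deep copy of DistributionConfig with DefaultRootObject set.

    update_distribution requires the complete configuration, so every other
    element is preserved. The ETag is not part of the config; it is passed
    separately as IfMatch. CloudFront expects an object name without a
    leading slash (index.html, not /index.html).
    """
    if not root_object or root_object.startswith("/"):
        raise ValueError("DefaultRootObject must be a non-empty name without a leading '/'")
    patched = copy.deepcopy(config)
    patched["DefaultRootObject"] = root_object
    return patched


def audit(client) -> list[str]:
    """Return the IDs of all distributions lacking a default root object.

    DistributionSummary from list_distributions does not carry
    DefaultRootObject, so each distribution's config is fetched.
    """
    offenders = []
    for page in client.get_paginator("list_distributions").paginate():
        for item in page.get("DistributionList", {}).get("Items", []):
            config = client.get_distribution_config(Id=item["Id"])["DistributionConfig"]
            if missing_default_root_object(config):
                offenders.append(item["Id"])
    return offenders


def remediate(client, dist_id: str, root_object: str = "index.html") -> bool:
    """Set the default root object on one distribution.

    Returns True when an update was sent, False when nothing was needed.
    The ETag from get_distribution_config is passed as IfMatch so a
    concurrent change to the distribution makes the update fail instead
    of being silently overwritten.
    """
    resp = client.get_distribution_config(Id=dist_id)
    config = resp["DistributionConfig"]
    if not missing_default_root_object(config):
        return False
    client.update_distribution(
        Id=dist_id,
        IfMatch=resp["ETag"],
        DistributionConfig=with_default_root_object(config, root_object),
    )
    return True


if __name__ == "__main__":
    import boto3  # assumed installed; only needed for the live audit
    cf = boto3.client("cloudfront")
    for dist_id in audit(cf):
        print(f"{dist_id}: no default root object configured")
```

Run the script as-is to list non-compliant distributions; call remediate(cf, dist_id) for each one you want fixed. Deployment of the new configuration takes a few minutes, during which the distribution status reads InProgress.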

References

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html#DefaultRootObjectHowToDefine