lacework-global-378
CloudFront distributions should have a default root object configured (Automated)
Description
This policy verifies whether an Amazon CloudFront distribution has a default root object configured.
A user might request the distribution's root URL instead of an object in the distribution. You can specify a default root object to help avoid exposing the contents of your web distribution when this happens. Note that the default root object applies only to requests for the distribution's root URL, not to requests for subdirectory paths.
Remediation
From the AWS Console:
- Log in to the AWS Management Console.
- Click Services.
- Select Networking & Content Delivery > CloudFront.
- Select the applicable distribution.
- Click Edit under the Settings header.
- For Default root object, enter the name of an object to use as the root object.
- Click Save changes.
From CLI:
First, get the existing distribution configuration and note the ETag in the output:
aws cloudfront get-distribution-config --id <cloudfront_distribution_id>
Save the output to a JSON file and add an element called DefaultRootObject inside DistributionConfig, keeping all of the other keys that were returned (they are omitted here for brevity). Example using index.html:
{
"ETag": "E1QWERTYEXAMPLE",
"DistributionConfig": {
"DefaultRootObject": "index.html"
}
}
Finally, run the update-distribution command with the DistributionConfig object from that file (the value of the DistributionConfig key only, without the surrounding ETag wrapper) and pass the ETag as the If-Match value so a concurrent change to the distribution is not silently overwritten:
aws cloudfront update-distribution --id <cloudfront_distribution_id> --distribution-config file://<json_file_name> --if-match <ETag>
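The following is an added example, not part of the Lacework policy text or of AWS's own tooling. It shows the check behind this policy and the two CLI pitfalls above in code: it reads a constructed sample of the get-distribution-config output (placeholder ETag, ids and origin), reports the distribution as non-compliant because DefaultRootObject is empty, and builds the bare DistributionConfig object plus the ETag that update-distribution expects. The sample document, the file name distribution-config.json and the function names are assumptions.

```python
"""Added example: check a CloudFront distribution config for a default root
object and prepare the update-distribution arguments. The sample output
below is constructed; the ETag, ids and origin are placeholders."""
import json

# Constructed sample of `aws cloudfront get-distribution-config` output for a
# distribution with NO default root object (CloudFront returns "" in that case).
SAMPLE_GET_CONFIG_OUTPUT = json.dumps({
    "ETag": "E1QWERTYEXAMPLE",
    "DistributionConfig": {
        "CallerReference": "constructed-caller-reference",
        "Comment": "constructed example distribution",
        "Enabled": True,
        "DefaultRootObject": "",
        "Origins": {
            "Quantity": 1,
            "Items": [{"Id": "s3-origin", "DomainName": "example-bucket.s3.amazonaws.com"}],
        },
    },
})


def has_default_root_object(get_config_output: str) -> bool:
    """Return True when the config names a non-empty default root object.

    An absent key and an empty string both mean "not configured", which is
    what this policy (and Security Hub control CloudFront.1) flags.
    """
    doc = json.loads(get_config_output)
    value = doc.get("DistributionConfig", {}).get("DefaultRootObject", "")
    return isinstance(value, str) and value.strip() != ""


def build_update_args(get_config_output: str, root_object: str = "index.html"):
    """Produce (distribution_config, etag) for `aws cloudfront update-distribution`.

    The file passed to --distribution-config must contain only the
    DistributionConfig object, not the ETag wrapper returned by the get call;
    the ETag is passed separately as --if-match.
    """
    if not root_object or root_object.startswith("/"):
        # CloudFront expects an object name without a leading slash.
        raise ValueError("default root object must be an object name without a leading slash")
    doc = json.loads(get_config_output)
    config = dict(doc["DistributionConfig"])  # shallow copy: every existing key is kept
    config["DefaultRootObject"] = root_object
    return config, doc["ETag"]


def update_command(distribution_id: str, json_file: str, etag: str) -> str:
    """Render the CLI invocation for the final remediation step."""
    return (
        f"aws cloudfront update-distribution --id {distribution_id} "
        f"--distribution-config file://{json_file} --if-match {etag}"
    )


if __name__ == "__main__":
    if has_default_root_object(SAMPLE_GET_CONFIG_OUTPUT):
        print("compliant: default root object is configured")
    else:
        config, etag = build_update_args(SAMPLE_GET_CONFIG_OUTPUT)
        with open("distribution-config.json", "w") as fh:
            json.dump(config, fh, indent=2)
        # Placeholder id: substitute the real distribution id before running.
        print(update_command("<cloudfront_distribution_id>", "distribution-config.json", etag))
```

In an audit script the sample string would be replaced by the real output of get-distribution-config for each distribution returned by list-distributions; the ETag handling is what makes the update safe to run unattended, because CloudFront rejects the call if the distribution changed since the config was read.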
References
https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html#DefaultRootObjectHowToDefine