
πŸ“ AWS CloudFront Web Distribution Default Root Object is not configured 🟒

  • Contextual name: πŸ“ Web Distribution Default Root Object is not configured 🟒
  • ID: /ce/ca/aws/cloudfront/distribution-default-root-object
  • Located in: πŸ“ AWS CloudFront

Our Metadata

  • Policy Type: BEST_PRACTICE
  • Policy Category:
    • SECURITY

Similar Internal Rules

Rule | Policies | Flags
dec-x-4f944d131

Logic

Description

Ensure that AWS CloudFront Web Distributions are configured with a Default Root Object.

A Default Root Object (for example index.html) is the object that CloudFront returns when a client requests the distribution's root URL (e.g., https://example.com/) rather than specifying a particular object in the distribution (e.g., https://www.example.com/product-description.html).

A Default Root Object is most appropriate when your distribution serves a website or static content entry point and you expect clients to access / directly. Common scenarios include:

  • Static websites or landing pages, ensuring that GET / returns an index.html or equivalent landing page.
  • Documentation hubs or single‑page apps.

Conversely, you typically omit a Default Root Object when:

  • Your distribution fronts APIs or microservices and clients always request specific paths.
  • Your origin itself (e.g., a dynamic web server behind an ALB) handles root requests.
  • You rely on routing logic via Lambda@Edge, CloudFront Functions, or S3 website‑endpoint error‑page configurations.
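
The two lists above can be turned into a triage step for findings. The following is an added example, not this policy's own logic or code from this page: it reads the DefaultRootObject, DefaultCacheBehavior and Origins fields of a CloudFront DistributionConfig (the structure returned by aws cloudfront get-distribution-config). The ok/review/noncompliant labels, distribution IDs and domain names are constructed for the illustration.

```python
# Added example: triage distributions that have no Default Root Object.
# Status labels and all sample data are assumptions made for this illustration.

def triage(config):
    """Classify one DistributionConfig dict as ok / review / noncompliant."""
    if config.get("DefaultRootObject"):
        return "ok", []
    behavior = config.get("DefaultCacheBehavior", {})
    reasons = []
    # Edge code on the default behavior may route "/" itself.
    if behavior.get("LambdaFunctionAssociations", {}).get("Quantity", 0):
        reasons.append("Lambda@Edge on default behavior")
    if behavior.get("FunctionAssociations", {}).get("Quantity", 0):
        reasons.append("CloudFront Function on default behavior")
    # A custom origin (ALB, web server, S3 website endpoint) may answer "/".
    target = behavior.get("TargetOriginId")
    for origin in config.get("Origins", {}).get("Items", []):
        if origin.get("Id") == target and "CustomOriginConfig" in origin:
            reasons.append("custom origin " + origin.get("DomainName", "?"))
    return ("review" if reasons else "noncompliant"), reasons

def audit(configs):
    """Map each distribution ID to its (status, reasons) pair."""
    return {dist_id: triage(cfg) for dist_id, cfg in configs.items()}

def _sample(root, origin, lambdas=0, functions=0):
    """Build a trimmed, constructed DistributionConfig for the demo."""
    return {
        "DefaultRootObject": root,
        "Origins": {"Quantity": 1, "Items": [dict(origin, Id="o1")]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "o1",
            "LambdaFunctionAssociations": {"Quantity": lambdas},
            "FunctionAssociations": {"Quantity": functions},
        },
    }

S3 = {"DomainName": "example-bucket.s3.amazonaws.com", "S3OriginConfig": {}}
ALB = {"DomainName": "alb.example.com", "CustomOriginConfig": {}}
SAMPLES = {  # constructed distribution IDs
    "EXAMPLE1": _sample("index.html", S3),
    "EXAMPLE2": _sample("", S3),
    "EXAMPLE3": _sample("", ALB),
    "EXAMPLE4": _sample("", S3, functions=1),
}

if __name__ == "__main__":
    for dist_id, (status, reasons) in audit(SAMPLES).items():
        print(dist_id, status, "; ".join(reasons))
```

A "review" result means the empty Default Root Object may be intentional and needs a human decision; an S3 REST origin with no edge routing has nothing else to answer a request for /.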


Remediation

From Command Line

You can update the Default Root Object by using the --default-root-object flag:

aws cloudfront update-distribution \
--id {{distribution-id}} \
--default-root-object {{index.html}}


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
AWS Foundational Security Best Practices v1.0.0 → [CloudFront.1] CloudFront distributions should have a default root object configured 11
Cloudaware Framework → Public and Anonymous Access 72
FedRAMP High Security Controls → AC-3 Access Enforcement (L)(M)(H) 3763
FedRAMP High Security Controls → AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 1140
FedRAMP Low Security Controls → AC-3 Access Enforcement (L)(M)(H) 63
FedRAMP Moderate Security Controls → AC-3 Access Enforcement (L)(M)(H) 63
FedRAMP Moderate Security Controls → AC-4(21) Physical or Logical Separation of Information Flows (M)(H) 40
NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties 86
NIST CSF v2.0 → PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected 102
NIST CSF v2.0 → PR.IR-01: Networks and environments are protected from unauthorized logical access and usage 63
NIST SP 800-53 Revision 5 → AC-3 Access Enforcement 15532
NIST SP 800-53 Revision 5 → AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows 3540
NIST SP 800-53 Revision 5 → SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic 17
NIST SP 800-53 Revision 5 → SC-7(16) Boundary Protection _ Prevent Discovery of System Components 18
PCI DSS v3.2.1 → 2.2.4 Configure system security parameters to prevent misuse. 3
PCI DSS v4.0.1 → 2.2.6 System security parameters are configured to prevent misuse. 3
PCI DSS v4.0 → 2.2.6 System security parameters are configured to prevent misuse. 3
UK Cyber Essentials → 2.1.5 Ensure users are authenticated before allowing them access to organizational data or services 44