Rule: CloudFront distributions should have a default root object configured

This rule ensures that CloudFront distributions have a default root object configured for better accessibility.

Rule: CloudFront distributions should have a default root object configured
Framework: AWS Foundational Security Best Practices
Severity: Critical

CloudFront Default Root Object Configuration

Rule Description

CloudFront distributions should have a default root object configured to enhance security and user experience. The default root object allows CloudFront to serve a specific file when a user accesses the root URL of your distribution.

Rule Explanation

Setting a default root object ensures that users accessing the root domain or URL of your CloudFront distribution are served with a specific file, like an index.html or index.php file. This ensures a consistent user experience and minimizes the risk of exposing sensitive information or directory listings.

Rule Remediation

To configure a default root object in your CloudFront distribution, follow these steps:

  1. Open the AWS Management Console and navigate to the Amazon CloudFront service.
  2. Select the desired CloudFront distribution for which you want to configure the default root object.
  3. Click on the "Origins and Origin Groups" tab.
  4. Click on the "Default behavior" or the specific behavior you want to configure the default root object for.
  5. Scroll down to the "Default Root Object" section.
  6. Click on the "Edit" button.
  7. Enter the filename of the desired default root object to be served when users access the root URL.
  8. Click on the "Save" button to save your changes.

Troubleshooting Steps

If you face any issues while configuring the default root object for your CloudFront distribution, consider the following troubleshooting steps:

  1. Verify that you have the necessary permissions to modify the CloudFront distribution configuration.
  2. Double-check that the filename you provided for the default root object exists in the origin bucket or location.
  3. Ensure that the default root object filename is correctly spelled and matches the case sensitivity.
  4. Confirm that the distribution is in the "Enabled" state and propagates changes to all edge locations.

Additional Considerations

  • Keep in mind that serving static HTML files as the default root object can help improve SEO by making your website more crawlable and discoverable by search engines.
  • Ensure proper access controls and permissions are in place for the default root object file to prevent unauthorized access.
  • Regularly test and monitor your CloudFront distribution to ensure the default root object is serving as expected.

Example Code

If you prefer to configure the default root object using the AWS Command Line Interface (CLI), you can use the following command:

aws cloudfront update-distribution --id DISTRIBUTION_ID --default-root-object FILENAME

Replace DISTRIBUTION_ID with the actual ID of your CloudFront distribution, and FILENAME with the desired default root object filename.

Please note that AWS CLI should be configured with appropriate permissions and credentials before executing the command.
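
A check for this rule, as an added example that is not part of the original page or the vendor's own code: it evaluates saved `aws cloudfront get-distribution-config` responses and flags distributions whose DefaultRootObject is empty or missing. The distribution IDs and sample responses are constructed, and the leading-slash warning assumes AWS's guidance to give only the object name.

```python
import json

# Constructed sample input: one `aws cloudfront get-distribution-config --id <ID>`
# response per distribution, trimmed to the fields this check reads.
# The distribution IDs are made up.
SAMPLE_CONFIGS = json.loads("""
{
  "EXAMPLEID0001": {"ETag": "E1", "DistributionConfig": {"DefaultRootObject": "index.html", "Enabled": true}},
  "EXAMPLEID0002": {"ETag": "E2", "DistributionConfig": {"DefaultRootObject": "", "Enabled": true}},
  "EXAMPLEID0003": {"ETag": "E3", "DistributionConfig": {"DefaultRootObject": "/index.html", "Enabled": true}},
  "EXAMPLEID0004": {"ETag": "E4", "DistributionConfig": {"Enabled": false}}
}
""")


def check_default_root_object(dist_id, response):
    """Evaluate one get-distribution-config response against the rule."""
    config = response.get("DistributionConfig", {})
    value = (config.get("DefaultRootObject") or "").strip()
    if not value:
        status, reason = "FAIL", "no default root object configured"
    elif value.startswith("/"):
        # AWS expects the bare object name (index.html, not /index.html).
        status, reason = "WARN", "remove the leading '/' from the object name"
    else:
        status, reason = "PASS", "default root object is " + value
    return {"id": dist_id, "status": status,
            "enabled": bool(config.get("Enabled")), "reason": reason}


def audit(configs):
    """Return one finding per distribution, ordered by distribution ID."""
    return [check_default_root_object(i, configs[i]) for i in sorted(configs)]


def failing_ids(configs):
    """IDs of distributions that violate the rule."""
    return [f["id"] for f in audit(configs) if f["status"] == "FAIL"]


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIGS):
        state = "enabled" if f["enabled"] else "disabled"
        print(f'{f["status"]:4} {f["id"]} ({state}): {f["reason"]}')
```

To run it against real data, save each distribution's get-distribution-config output and build the same ID-to-response mapping before calling audit().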

Conclusion

Configuring a default root object for your CloudFront distribution is a recommended security best practice that provides a smoother user experience and ensures consistency when accessing the root URL. By following the provided remediation steps, you will be able to configure the default root object and enhance the security of your AWS infrastructure.
