Profile Applicability: 

Level 2

Description

A default root object in Amazon CloudFront is the object (typically an HTML file) that CloudFront returns when a user requests the root URL of your distribution, such as https://www.example.com/, without naming a file (like index.html). Setting a default root object ensures that users are directed to a specific page, enhancing user experience and avoiding 404 errors.

Rationale

  • Improved User Experience: Provides a seamless user experience by directing users to a specific page.

  • Error Prevention: Avoids 404 errors when the root URL is accessed without specifying a file name.

  • Consistent Branding: Ensures that users are always directed to a consistent starting point, such as a homepage.

Impact

Pros:

  • Enhances user experience by directing users to a specific page.

  • Prevents 404 errors when the root URL is accessed.

  • Ensures consistent branding and user navigation.

Cons:

  • Requires additional configuration to set up the default root object.

  • Potential temporary disruption during the setup process.

Default Value

By default, CloudFront distributions do not have a default root object configured. This must be explicitly set up.

Pre-Requisite

IAM Permissions:

  • cloudfront:GetDistribution

  • cloudfront:UpdateDistribution

Tools:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to audit.

  5. Click on the General tab in the top menu.

  6. Check if a default root object is configured.

Using AWS CLI:

Check Default Root Object Status:

aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.DistributionConfig.DefaultRootObject'

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to modify.

  5. Click on the General tab in the top menu.

  6. Click Edit to modify the distribution settings.

  7. Set the Default Root Object (e.g., index.html).

  8. Click Save changes to save the changes.

Using AWS CLI:

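Set the Default Root Object (distconfig-root-object.json holds the distribution's complete DistributionConfig with DefaultRootObject set; <etag> is the current ETag value returned by get-distribution):

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-root-object.json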

Backout Plan

Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. Click Edit Attributes.

  4. Revert to the previous configuration by removing the default root object.

  5. Click Save changes to save the changes.

Using AWS CLI (<etag> is the current ETag value returned by get-distribution):

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-original.json
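
The CLI steps above rely on two files, distconfig-root-object.json and distconfig-original.json, that have to be built from the live configuration. The script below is an added example, not part of the original benchmark text: it reads the distribution, writes both files, and applies the change with the matching ETag. The script name set_root_object.py and the function names are hypothetical, and it assumes the AWS CLI is on the PATH with the permissions listed under Pre-Requisite.

```python
#!/usr/bin/env python3
"""Set a CloudFront default root object through the AWS CLI (added example)."""
import json
import subprocess
import sys


def aws(*args):
    """Run an `aws cloudfront` subcommand and return its parsed JSON output."""
    done = subprocess.run(["aws", "cloudfront", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def plan_update(response, root_object="index.html"):
    """Return (etag, new_config, changed) from a get-distribution response.

    Only DefaultRootObject changes; the rest is passed back untouched because
    update-distribution replaces the whole DistributionConfig.
    """
    if not root_object or root_object.startswith("/"):
        raise ValueError("root object must be an object name without a leading '/'")
    original = response["Distribution"]["DistributionConfig"]
    config = dict(original)  # shallow copy so the saved original stays intact
    config["DefaultRootObject"] = root_object
    return response["ETag"], config, original.get("DefaultRootObject", "") != root_object


def remediate(dist_id, root_object="index.html"):
    """Write the backout and target files, then apply the change."""
    response = aws("get-distribution", "--id", dist_id)
    etag, config, changed = plan_update(response, root_object)
    if not changed:
        return False
    original = response["Distribution"]["DistributionConfig"]
    for name, body in (("distconfig-original.json", original),
                       ("distconfig-root-object.json", config)):
        with open(name, "w") as fh:
            json.dump(body, fh, indent=2)
    # --if-match must carry the ETag of the version that was just read.
    aws("update-distribution", "--id", dist_id, "--if-match", etag,
        "--distribution-config", "file://distconfig-root-object.json")
    return True


if __name__ == "__main__":
    # Usage: python3 set_root_object.py <distribution-id> [root-object]
    print("updated" if remediate(*sys.argv[1:3]) else "already set")
```

Each successful update changes the distribution's ETag, so a later backout with distconfig-original.json needs the ETag from a fresh get-distribution call.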


References

CIS Controls

| Version | Control ID | Control Description | IG1 | IG2 | IG3 |
|---------|------------|---------------------|-----|-----|-----|
| v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | | |
| v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | | |
| v7 | 9.1 | Limit Exposure to External Networks – Use techniques like connection draining to ensure reliable connections. | | | |