CloudFront distribution has a default root object configured
cloudfront_distributions_default_root_object
CloudFront distributions are evaluated for a configured default root object, which maps requests for the root URL (/) to a specific file such as index.html instead of forwarding them unchanged to the origin.
Risk
Without a default root object, root requests can reveal origin listings or unintended files, exposing data (confidentiality) and aiding reconnaissance. They may also return errors, lowering uptime (availability), or route unpredictably, risking wrong content delivery (integrity).
prowler aws --checks cloudfront_distributions_default_root_object
Recommendation
Set a default root object that returns a safe landing page (e.g., index.html). Apply defense in depth: restrict direct origin access, define explicit error pages, and standardize redirects. Test root and subdirectory requests for predictable responses. Align origin permissions with least privilege.
Remediation
aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query DistributionConfig --output json > current-config.json && echo 'Manually edit current-config.json to set "DefaultRootObject": "index.html", then run:' && echo 'aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query "ETag" --output text)'
- Open the AWS Console and go to CloudFront
- Select the target distribution and choose Settings > General > Edit
- In Default root object, enter index.html (do not start with a /)
- Save changes and wait for deployment to complete
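The check and the CLI remediation above, as an added example that is not Prowler's own code: it takes the JSON shape printed by aws cloudfront get-distribution-config (a constructed sample, so it runs offline), separates the DistributionConfig body from the ETag, flags a missing or empty DefaultRootObject, strips the leading slash CloudFront rejects, and builds the update-distribution call.

```python
import json

# Constructed sample in the shape of `aws cloudfront get-distribution-config --output json`.
# The config body is wrapped in "DistributionConfig" next to the "ETag" that
# update-distribution needs for --if-match; only the body may go to --distribution-config.
SAMPLE_GET_OUTPUT = json.dumps({
    "ETag": "ETAGEXAMPLE123",  # placeholder, not a real ETag
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Comment": "static site",
        "Enabled": True,
        "DefaultRootObject": "",  # empty: the same as not configured
        "Origins": {"Quantity": 1, "Items": [
            {"Id": "s3-origin", "DomainName": "example-bucket.s3.amazonaws.com"}]},
    },
})


def split_get_output(raw: str) -> tuple:
    """Return (DistributionConfig body, ETag) so each reaches the right CLI flag."""
    doc = json.loads(raw)
    return doc["DistributionConfig"], doc["ETag"]


def has_default_root_object(dist_config: dict) -> bool:
    """Mirror the check: a missing or blank DefaultRootObject is a finding."""
    return bool(dist_config.get("DefaultRootObject", "").strip())


def with_default_root_object(dist_config: dict, obj: str = "index.html") -> dict:
    """Copy of the config with DefaultRootObject set; a leading '/' is removed
    because CloudFront rejects it (the console steps say the same)."""
    obj = obj.lstrip("/")
    if not obj:
        raise ValueError("default root object must not be empty")
    fixed = dict(dist_config)
    fixed["DefaultRootObject"] = obj
    return fixed


def remediation_command(dist_id: str, etag: str, config_path: str = "fixed-config.json") -> str:
    """The update call; config_path must hold only the DistributionConfig body."""
    return (f"aws cloudfront update-distribution --id {dist_id} "
            f"--distribution-config file://{config_path} --if-match {etag}")


if __name__ == "__main__":
    config, etag = split_get_output(SAMPLE_GET_OUTPUT)
    print("compliant:", has_default_root_object(config))  # False for the sample
    with open("fixed-config.json", "w") as fh:
        json.dump(with_default_root_object(config, "/index.html"), fh, indent=2)
    print(remediation_command("<DISTRIBUTION_ID>", etag))
```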
Resource Type
AwsCloudFrontDistribution
References
- https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/CloudFront/cloudfront-default-object.html
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html