Do CloudFront distributions for Appsync APIs need a default root object?

Question

I have an Appsync API that is set up as the origin of a CloudFront distribution (so that we can have a custom domain name, among other things).

This origin is set as the default (*) behaviour for the distribution.

Security Hub complains that it fails [Cloudfront.1] https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1
"CloudFront distributions should have a default root object configured"

But if I add a default root object, it breaks the API. GraphQL POST requests to the domain get rejected with an `UnknownOperationException` error.

My question is, is this security rule relevant for a CF distribution that only has an Appsync origin? Can I just suppress it?

Answer

If certain security hub findings are not relevant in your use cases, you can definitely suppress those type of findings. Follow this [blog post](https://aws.amazon.com/blogs/security/how-to-create-auto-suppression-rules-in-aws-security-hub/), which explains how to create auto suppression rules.

Purpose of this specific rule **CloudFront.1** is to avoid exposure of your web distribution content, if a user requests distribution's root URL instead of an object in the distribution.

Since you have already tried setting up default root object, so you must be already aware of this, but still I'm mentioning here, how to do that just in case nothing is missed:

General Tab > Settings section > Edit > scroll down to Default root object > enter index.html.

Hope you find this useful.

Abhishek

Do CloudFront distributions for Appsync APIs need a default root object?

Relevant content