Do CloudFront distributions for AppSync APIs need a default root object?

0

I have an AppSync API that is set up as the origin of a CloudFront distribution (so that we can have a custom domain name, among other things).

This origin is set as the default (*) behaviour for the distribution.

Security Hub complains that it fails [CloudFront.1] (https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-1) "CloudFront distributions should have a default root object configured".

But if I add a default root object, it breaks the API. GraphQL POST requests to the domain get rejected with an UnknownOperationException error.

My question is, is this security rule relevant for a CF distribution that only has an AppSync origin? Can I just suppress it?

1 Answer
0

If certain Security Hub findings are not relevant to your use cases, you can definitely suppress those types of findings. Follow this blog post, which explains how to create auto suppression rules.

The purpose of this specific rule, CloudFront.1, is to avoid exposure of your web distribution content if a user requests the distribution's root URL instead of an object in the distribution.

Since you have already tried setting up a default root object, you must already be aware of this, but I'm still mentioning here how to do that, just in case something was missed:

       General Tab > Settings section > Edit > scroll down to Default root object > enter index.html.

Hope you find this useful.

Abhishek

AWS
Expert
answered 9 months ago
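
One way to scope the suppression to the AppSync distribution alone, so that CloudFront.1 keeps firing for every other distribution. This is an added example, not code from the answer above or from the blog post it mentions; it uses a Security Hub automation rule through boto3, and the ARN, rule name and note text are constructed placeholders. It assumes the finding's resource ID is the distribution ARN, which is worth confirming against an existing finding.

```python
# Constructed placeholder ARN; use the ARN of the distribution fronting AppSync.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID"


def eq(value):
    return [{"Value": value, "Comparison": "EQUALS"}]


def build_suppression_rule(distribution_arn, reason, updated_by):
    """Build keyword arguments for securityhub.create_automation_rule()."""
    return {
        "RuleName": "suppress-cloudfront1-appsync",  # hypothetical name
        "RuleOrder": 100,
        "RuleStatus": "ENABLED",
        "Description": "CloudFront.1 not applicable: AppSync-only origin",
        "Criteria": {
            "ComplianceSecurityControlId": eq("CloudFront.1"),
            # Assumption: the finding's resource ID is the distribution ARN.
            "ResourceId": eq(distribution_arn),
            "RecordState": eq("ACTIVE"),
        },
        "Actions": [{
            "Type": "FINDING_FIELDS_UPDATE",
            "FindingFieldsUpdate": {
                "Workflow": {"Status": "SUPPRESSED"},
                "Note": {"Text": reason, "UpdatedBy": updated_by},
            },
        }],
    }


def sample_finding(control, arn):
    """Constructed ASFF-shaped finding, trimmed to the fields matched below."""
    return {"Compliance": {"SecurityControlId": control},
            "Resources": [{"Id": arn}], "RecordState": "ACTIVE"}


def rule_matches(criteria, finding):
    """Local dry run: approximate EQUALS matching on an ASFF-shaped finding."""
    actual = {
        "ComplianceSecurityControlId": [finding["Compliance"]["SecurityControlId"]],
        "ResourceId": [r["Id"] for r in finding["Resources"]],
        "RecordState": [finding["RecordState"]],
    }
    return all(any(f["Value"] in actual[k] for f in flt)
               for k, flt in criteria.items())


def apply_rule(params):
    """Create the rule; needs AWS credentials with Security Hub permissions."""
    import boto3  # imported lazily so the dry run above works offline
    return boto3.client("securityhub").create_automation_rule(**params)["RuleArn"]
```

Run `rule_matches` against a few exported findings before calling `apply_rule`, and record the reason for the exception in the note so the suppression can be audited later.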
