Hello.
- Am I correct in stating that, in the examples above, since the Default (*) behaviour does not point to an S3 Origin, the Security Hub finding can be 'suppressed', since not having a default root object in those two cases does not pose a security risk?
Configure CloudFront's default root object using the steps in the following document.
I don't think this has anything to do with whether the behavior points to the S3 origin.
I believe that if you configure the settings in the document below, Security Hub detection will be successful.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DefaultRootObject.html
- If I am wrong and always having a root object is best practice, how would you remediate the distributions above given as examples? Because if I define a default root object for the second distribution above, all my API requests sent to my root URL will go to https://mydomain.com/myrootobject.html instead of going to https://mydomain.com/
In the case of ELB, I think you should set the content of the document root such as EC2 in the target group.
In the case of API Gateway, I think it's a good idea to set the route you want to respond to when accessed with "/".
- Is the statement "Under any of the following conditions" from the AWS documentation not accurate then, or am I missing something? Why can't I access the contents of the S3 bucket when using the root URL?
In my environment, I can access index.html set as the default root object by specifying the URL.
Also, is CloudFront's default root object set correctly?
https://yyyyyyy.cloudfront.net/index.html
- Is it still highly recommended to define a default root object on the CloudFront distribution given the configuration of our S3 bucket? Because if we define a root object for this distribution, we would have to define and maintain all the path patterns that we require, which we probably wouldn't want to do if there is no security risk in our case.
I think setting a default root object helps prevent unexpected content from being displayed.
For example, if the origin is S3, I think that a mistake in the bucket policy settings could cause all objects to be displayed.
I think the settings are effective to prevent such situations.
Basically, I don't think there is any problem even if you don't control it with CloudFront as long as it can be controlled on the origin side.
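As an added example (not part of the thread above and not AWS code), a small Python triage helper for this finding: it takes a distribution config in the shape returned by CloudFront's `get_distribution_config`, reports whether the default cache behavior targets an S3 bucket origin, and produces the remediated config (DefaultRootObject set) that the linked document describes. The distribution IDs and origin hostnames are constructed samples.

```python
import copy
from typing import Any, Dict

def origin_is_s3(origin: Dict[str, Any]) -> bool:
    """True for a bucket (REST endpoint) origin. CloudFront flags these with an
    S3OriginConfig block; the hostname check catches bucket.s3.<region>.amazonaws.com
    when the block is absent. S3 website endpoints (s3-website-...) are custom origins."""
    if "S3OriginConfig" in origin:
        return True
    host = origin.get("DomainName", "")
    return host.endswith(".amazonaws.com") and ".s3." in host

def triage(dist_id: str, config: Dict[str, Any]) -> Dict[str, Any]:
    """Classify one DistributionConfig for the default-root-object finding."""
    root = config.get("DefaultRootObject", "")
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    target = origins[config["DefaultCacheBehavior"]["TargetOriginId"]]
    s3 = origin_is_s3(target)
    if root:
        note = "default root object set; a request for '/' is rewritten to '/%s'" % root
    elif s3:
        note = ("'/' reaches the bucket root; a permissive bucket policy could expose "
                "a listing, so set a root object or verify the bucket policy")
    else:
        note = ("'/' is forwarded unchanged to a custom origin; a root object would "
                "rewrite '/' before forwarding, so confirm the origin serves that path")
    return {"distribution": dist_id, "default_root_object": root,
            "default_origin": target["DomainName"], "default_origin_is_s3": s3,
            "finding_passes": bool(root), "note": note}

def with_default_root_object(config: Dict[str, Any], root_object: str = "index.html"):
    """Return a copy of the config with DefaultRootObject set (the documented
    remediation); the caller passes it to update_distribution with the current ETag."""
    fixed = copy.deepcopy(config)
    fixed["DefaultRootObject"] = root_object
    return fixed

def _cfg(origin: Dict[str, Any], root: str = "") -> Dict[str, Any]:
    return {"DefaultRootObject": root,
            "Origins": {"Quantity": 1, "Items": [origin]},
            "DefaultCacheBehavior": {"TargetOriginId": origin["Id"]}}

SAMPLE = {  # constructed sample distributions, not real ones
    "E1S3NOROOT": _cfg({"Id": "s3", "DomainName": "site.s3.eu-west-1.amazonaws.com",
                        "S3OriginConfig": {"OriginAccessIdentity": ""}}),
    "E2ALBNOROOT": _cfg({"Id": "alb", "DomainName": "api-alb.elb.amazonaws.com",
                         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}),
}

if __name__ == "__main__":
    for dist_id, cfg in SAMPLE.items():
        print(triage(dist_id, cfg))
```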