AWS Security ChangesHomeSearch

AWS securityhub documentation change

Service: securityhub · 2025-10-25 · Documentation low

File: securityhub/latest/userguide/cloudfront-controls.md

Summary

Narrowed scope of CloudFront.1 control to only check distributions with S3 origins (excludes custom origins)

Security assessment

This clarifies the control's applicability but doesn't address a specific vulnerability. The change reduces false positives by excluding custom origins from a security configuration check.

Diff

diff --git a/securityhub/latest/userguide/cloudfront-controls.md b/securityhub/latest/userguide/cloudfront-controls.md
index f156f5fbe..383740db4 100644
--- a//securityhub/latest/userguide/cloudfront-controls.md
+++ b//securityhub/latest/userguide/cloudfront-controls.md
@@ -27 +27 @@ These AWS Security Hub controls evaluate the Amazon CloudFront service and resou
-This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured.
+This control checks whether an Amazon CloudFront distribution with S3 origins is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution uses S3 origins and doesn't have a default root object configured. This control doesn't apply to CloudFront distributions that use custom origins.