I just wanted to say thanks for posting this.
I need to reply to this thread / leave this not here so people don't fall into the same traps that I did.
Let me first define what i call the "index.html" behavior. Any time the web-server automatically adds "index.html" to the request. E.G. url to hXXp://some-s3-hosted-website/thing is actually being re-written on the fly to hXXp://some-s3-hosted-website/thing/index.html
Now, let's talk about cloudfront.
When you use coudfront with S3, you have two options:
1) the "use S3 just like every other webserver" option. When you use this option, you can still access the files inside of your S3 bucket. If you were using cloudfront to force users to HTTPS, they can just go to the http version of the URL that points directly to your bucket / bypassing cloudfront altogether.
In this setup, the index.html behavior is present
2) the "lock people out of the S3 bucket, they must go through cloudfront!" option. When you set up cloudfront to use an S3 Origin instead of "regular web" origin, you can set up IAM policies that say which cloudfront users are allowed to access which files. Additionally, you can also prevent anybody from accessing the bucket content; forcing them to go through cloudfront.
However, in this setup, there is no index.html behavior.
(sorry, the form wont let me post more than 2 links...)