CloudFront default objects are configured separately from S3 index documents

I recently helped someone set up a static site hosted on Amazon S3 with Amazon CloudFront as an SSL terminator. S3 buckets have an option for the index document (the page served when someone visits the root of the website). We set that, but found that going to the site's root produced an Access Denied error page, but going directly to a specific page worked. The CloudFront distribution apparently has a setting for default object which we had not set; CloudFront doesn't consult the S3 index document setting.