AWS Config Rule: CloudFront SNI Enabled
CLOUDFRONT_SNI_ENABLED
Ryan Ware
Last Update 5 months ago
Description: Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address.
AWS Region: Only available in US East (N. Virginia) Region
Trigger type: Configuration changes
How to Resolve Manually
Most CloudFront distributions will already be using SNI, because there is a surcharge for the "Legacy" method, under which CloudFront allocates dedicated IP addresses at each CloudFront edge location to serve your content over HTTPS.
How CloudFront uses SNI to serve HTTPS requests, and the process behind it, is explained in the AWS Documentation.
If you do have a CloudFront distribution that is non-compliant with this rule, there are two things you must do:
- Ensure that your CloudFront Distribution is using a Custom SSL Certificate
- Ensure that you do not have the Legacy Clients Support enabled.
Both of these settings can be found within your general settings section when viewing your CloudFront distribution within the CloudFront Security Dashboard.
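The following Python is an added example (not StackZone's or AWS's own code) that applies the rule's logic locally to the ViewerCertificate block of a CloudFront DistributionConfig and builds the corrected config for the remediation described above. The distribution IDs, certificate ARN and config dicts are constructed samples; the field names (CloudFrontDefaultCertificate, ACMCertificateArn, IAMCertificateId, SSLSupportMethod) and the values vip / sni-only are the real CloudFront API names.

```python
"""Offline check of the CLOUDFRONT_SNI_ENABLED logic over CloudFront DistributionConfig dicts."""
import copy
from typing import Any, Dict

# Constructed sample distributions shaped like the DistributionConfig returned by
# cloudfront:GetDistributionConfig. The certificate ARN is a placeholder; note that
# ACM certificates used by CloudFront must live in us-east-1, which is why the rule
# is only offered in the US East (N. Virginia) Region.
SAMPLE_DISTRIBUTIONS: Dict[str, Dict[str, Any]] = {
    "EXAMPLEVIP": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
        "SSLSupportMethod": "vip",            # "Legacy Clients Support" = dedicated IPs
        "MinimumProtocolVersion": "TLSv1.2_2021"}},
    "EXAMPLESNI": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021"}},
    "EXAMPLEDEFAULT": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True}},   # *.cloudfront.net cert, no custom cert
}


def uses_custom_certificate(viewer_cert: Dict[str, Any]) -> bool:
    """A custom certificate is attached via ACM or IAM; the default cert is not custom."""
    if viewer_cert.get("CloudFrontDefaultCertificate"):
        return False
    return bool(viewer_cert.get("ACMCertificateArn") or viewer_cert.get("IAMCertificateId"))


def evaluate(distribution_config: Dict[str, Any]) -> str:
    """Return the Config-style result for one distribution.

    The rule text only defines the NON_COMPLIANT case (custom cert + dedicated IP);
    treating a distribution without a custom cert as COMPLIANT is an assumption here.
    """
    vc = distribution_config.get("ViewerCertificate", {})
    if uses_custom_certificate(vc) and vc.get("SSLSupportMethod") == "vip":
        return "NON_COMPLIANT"
    return "COMPLIANT"


def remediated_config(distribution_config: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the config with Legacy Clients Support turned off (vip -> sni-only)."""
    fixed = copy.deepcopy(distribution_config)
    vc = fixed.setdefault("ViewerCertificate", {})
    if uses_custom_certificate(vc) and vc.get("SSLSupportMethod") == "vip":
        vc["SSLSupportMethod"] = "sni-only"
    return fixed


def non_compliant_ids(distributions: Dict[str, Dict[str, Any]]) -> list:
    return sorted(d for d, cfg in distributions.items() if evaluate(cfg) == "NON_COMPLIANT")
```

To apply the corrected config to a live distribution you would pass it, together with the ETag from GetDistributionConfig, to cloudfront:UpdateDistribution; the block above only computes it.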