AWS Config Rule: CloudFront SNI Enabled

CLOUDFRONT_SNI_ENABLED

Ryan Ware

Last Update 5 months ago

Description: Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address.


AWS Region: Only available in US East (N. Virginia) Region


Trigger type: Configuration changes


How to Resolve Manually

Most CloudFront distributions will already be using SNI, as there is a surcharge for the "Legacy" method, in which CloudFront allocates dedicated IP addresses at each CloudFront edge location to serve your content over HTTPS.


How CloudFront uses SNI to serve HTTPS requests, and the process behind it, is explained here in the AWS Documentation.


If you do have a CloudFront Distribution that is non-compliant with this rule, there are two things you must do:


  1. Ensure that your CloudFront Distribution is using a Custom SSL Certificate.
  2. Ensure that you do not have Legacy Clients Support enabled.


Both of these settings can be found within your general settings section when viewing your CloudFront distribution within the CloudFront Security Dashboard.
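The rule's check and the fix described above, as an added Python example (not StackZone's or AWS's own implementation). It operates on the ViewerCertificate block of a DistributionConfig as returned by `aws cloudfront get-distribution-config`, using the real API field names; the sample distribution and certificate ARN below are constructed placeholders.

```python
"""Evaluate and remediate a CloudFront distribution against CLOUDFRONT_SNI_ENABLED.

Added example for this article, not the AWS Config rule's own code. Field names
match the CloudFront DistributionConfig API; the sample data is constructed.
"""
import copy

LEGACY_DEDICATED_IP = "vip"   # "Legacy Clients Support": dedicated IPs at each edge location
SNI_ONLY = "sni-only"         # the SNI method the rule expects


def uses_custom_certificate(viewer_cert: dict) -> bool:
    """True when an ACM or IAM certificate is attached instead of the default *.cloudfront.net one."""
    if viewer_cert.get("CloudFrontDefaultCertificate"):
        return False
    return bool(viewer_cert.get("ACMCertificateArn") or viewer_cert.get("IAMCertificateId"))


def evaluate(distribution_config: dict) -> str:
    """Return an AWS Config style compliance string for one distribution.

    NON_COMPLIANT when a custom certificate is attached and the SSL support method
    is the dedicated-IP ("vip") method. Default-certificate distributions are reported
    as NOT_APPLICABLE (assumption: the rule text only defines the NON_COMPLIANT case).
    """
    viewer_cert = distribution_config.get("ViewerCertificate", {})
    if not uses_custom_certificate(viewer_cert):
        return "NOT_APPLICABLE"
    if viewer_cert.get("SSLSupportMethod") == LEGACY_DEDICATED_IP:
        return "NON_COMPLIANT"
    return "COMPLIANT"


def remediate(distribution_config: dict) -> dict:
    """Return a copy switched to SNI (step 2 above); submit it with the ETag via update_distribution."""
    fixed = copy.deepcopy(distribution_config)
    viewer_cert = fixed.setdefault("ViewerCertificate", {})
    if uses_custom_certificate(viewer_cert) and viewer_cert.get("SSLSupportMethod") == LEGACY_DEDICATED_IP:
        viewer_cert["SSLSupportMethod"] = SNI_ONLY
    return fixed


# Constructed sample: an ACM certificate is attached but the legacy dedicated-IP method is still set.
LEGACY_DISTRIBUTION = {
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": False,
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-ID",
        "SSLSupportMethod": "vip",
        "MinimumProtocolVersion": "TLSv1",
    }
}

if __name__ == "__main__":
    print(evaluate(LEGACY_DISTRIBUTION))             # NON_COMPLIANT
    print(evaluate(remediate(LEGACY_DISTRIBUTION)))  # COMPLIANT
```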


Want to know more about StackZone and how to make your cloud management simple and secure?

Check our how it works section with easy to follow videos or just create your own StackZone Account here
