This rule checks that CloudFront distributions use SNI to serve HTTPS requests.
| Field | Value |
|---|---|
| Rule | CloudFront distributions should use SNI to serve HTTPS requests |
| Framework | AWS Foundational Security Best Practices |
| Severity | ✔ Low |
Rule Description:
Under the AWS Foundational Security Best Practices standard, CloudFront distributions should use Server Name Indication (SNI) to serve HTTPS requests. SNI lets multiple domains be served over HTTPS from a single IP address, which improves efficiency and reduces costs.
HTTPS provides a secure connection between the client and the web server, ensuring that data transmitted over the network is encrypted and cannot be easily intercepted or tampered with. By implementing SNI, CloudFront distributions can support multiple secure domains without the need for dedicated IP addresses for each domain.
Troubleshooting Steps:
If the CloudFront distribution is not using SNI to serve HTTPS requests, you may encounter the following issues:
To troubleshoot these issues, follow these steps:
Verify that your CloudFront distribution is using SNI for HTTPS requests. You can check this in the CloudFront console or using the AWS Command Line Interface (CLI).
Ensure that your SSL certificates are valid and correctly configured for the domains served by the CloudFront distribution. Check the certificate chain and ensure that it is trusted by popular web browsers.
Test the website using different web browsers and devices to ensure compatibility with older clients that may not support SNI.
If you encounter SSL certificate errors or warnings, review the SSL certificate configuration and make any necessary updates to resolve the issues.
If none of the above steps resolve the problem, reach out to AWS Support for further assistance.
Necessary Codes:
No specific codes are needed for enabling SNI on CloudFront distributions. It is a configuration setting that can be enabled through the AWS Management Console or using the AWS CLI.
Step-by-step Guide for Configuration:
Follow these steps to enable SNI on a CloudFront distribution:
Open the AWS Management Console and navigate to the CloudFront service.
Select the CloudFront distribution for which you want to enable SNI.
Click on the "Behaviors" tab.
Edit the behavior for which you want to enable SNI.
Under the "Viewer Protocol Policy" section, select "Redirect HTTP to HTTPS" or "HTTPS Only".
Save the changes and wait for the CloudFront distribution to update.
Once the CloudFront distribution is updated with SNI enabled, it will serve HTTPS requests for the specified behavior using SNI. It is recommended to test the website thoroughly after making this configuration change to ensure everything is functioning as expected.
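As an added example (not code from the original page or from AWS), the following Python script performs the AWS CLI based verification mentioned in the troubleshooting steps in an offline, repeatable way. It reads the JSON that `aws cloudfront list-distributions` returns and reports, for each distribution, whether the custom certificate is served with SNI; the CloudFront API field that controls this is `ViewerCertificate.SSLSupportMethod`, whose value is `sni-only` for SNI and `vip` or `static-ip` for a dedicated IP address. A distribution that only uses the default `*.cloudfront.net` certificate has nothing to serve from a dedicated IP and is reported as passing. The script also shows how a `DistributionConfig` obtained with `aws cloudfront get-distribution-config` would be rewritten to `sni-only` before being submitted with `aws cloudfront update-distribution`. The distribution IDs, domain names and certificate ARN in the sample listing are constructed placeholders.

```python
"""Check CloudFront distributions for SNI-based HTTPS and prepare a fix.

Usage:
    python check_cloudfront_sni.py                 # runs on the constructed sample
    aws cloudfront list-distributions > dists.json
    python check_cloudfront_sni.py dists.json      # runs on a real listing
"""
import copy
import json
import sys

# Constructed sample in the shape of `aws cloudfront list-distributions`
# output. IDs, domain names and the certificate ARN are placeholders.
SAMPLE_LIST = {
    "DistributionList": {
        "Items": [
            {
                "Id": "EXAMPLE1SNI",
                "DomainName": "d111111abcdef8.cloudfront.net",
                "ViewerCertificate": {
                    "CloudFrontDefaultCertificate": False,
                    "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
                    "SSLSupportMethod": "sni-only",
                    "MinimumProtocolVersion": "TLSv1.2_2021",
                },
            },
            {
                "Id": "EXAMPLE2VIP",
                "DomainName": "d222222abcdef8.cloudfront.net",
                "ViewerCertificate": {
                    "CloudFrontDefaultCertificate": False,
                    "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
                    "SSLSupportMethod": "vip",
                    "MinimumProtocolVersion": "TLSv1.2_2021",
                },
            },
            {
                "Id": "EXAMPLE3DEFAULT",
                "DomainName": "d333333abcdef8.cloudfront.net",
                "ViewerCertificate": {
                    "CloudFrontDefaultCertificate": True,
                    "MinimumProtocolVersion": "TLSv1",
                },
            },
        ]
    }
}

# Values of SSLSupportMethod that mean a dedicated IP address is allocated.
DEDICATED_IP_METHODS = {"vip", "static-ip"}


def evaluate(distribution):
    """Return (status, reason) for one distribution summary or config."""
    cert = distribution.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        # Only the default *.cloudfront.net certificate: no custom cert to
        # serve from a dedicated IP, so the control does not apply.
        return "PASS", "default CloudFront certificate only"
    method = cert.get("SSLSupportMethod")
    if method == "sni-only":
        return "PASS", "custom certificate served with SNI"
    if method in DEDICATED_IP_METHODS:
        return "FAIL", f"custom certificate served from a dedicated IP ({method})"
    return "FAIL", f"unexpected SSLSupportMethod value {method!r}"


def evaluate_all(listing):
    """Map each distribution Id in a list-distributions result to its verdict."""
    items = listing.get("DistributionList", {}).get("Items", [])
    return {d["Id"]: evaluate(d) for d in items}


def remediate_config(config):
    """Return a copy of a DistributionConfig switched to SNI.

    The result is what you would write to a file and pass to
    `aws cloudfront update-distribution --distribution-config file://...`
    together with the ETag from get-distribution-config. Distributions on
    the default certificate are left untouched.
    """
    fixed = copy.deepcopy(config)
    cert = fixed.setdefault("ViewerCertificate", {})
    if not cert.get("CloudFrontDefaultCertificate"):
        cert["SSLSupportMethod"] = "sni-only"
    return fixed


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            listing = json.load(fh)
    else:
        listing = SAMPLE_LIST
    for dist_id, (status, reason) in evaluate_all(listing).items():
        print(f"{status:4} {dist_id}: {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against a real listing, the `FAIL` lines are the distributions to fix; for each one, fetch its config with `aws cloudfront get-distribution-config --id <Id>`, pass the `DistributionConfig` object through `remediate_config`, and submit it with `update-distribution` using the returned `ETag` as `--if-match`. Switching a distribution away from a dedicated IP is the same change the console makes when "Custom SSL client support" is set to SNI, so clients that cannot send SNI (very old browsers and libraries) will no longer be able to complete the TLS handshake with the custom certificate, which is why the troubleshooting steps recommend testing with the client population you actually need to support.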
Note:
Enabling SNI for CloudFront distributions improves efficiency and reduces costs by allowing multiple domains to be served over HTTPS on a single IP address. However, it is essential to ensure that your SSL certificates are properly configured and trusted by popular web browsers to avoid compatibility issues. Regularly monitor and update your SSL certificates to maintain the required security level.