Use SNI to Serve HTTPS Requests

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable risk)

Ensure that your Amazon CloudFront distributions are configured to use Server Name Indication (SNI) for serving HTTPS requests in order to follow security best practices and help optimize AWS costs.

This rule can help you work with the AWS Well-Architected Framework.

Security
Reliability

When a distribution uses a custom SSL/TLS certificate, Amazon CloudFront offers two ways to serve HTTPS requests from viewers: Server Name Indication (SNI) and dedicated IP addresses (legacy client support, for which an additional monthly charge applies). With SNI, which is the recommended option, CloudFront does not allocate a dedicated IP address for the distribution at each edge location. Instead, the edge serves many distributions from shared IP addresses and relies on the viewer to name the domain it wants in the TLS ClientHello (the server_name extension), which lets CloudFront present the certificate matching that domain during the handshake. Dedicated IP addresses are only needed for legacy viewers that cannot send SNI; practically all current browsers and operating systems support it. Note that this setting concerns the connection between viewers and CloudFront, not the connection between CloudFront and your origin. To follow AWS best practices and avoid unnecessary charges, configure your Amazon CloudFront distributions to use SNI for serving HTTPS requests.


Audit

To determine if your Amazon CloudFront distributions are configured to use Server Name Indication (SNI), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the ID (link) of the Amazon CloudFront distribution that you want to examine.

05 Select the General tab to access the general settings available for the selected distribution, and choose Edit from the Settings section.

06 On the Edit settings page, look at the Enabled checkbox under Legacy clients support - $600/month prorated charge applies. Most customers do not need this. to determine whether the distribution is using Server Name Indication (SNI) or dedicated IP addresses to serve content over HTTPS. If the Enabled checkbox is selected, your Amazon CloudFront distribution allocates dedicated IP addresses for serving HTTPS requests instead of using Server Name Indication (SNI). This option is only shown when a custom SSL certificate is selected for the distribution.

07 Repeat steps no. 4 – 6 for each CloudFront distribution available in your AWS cloud account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS cloud account:

aws cloudfront list-distributions \
  --output table \
  --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution ID(s):

--------------------
|ListDistributions |
+------------------+
|  AAAABBBBCCCCDD  |
|  ABCDABCDABCDAB  |
|  AABBCCDDAABBCC  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom query filters to determine the SSL/TLS support method configured for the selected distribution:

aws cloudfront get-distribution \
  --region us-east-1 \
  --id AAAABBBBCCCCDD \
  --query 'Distribution.DistributionConfig.ViewerCertificate.SSLSupportMethod'

04 The command output should return the requested configuration information:

"vip"

If the get-distribution command output returns a value different than "sni-only", as shown in the example above, the selected Amazon CloudFront distribution allocates dedicated IP addresses for serving HTTPS requests instead of using Server Name Indication (SNI). The setting only applies to distributions that use a custom SSL/TLS certificate; if the distribution uses the default CloudFront certificate (ViewerCertificate.CloudFrontDefaultCertificate is true), no dedicated IP addresses are allocated and this rule does not apply.

05 Repeat steps no. 3 and 4 for each CloudFront distribution deployed within your AWS cloud account.

Remediation / Resolution

To enable Server Name Indication (SNI) for your existing Amazon CloudFront distributions, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the ID (link) of the Amazon CloudFront distribution that you want to configure.

05 Select the General tab to access the general settings available for the selected distribution.

06 Choose Edit from the Settings section to modify the distribution configuration.

07 Ensure that a custom SSL/TLS certificate is selected from the Custom SSL certificate – optional dropdown list.

08 Deselect the Enabled checkbox, available under Legacy clients support - $600/month prorated charge applies. Most customers do not need this. to disable allocating dedicated IP addresses and enable Server Name Indication (SNI).

09 Choose Save changes to apply the configuration changes.

10 Repeat steps no. 4 – 9 for each Amazon CloudFront distribution available in your AWS cloud account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to configure:

aws cloudfront get-distribution-config \
  --id ABCDABCDABCDAB \
  --query 'DistributionConfig'

02 The command output should return the requested configuration information:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "trendmicro.com",
				"DomainName": "trendmicro.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "trendmicro.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "trendmicro.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": false,
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "vip",
		"MinimumProtocolVersion": "TLSv1.2_2021",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

03 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. ETag):

aws cloudfront get-distribution-config \
  --id ABCDABCDABCDAB \
  --query 'ETag'

04 The command output should return the requested information:

"AAAABBBBCCCCD"

05 Modify the configuration document returned at step no. 2 to enable Server Name Indication (SNI) by setting the "SSLSupportMethod" attribute to "sni-only" within the "ViewerCertificate" section, leaving every other attribute unchanged, because update-distribution replaces the entire distribution configuration rather than merging changes into it. Save the document with the modified distribution configuration to a JSON file named enable-sni-config.json:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "trendmicro.com",
				"DomainName": "trendmicro.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "trendmicro.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "trendmicro.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": false,
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "sni-only",
		"MinimumProtocolVersion": "TLSv1.2_2021",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. enable-sni-config.json) as the new distribution configuration document, to enable Server Name Indication (SNI) for the selected Amazon CloudFront distribution. The --if-match parameter must carry the ETag returned at step no. 4; if the distribution was modified by someone else in the meantime, the ETag no longer matches and the update is rejected with a PreconditionFailed error, in which case repeat steps no. 1 – 5 against the current configuration rather than retrying with the old ETag:

aws cloudfront update-distribution \
  --id ABCDABCDABCDAB \
  --if-match AAAABBBBCCCCD \
  --distribution-config file://enable-sni-config.json \
  --query 'Distribution.Status'

07 The command output should return the status of the modified CloudFront distribution:

"InProgress"

08 Repeat steps no. 1 – 7 for each Amazon CloudFront distribution deployed within your AWS cloud account.
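As an added example (not code from Conformity or AWS) that covers both the Audit section and this remediation procedure in one script: it walks every distribution with the boto3 paginator, classifies the ViewerCertificate the same way the CLI steps do (treating distributions on the default CloudFront certificate as not applicable rather than as findings), and, when asked to, performs the same get-distribution-config / update-distribution pair with the ETag carried in If-Match. The two sample configurations at the top are constructed to mirror the JSON above; boto3 is imported only in the live-account path, so the classification and patching functions run offline.

```python
"""Added example: audit CloudFront distributions for SSLSupportMethod and
remediate to sni-only with an ETag-conditioned update.  Not Conformity/AWS code."""
import copy
from typing import Dict, List, Tuple

# Constructed samples shaped like get-distribution-config / list-distributions output.
SAMPLE_VIP: Dict = {
    "Id": "AAAABBBBCCCCDD",
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": False,
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
        "SSLSupportMethod": "vip",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
}
SAMPLE_DEFAULT_CERT: Dict = {
    "Id": "ABCDABCDABCDAB",
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
}


def evaluate_viewer_certificate(dist: Dict) -> Tuple[str, str]:
    """Classify one DistributionConfig or DistributionSummary (both carry ViewerCertificate)."""
    vc = dist.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate"):
        # Legacy clients support (dedicated IPs) is only offered with a custom
        # certificate, so there is nothing to fix on the default certificate.
        return "NOT_APPLICABLE", "default *.cloudfront.net certificate"
    method = vc.get("SSLSupportMethod")
    if method == "sni-only":
        return "COMPLIANT", "custom certificate served via SNI"
    if method == "vip":
        return "NON_COMPLIANT", "dedicated IP addresses allocated (legacy clients support)"
    return "NON_COMPLIANT", f"SSLSupportMethod is {method!r}; review manually"


def classify_items(items: List[Dict]) -> List[Tuple[str, str, str]]:
    """(Id, status, reason) for each item of a DistributionList."""
    return [(d["Id"],) + evaluate_viewer_certificate(d) for d in items]


def patch_to_sni(config: Dict) -> Dict:
    """Deep-copy the config and switch only SSLSupportMethod.  update-distribution
    replaces the whole configuration, so every other field must be carried over."""
    vc = config.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate") or vc.get("SSLSupportMethod") != "vip":
        raise ValueError("only a custom-certificate distribution on 'vip' is changed here")
    new = copy.deepcopy(config)
    new["ViewerCertificate"]["SSLSupportMethod"] = "sni-only"
    return new


def audit_account(client) -> List[Tuple[str, str, str]]:
    """Walk all distributions; the summaries already include ViewerCertificate,
    so no per-distribution get_distribution call is needed."""
    findings: List[Tuple[str, str, str]] = []
    for page in client.get_paginator("list_distributions").paginate():
        findings.extend(classify_items(page["DistributionList"].get("Items", [])))
    return findings


def remediate(client, dist_id: str) -> str:
    """Read config and ETag in one call, then update with IfMatch so that a
    concurrent change makes this call fail (PreconditionFailed) instead of
    silently overwriting it.  Returns the distribution status (InProgress)."""
    resp = client.get_distribution_config(Id=dist_id)
    new_config = patch_to_sni(resp["DistributionConfig"])
    out = client.update_distribution(
        Id=dist_id, IfMatch=resp["ETag"], DistributionConfig=new_config
    )
    return out["Distribution"]["Status"]


if __name__ == "__main__":
    import sys
    if "--live" not in sys.argv:                       # offline demo on the constructed samples
        for row in classify_items([SAMPLE_VIP, SAMPLE_DEFAULT_CERT]):
            print("\t".join(row))
        sys.exit(0)
    import boto3                                       # only needed against a real account
    cf = boto3.client("cloudfront")
    for dist_id, status, reason in audit_account(cf):
        print(f"{dist_id}\t{status}\t{reason}")
        if "--remediate" in sys.argv and status == "NON_COMPLIANT":
            try:
                print(f"  -> update-distribution: {remediate(cf, dist_id)}")
            except ValueError as exc:
                print(f"  -> skipped: {exc}")
```

Run it without arguments to see the classification on the constructed samples, with --live to audit the account the default credentials resolve to, and with --live --remediate to switch every "vip" distribution to "sni-only". Distributions whose SSLSupportMethod is neither value are reported but deliberately not changed, since the script cannot know why that configuration was chosen.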

Publication date Aug 31, 2023