Description:

CloudFront SNI checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.

Rationale:

The SSL/TLS negotiation occurs early in the process of establishing an HTTPS connection. If CloudFront can't immediately determine which domain the request is for, it drops the connection.

Impact:

If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location.


Default:

The default value is 2. This number is the total number of dedicated IP SSL certificates you can use across all of your CloudFront distributions. Keep in mind that you cannot bind more than one SSL certificate to a distribution: only a single SSL/TLS certificate can be associated with a CloudFront distribution at a time.


Pre-Requisites:

Check the type of the security policy used by other CloudFront distributions available in your AWS account.

Remediation:

Test plan:

  1. Sign in to AWS Management Console.

  2. Navigate to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

  3. Select Distributions in the left navigation pane.

  4. Select the web distribution that you want to examine.

  5. Click on the General tab, scroll down to Settings, and locate Security Policy.

  6. If Security Policy is currently set to TLSv1 or TLSv1_2016, the selected Amazon CloudFront distribution is not using an improved security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version; the current configuration is therefore vulnerable to exploits.


Using AWS CLI:

  aws cloudfront get-distribution \
    --id E3RX0DT0Y3MUMZ \
    --query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion'

  • If the output is "MinimumProtocolVersion": "TLSv1", follow the implementation steps.
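As an added example that is not part of this rule page or of the AWS CLI, the following Python evaluates the ViewerCertificate block of a distribution against the SNI rule described above and the minimum-protocol check from the test plan, and prepares the DistributionConfig object that update-distribution expects. It assumes the document shape returned by aws cloudfront get-distribution-config ({"ETag", "DistributionConfig"}); the sample values and the function names are the example's own.

```python
import copy
from typing import Tuple

# CloudFront MinimumProtocolVersion identifiers, weakest first (known API values).
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                  "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
WEAK_PROTOCOLS = set(PROTOCOL_ORDER[:PROTOCOL_ORDER.index("TLSv1.1_2016")])
TARGET_PROTOCOL = "TLSv1.2_2019"  # one of the values this page recommends

def uses_custom_certificate(vc: dict) -> bool:
    """True unless the distribution serves the default *.cloudfront.net certificate."""
    if vc.get("CloudFrontDefaultCertificate"):
        return False
    return bool(vc.get("ACMCertificateArn") or vc.get("IAMCertificateId"))

def evaluate_viewer_certificate(vc: dict) -> dict:
    """Verdict for the CloudFront SNI rule plus the test plan's protocol check."""
    custom = uses_custom_certificate(vc)
    # NON_COMPLIANT only when a custom certificate is served from a dedicated IP
    # (API value "vip") instead of via SNI ("sni-only"); default cert is exempt.
    sni = "NON_COMPLIANT" if custom and vc.get("SSLSupportMethod") != "sni-only" else "COMPLIANT"
    proto = vc.get("MinimumProtocolVersion", "")
    return {"sni_rule": sni, "minimum_protocol_version": proto,
            "weak_protocol": proto in WEAK_PROTOCOLS}

def harden(doc: dict) -> Tuple[str, dict]:
    """Split a get-distribution-config document into (ETag, hardened DistributionConfig).
    update-distribution accepts only the DistributionConfig object; the ETag goes to
    --if-match, so it must not stay inside the file. The input is left unmodified."""
    config = copy.deepcopy(doc["DistributionConfig"])
    vc = config["ViewerCertificate"]
    if uses_custom_certificate(vc):
        vc["SSLSupportMethod"] = "sni-only"
        current = vc.get("MinimumProtocolVersion", "SSLv3")
        if current not in PROTOCOL_ORDER or \
                PROTOCOL_ORDER.index(current) < PROTOCOL_ORDER.index(TARGET_PROTOCOL):
            vc["MinimumProtocolVersion"] = TARGET_PROTOCOL
    return doc["ETag"], config

# Constructed sample in the shape of `aws cloudfront get-distribution-config` output.
SAMPLE = {
    "ETag": "EXAMPLEETAG0000",
    "DistributionConfig": {
        "ViewerCertificate": {
            "SSLSupportMethod": "vip",
            "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-0000-0000-000000000000",
            "MinimumProtocolVersion": "TLSv1",
        },
    },
}
```

Write the second element of harden()'s result to distconfig-improved-security-policy.json and pass the first through --if-match when running update-distribution.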

Implementation Steps:

  1. Sign in to AWS Management Console.

  2. Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

  3. Select Distributions in the left navigation pane.

  4. Select the web distribution that you want to examine.

  5. Click on the General tab, scroll down to Settings, and click Edit.

  6. Scroll down and select the latest recommended SSL/TLS security policy.

  7. Click Save Changes.

Using AWS CLI: 

Modify the configuration information returned at the previous step to implement TLSv1.1 as the minimum protocol version for the selected distribution. Replace the current value of the "MinimumProtocolVersion" attribute with "TLSv1.1_2021" (recommended) or "TLSv1.2_2019" and save the new configuration in a JSON document named distconfig-improved-security-policy.json. The file must contain only the DistributionConfig object; the ETag returned alongside it is supplied separately through --if-match, not inside the file:

  {
    "Comment": "",
    "CacheBehaviors": {
      "Quantity": 0
    },
    "IsIPV6Enabled": true,
    "Logging": {
      "Bucket": "",
      "Prefix": "",
      "Enabled": false,
      "IncludeCookies": false
    },

    ...

    "ViewerCertificate": {
      "SSLSupportMethod": "sni-only",
      "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
      "MinimumProtocolVersion": "TLSv1.2_2019",
      "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
      "CertificateSource": "acm"
    },
    "HttpVersion": "http2",
    "Restrictions": {
      "GeoRestriction": {
        "RestrictionType": "none",
        "Quantity": 0
      }
    },
    "Aliases": {
      "Quantity": 0
    }
  }

Run the update-distribution command, passing the ETag (DX2YDEJ94HDYGD) through --if-match:

  aws cloudfront update-distribution \
    --id E3RX0DT0Y3MUMZ \
    --distribution-config file://distconfig-improved-security-policy.json \
    --if-match DX2YDEJ94HDYGD

Backout Plan:

  1. Follow the Implementation Steps up to step 6, then

  2. change the SSL/TLS security policy to the desired value and click Save Changes.

Note: the SSL/TLS security policy should preferably be kept at the latest recommended version.
