Profile Applicability: 

Level 2

Description

Server Name Indication (SNI) is an extension to the TLS protocol in which the client names the host it is connecting to during the handshake, so that multiple SSL/TLS certificates can be associated with a single IP address. This enables CloudFront to serve HTTPS requests for multiple domains from a single IP address, improving efficiency and reducing costs.

Rationale

  • Cost Efficiency: Reduces the need for dedicated IP addresses, lowering costs.

  • Improved Performance: Enhances performance by allowing multiple domains to share a single IP address.

  • Enhanced Security: Ensures secure communication between users and CloudFront distributions.

Impact

Pros:

  • Reduces costs by eliminating the need for dedicated IP addresses.

  • Improves performance by allowing multiple domains to share a single IP address.

  • Enhances security by ensuring encrypted communication.

Cons:

  • May not be supported by very old browsers and clients.

  • Requires additional configuration and verification.

Default Value

By default, CloudFront distributions use SNI to serve HTTPS requests. Verify the setting explicitly and configure it where necessary.

Pre-Requisite

IAM Permissions:

  • cloudfront:GetDistribution

  • cloudfront:UpdateDistribution

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to audit.

  5. Click on the General tab in the top menu.

  6. Check if SNI is enabled for serving HTTPS requests.

Using AWS CLI:

Check SNI Status:

aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.DistributionConfig.ViewerCertificate'

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to modify.

  5. Click on the General tab in the top menu.

  6. Click Edit to modify the distribution settings.

  7. Ensure that SNI is enabled for serving HTTPS requests.

  8. Click Save changes to save the changes.

Using AWS CLI:

Enable SNI for serving HTTPS requests:

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-sni.json

where <etag> is the ETag value returned by get-distribution for the current configuration (update-distribution rejects a request without it).
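As an added worked example (not part of this benchmark or of AWS's own tooling), the following Python evaluates the ViewerCertificate block returned by the get-distribution query in the Test Plan and produces the distconfig-sni.json that the update-distribution step consumes. The distribution config it operates on is a constructed sample, and the ACM certificate ARN in it is a placeholder.

```python
import copy
import json

# Constructed sample of what `aws cloudfront get-distribution` returns under
# Distribution.DistributionConfig (only the keys this check touches are shown).
SAMPLE_CONFIG = {
    "CallerReference": "constructed-example",
    "Comment": "constructed sample, not a real distribution",
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
        "SSLSupportMethod": "vip",  # dedicated IP address, i.e. SNI not in use
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CertificateSource": "acm",
    },
}

DEDICATED_IP_METHODS = ("vip", "static-ip")


def sni_status(config: dict) -> str:
    """Classify how a DistributionConfig serves HTTPS:
    "sni-only"  custom certificate served via SNI (the audited setting)
    "dedicated" custom certificate on a dedicated IP address (needs remediation)
    "default"   CloudFront default certificate; the SNI setting does not apply
    "unknown"   ViewerCertificate missing or carrying an unexpected value"""
    vc = config.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate"):
        return "default"
    method = vc.get("SSLSupportMethod")
    if method == "sni-only":
        return "sni-only"
    if method in DEDICATED_IP_METHODS:
        return "dedicated"
    return "unknown"


def remediated_config(config: dict) -> dict:
    """Return a copy with SNI enabled and every other setting preserved,
    ready to be written out as distconfig-sni.json for update-distribution."""
    new = copy.deepcopy(config)
    if sni_status(new) == "dedicated":
        new["ViewerCertificate"]["SSLSupportMethod"] = "sni-only"
    return new


def write_remediated_config(config: dict, path: str = "distconfig-sni.json") -> None:
    # Save the unmodified config as distconfig-original.json first so the Backout Plan can restore it.
    with open(path, "w") as fh:
        json.dump(remediated_config(config), fh, indent=2)
```

Distributions that use the default *.cloudfront.net certificate are reported as "default" and left unchanged, since the SNI setting only applies to custom certificates.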

Backout Plan

If enabling SNI causes issues:

Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. Click Edit Attributes.

  4. Revert to the previous configuration.

  5. Click Save changes to save the changes.

Using AWS CLI:

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-original.json

where <etag> is the ETag value returned by get-distribution for the configuration currently deployed.


References

CIS Controls

Version | Control ID | Control Description | IG1 | IG2 | IG3
--------|------------|---------------------|-----|-----|----
v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | |
v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | |
v7 | 9.1 | Limit Exposure to External Networks – Use techniques like connection draining to ensure reliable connections. | | |