Data protection

CloudFront distributions should use SNI to serve HTTPS requests

Description

Amazon CloudFront is a high-performance content delivery network (CDN) service that securely delivers data, videos, apps, and APIs to customers around the world with low latency and high transfer speeds. Server Name Indication (SNI) is an extension to the TLS protocol that is supported by browsers and clients released after 2010. If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location. When a viewer submits an HTTPS request for your content, DNS routes the request to the IP address of the correct edge location. The certificate to present for your domain name is selected during the SSL/TLS handshake, so the IP address isn't dedicated to your distribution. It was detected that CloudFront Distribution '{AwsCloudFront}' uses a custom SSL/TLS certificate but its SSL/TLS support method is a dedicated IP address. More information: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html#cnames-https-sni
  • Recommended Mitigation

    It is recommended to configure CloudFront distributions to use SNI to serve HTTPS requests.
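    The following is an added example (not part of the original finding) that evaluates a distribution's ViewerCertificate block for the condition described above (custom certificate served via the dedicated-IP method) and builds the corrected block. The field names follow the CloudFront API's DistributionConfig.ViewerCertificate; the distribution summaries and certificate ARN are constructed sample data.

```python
# Added example: detect CloudFront distributions that use a custom certificate
# with SSLSupportMethod "vip" (dedicated IP) and switch them to "sni-only".
# The dict shapes follow the CloudFront API (ViewerCertificate); sample data
# below is constructed for the demonstration.

DEDICATED_IP = "vip"
SNI_ONLY = "sni-only"


def uses_custom_certificate(viewer_cert: dict) -> bool:
    """A distribution uses a custom certificate when it references an ACM
    or IAM certificate instead of the default *.cloudfront.net certificate."""
    if viewer_cert.get("CloudFrontDefaultCertificate"):
        return False
    return bool(viewer_cert.get("ACMCertificateArn") or viewer_cert.get("IAMCertificateId"))


def needs_sni(viewer_cert: dict) -> bool:
    """True when the finding applies: custom certificate + dedicated-IP method."""
    return uses_custom_certificate(viewer_cert) and viewer_cert.get("SSLSupportMethod") == DEDICATED_IP


def remediate(viewer_cert: dict) -> dict:
    """Return a copy of the ViewerCertificate block switched to SNI. Only the
    support method changes; the certificate reference and the minimum TLS
    version are kept as they were."""
    fixed = dict(viewer_cert)
    if needs_sni(viewer_cert):
        fixed["SSLSupportMethod"] = SNI_ONLY
    return fixed


def audit(distributions: list) -> list:
    """Return the Ids of distributions that should be moved to SNI. Each item
    mirrors a DistributionSummary as returned by list_distributions."""
    return [d["Id"] for d in distributions if needs_sni(d.get("ViewerCertificate", {}))]


# Constructed sample: one dedicated-IP distribution (flagged), one already on
# SNI, and one using the default CloudFront certificate (not a custom cert).
SAMPLE_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
SAMPLE_DISTRIBUTIONS = [
    {"Id": "SAMPLE1", "ViewerCertificate": {"ACMCertificateArn": SAMPLE_ARN,
     "SSLSupportMethod": "vip", "MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "SAMPLE2", "ViewerCertificate": {"ACMCertificateArn": SAMPLE_ARN,
     "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "SAMPLE3", "ViewerCertificate": {"CloudFrontDefaultCertificate": True}},
]

if __name__ == "__main__":
    print("Distributions to switch to SNI:", audit(SAMPLE_DISTRIBUTIONS))
```

    To apply the corrected block to a live distribution, fetch it with boto3's `get_distribution_config` (which returns the ETag), replace `DistributionConfig["ViewerCertificate"]` with the output of `remediate`, and submit it with `update_distribution` using that ETag as `IfMatch`.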