Check if CloudFront distributions are using SNI to serve HTTPS requests.

cloudfront_distributions_https_sni_enabled

Severity: low
Service: cloudfront
by Prowler

Risk

If SNI is not used, CloudFront will allocate a dedicated IP address for each SSL certificate, leading to higher costs and inefficient IP address utilization. This could also complicate scaling and managing multiple distributions, especially if your domain requires multiple SSL certificates.

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_https_sni_enabled

ARN template
arn:partition:cloudfront:region:account-id:distribution/resource-id

Recommendation

Ensure that your CloudFront distributions are configured to use Server Name Indication (SNI) when serving HTTPS requests with custom SSL/TLS certificates. This is the recommended approach for reducing costs and optimizing IP address usage.
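
The following is an added example, not Prowler's own source code: a Python sketch that evaluates the `ViewerCertificate` block of CloudFront distribution configs and separates SNI from dedicated-IP serving. The sample distributions, their IDs and the certificate ARNs are constructed, and treating the default `*.cloudfront.net` certificate as passing is an assumption of this example.

```python
# Added example (not Prowler's implementation). All sample data is constructed.

def sni_status(distribution_config):
    """Return (status, reason) for one CloudFront DistributionConfig dict."""
    cert = distribution_config.get("ViewerCertificate") or {}
    method = cert.get("SSLSupportMethod")
    custom_cert = bool(cert.get("ACMCertificateArn") or cert.get("IAMCertificateId"))

    # SSLSupportMethod only applies to custom certificates; with the default
    # CloudFront certificate the field is absent (assumed PASS in this example).
    if cert.get("CloudFrontDefaultCertificate") and not custom_cert:
        return "PASS", "default CloudFront certificate in use"
    if method == "sni-only":
        return "PASS", "custom certificate served with SNI"
    if method in ("vip", "static-ip"):
        return "FAIL", "custom certificate served from dedicated IPs (%s)" % method
    return "MANUAL", "no recognisable SSLSupportMethod in ViewerCertificate"


def audit(distributions):
    """Map each distribution Id to its (status, reason) tuple."""
    return {d["Id"]: sni_status(d["DistributionConfig"]) for d in distributions}


# Constructed sample input, shaped like CloudFront distribution configs.
SAMPLE = [
    {"Id": "EXAMPLESNI0001", "DistributionConfig": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-1",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021"}}},
    {"Id": "EXAMPLEVIP0002", "DistributionConfig": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-2",
        "SSLSupportMethod": "vip"}}},
    {"Id": "EXAMPLEDEF0003", "DistributionConfig": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True}}},
    {"Id": "EXAMPLEBAD0004", "DistributionConfig": {}},
]

if __name__ == "__main__":
    for dist_id, (status, reason) in audit(SAMPLE).items():
        print(dist_id, status, reason)
```
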

Resource Type

AwsCloudFrontDistribution
