CloudFront distribution serves HTTPS requests using SNI

cloudfront_distributions_https_sni_enabled

Severity: low
Service: cloudfront
by Prowler

This check verifies that CloudFront distributions using a custom SSL/TLS certificate serve HTTPS with Server Name Indication (ssl_support_method: sni-only). It evaluates whether the distribution relies on SNI rather than a dedicated IP address to present its certificate during the TLS handshake.

Risk

Without SNI, distributions use dedicated IP SSL, which drives higher costs and inefficient IP usage. Dedicated IPs can strain quotas and hinder scaling, reducing availability. Managing IP-bound certificates also adds operational risk during certificate rotations and expansions.

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_https_sni_enabled

Recommendation

Use SNI (sni-only) for HTTPS with custom certificates; avoid dedicated IP unless a critical, non-SNI client requires it. Document and periodically review exceptions, plan client upgrades, and adopt the latest TLS security policy to standardize secure, modern configurations.

Remediation

CLI

# Export only the DistributionConfig object (update-distribution rejects the ETag-wrapped output)
aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query DistributionConfig --output json > current-config.json
# Manually edit current-config.json and set ViewerCertificate.SSLSupportMethod to "sni-only", then run:
aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match "$(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query ETag --output text)"
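The evaluation the check description above performs, and the edit the manual remediation step makes, as an added offline example (not Prowler's own code). It assumes the input is the DistributionConfig object as returned by aws cloudfront get-distribution-config, keyed with the API field names (ViewerCertificate.SSLSupportMethod, ACMCertificateArn, IAMCertificateId, CloudFrontDefaultCertificate); the three sample configurations and their distribution IDs are constructed for illustration, and distributions on the default *.cloudfront.net certificate are reported as not applicable, which is this example's choice.

```python
"""Offline evaluator for the cloudfront_distributions_https_sni_enabled logic.

Input shape: the ``DistributionConfig`` object from
``aws cloudfront get-distribution-config --query DistributionConfig``.
Sample configs below are constructed, not real distributions.
"""
import copy
import json

# Constructed sample DistributionConfig objects keyed by a made-up distribution ID.
SAMPLE_CONFIGS = {
    "EXAMPLE1": {  # custom ACM certificate served with SNI: compliant
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example-id",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        }
    },
    "EXAMPLE2": {  # custom IAM certificate on a dedicated IP: non-compliant
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            "IAMCertificateId": "EXAMPLEIAMCERTID",
            "SSLSupportMethod": "vip",
            "MinimumProtocolVersion": "TLSv1",
        }
    },
    "EXAMPLE3": {  # default *.cloudfront.net certificate: SSLSupportMethod does not apply
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": True,
            "MinimumProtocolVersion": "TLSv1",
        }
    },
}


def uses_custom_certificate(viewer_cert: dict) -> bool:
    """True when the distribution is not on the default certificate and names an ACM or IAM cert."""
    if viewer_cert.get("CloudFrontDefaultCertificate", False):
        return False
    return bool(viewer_cert.get("ACMCertificateArn") or viewer_cert.get("IAMCertificateId"))


def evaluate_distribution(dist_id: str, config: dict) -> dict:
    """Return a finding: PASS when a custom cert is served via SNI, FAIL otherwise,
    NOT_APPLICABLE when the default certificate is in use (this example's choice)."""
    viewer_cert = config.get("ViewerCertificate", {})
    if not uses_custom_certificate(viewer_cert):
        return {"id": dist_id, "status": "NOT_APPLICABLE",
                "message": "distribution uses the default CloudFront certificate"}
    method = viewer_cert.get("SSLSupportMethod")
    if method == "sni-only":
        return {"id": dist_id, "status": "PASS",
                "message": "custom certificate served using SNI"}
    return {"id": dist_id, "status": "FAIL",
            "message": f"custom certificate served with SSLSupportMethod={method!r}, expected 'sni-only'"}


def set_sni_only(config: dict) -> dict:
    """Return a copy of the DistributionConfig with SSLSupportMethod set to sni-only.

    This is the edit the manual remediation step applies to current-config.json.
    The original dict is left untouched; a default-certificate distribution is
    rejected because SSLSupportMethod only applies to custom certificates.
    """
    updated = copy.deepcopy(config)
    viewer_cert = updated.setdefault("ViewerCertificate", {})
    if not uses_custom_certificate(viewer_cert):
        raise ValueError("no ACM/IAM certificate configured; SSLSupportMethod does not apply")
    viewer_cert["SSLSupportMethod"] = "sni-only"
    return updated


def run_check(configs: dict = SAMPLE_CONFIGS) -> list:
    """Evaluate every distribution config and return the list of findings."""
    return [evaluate_distribution(dist_id, cfg) for dist_id, cfg in configs.items()]


if __name__ == "__main__":
    for finding in run_check():
        print(json.dumps(finding))
    print(json.dumps(set_sni_only(SAMPLE_CONFIGS["EXAMPLE2"]), indent=2))
```

To use this against real output, load the JSON written by the get-distribution-config command into a dict and pass it to evaluate_distribution; set_sni_only produces the document you would then hand to update-distribution together with the current ETag.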

Other
  1. In the AWS Console, go to CloudFront and open your distribution
  2. Select the Settings/General tab and click Edit
  3. Under SSL certificate, ensure your custom certificate is selected
  4. Set Client support to SNI only
  5. Click Save changes

Resource Type

AwsCloudFrontDistribution
