Control: CloudFront distributions should use SNI to serve HTTPS requests
Description
This control checks if AWS CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL/TLS support method is a dedicated IP address.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudfront_distribution_sni_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cloudfront_distribution_sni_enabled --shareSQL
This control uses a named query:
select arn as resource, case when viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' then 'ok' else 'alarm' end as status, case when viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' then title || ' SNI enabled.' else title || ' SNI disabled.' end as reason , region, account_idfrom aws_cloudfront_distribution;