CloudFront distributions should use SNI to serve HTTPS requests

Description

This check examines whether Amazon CloudFront distributions that use a custom SSL/TLS certificate are configured to use Server Name Indication (SNI) to serve HTTPS requests. The check fails when a custom SSL/TLS certificate is associated with the distribution but the SSL/TLS support method is a dedicated IP address rather than SNI. Distributions that use the default CloudFront certificate have no SSL/TLS support method to evaluate and are not in scope.

Server Name Indication (SNI) is an extension of the TLS protocol supported by browsers and clients released after 2010. The client includes the hostname it wants to reach in the ClientHello message of the TLS handshake, which lets a server that hosts many domain names on one IP address pick the matching certificate. If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location. When a viewer submits an HTTPS request for your content, DNS routes the request to the IP address for the correct edge location. The mapping from that IP address to your domain name is determined during the SSL/TLS handshake; the IP address is shared with other distributions and is not dedicated to yours. A dedicated IP address is a separately billed option that only benefits viewers that cannot send SNI, so for the vast majority of clients SNI gives the same security at lower cost.

Remediation

For instructions on setting up a CloudFront distribution to use Server Name Indication (SNI) for handling HTTPS requests, refer to Using SNI to Serve HTTPS Requests in the CloudFront Developer Guide.
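The following is an added example, not Security Hub's own implementation and not code from the CloudFront Developer Guide. It evaluates the check described above against the ViewerCertificate structure that the CloudFront API returns (the shape used by boto3's list_distributions and get_distribution_config), and it builds the remediated configuration that switches a distribution to sni-only. The three sample distributions are constructed for the example. Treating the API value "static-ip" as a dedicated-IP method alongside "vip" is an assumption; the control text only names dedicated IP addresses generically. The remediate_live function expects the caller to pass in a boto3 CloudFront client so the module itself runs offline.

```python
"""Evaluate and remediate the CloudFront SNI control on ViewerCertificate data.

Added example, not Security Hub or CloudFront project code.
"""
import copy

# Assumption: both API values describe a dedicated IP address. The control
# text names dedicated IPs generically; "vip" is the classic value and
# "static-ip" the newer one in the CloudFront API.
DEDICATED_IP_METHODS = {"vip", "static-ip"}


def evaluate_viewer_certificate(viewer_cert: dict) -> str:
    """Return PASSED, FAILED or NOT_APPLICABLE for one distribution's
    ViewerCertificate block, mirroring the check described on this page."""
    if viewer_cert.get("CloudFrontDefaultCertificate", False):
        return "NOT_APPLICABLE"  # default certificate: no SSL support method to check
    has_custom_cert = bool(
        viewer_cert.get("ACMCertificateArn") or viewer_cert.get("IAMCertificateId")
    )
    if not has_custom_cert:
        return "NOT_APPLICABLE"
    if viewer_cert.get("SSLSupportMethod") in DEDICATED_IP_METHODS:
        return "FAILED"  # custom certificate served from a dedicated IP
    return "PASSED"  # custom certificate served via sni-only


def find_failing_distributions(distributions: list) -> list:
    """Return the Ids of distributions that fail the check.

    `distributions` is the Items list from list_distributions."""
    return [
        d["Id"]
        for d in distributions
        if evaluate_viewer_certificate(d.get("ViewerCertificate", {})) == "FAILED"
    ]


def remediated_config(distribution_config: dict) -> dict:
    """Return a copy of a DistributionConfig with the support method set to
    sni-only. Every other field is kept, because update_distribution requires
    the complete configuration, not a partial patch."""
    cfg = copy.deepcopy(distribution_config)
    viewer_cert = cfg.setdefault("ViewerCertificate", {})
    if viewer_cert.get("CloudFrontDefaultCertificate", False):
        raise ValueError("distribution uses the default certificate; nothing to remediate")
    viewer_cert["SSLSupportMethod"] = "sni-only"
    return cfg


def remediate_live(cloudfront, distribution_id: str) -> None:
    """Apply the remediation through the API.

    `cloudfront` is a boto3 CloudFront client supplied by the caller. The
    ETag returned by get_distribution_config must be passed back as IfMatch,
    otherwise CloudFront rejects the update."""
    resp = cloudfront.get_distribution_config(Id=distribution_id)
    new_cfg = remediated_config(resp["DistributionConfig"])
    cloudfront.update_distribution(
        Id=distribution_id, IfMatch=resp["ETag"], DistributionConfig=new_cfg
    )


# Constructed sample data in the shape of list_distributions Items.
SAMPLE_DISTRIBUTIONS = [
    {   # default certificate: not in scope
        "Id": "E1DEFAULTCERT",
        "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    },
    {   # custom ACM certificate on a dedicated IP: fails
        "Id": "E2DEDICATEDIP",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
            "SSLSupportMethod": "vip",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
    },
    {   # custom ACM certificate served via SNI: passes
        "Id": "E3SNIONLY",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
    },
]

if __name__ == "__main__":
    for dist in SAMPLE_DISTRIBUTIONS:
        print(dist["Id"], evaluate_viewer_certificate(dist["ViewerCertificate"]))
    print("failing:", find_failing_distributions(SAMPLE_DISTRIBUTIONS))
```

Before applying remediate_live, confirm that no viewers still depend on the dedicated IP: clients that cannot send SNI will fail the handshake once the distribution is switched to sni-only, which is the trade-off the Description above describes.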