MCP: Ensure CloudFront distributions use SNI to serve HTTPS requests #882
Comments
@wrynearson Current deadline is August 23, but can probably get this extended if needed.
Still waiting for APT AWS access
Never mind, @jjfrench now has access
Sorry, just now getting time to address this. We just need to add a cert for these CloudFront distributions to use - is there one we should be importing for an already existing domain? i.e. since this routes to https://www.earthdata.nasa.gov/apt/ should we be using the www.earthdata.nasa.gov cert? (wherever that may be) @ChrisPhillips1024 Do you know the answer to this?
@bwbaker1 might know the answer to that, or could tag the person who would.
@ChrisPhillips1024, not sure if editing the comment above notified you - Do you know how we should proceed with applying a cert?
Sorry, I didn't see the notification to this post. I JUST tracked down the method for generating these certs. I got one set up in the Misc-Prod account for impact.earthdata.nasa.gov for their 3 CFs that require it. The process should be the same for APT if it matches the same domain. Here are the steps that need to be taken to request the Cert in ACM: In the AWS Console
If CLI is required:
Description
MCP and Tenant have shared responsibility to ensure compliance with the MCP System Security Plan. MCP relies on the AWS Security Hub service to identify and track compliance with known security standards as discussed in the service documentation.
The CloudFront distributions should use SNI to serve HTTPS requests as per AWS Foundational Security Best Practices.
See Using SNI to Serve HTTPS Requests
Resources non-compliant:
arn:aws:cloudfront::237694371684:distribution/E1COX9APJFTK2X
arn:aws:cloudfront::237694371684:distribution/E26TIGKCB37R81
arn:aws:cloudfront::237694371684:distribution/E2HG14BAFN6FZ5
The OpenSearch domain needs the latest software installed for the following resource:
arn:aws:es:us-west-2:237694371684:domain/api-lambda-prod-v2-osdomain
Acceptance Criteria
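A triage sketch for the SNI finding in the description, added here as an example and not code from this repository or thread: it classifies the `ViewerCertificate` block of a distribution config, in the shape `aws cloudfront get-distribution-config` returns, as default certificate, custom certificate with SNI, or custom certificate on a dedicated IP. The distribution IDs and certificate ARN in the sample are constructed placeholders, and flagging default-certificate distributions for follow-up is an assumption based on the "add a cert" remediation discussed in the comments.

```python
import json

# Constructed sample input shaped like `aws cloudfront get-distribution-config`
# output, trimmed to the ViewerCertificate block. IDs and ARN are placeholders.
_ACM = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-PLACEHOLDER"
SAMPLE_CONFIGS = {
    "EXAMPLEDIST1": json.dumps({"ETag": "E1", "DistributionConfig": {
        "ViewerCertificate": {"CloudFrontDefaultCertificate": True}}}),
    "EXAMPLEDIST2": json.dumps({"ETag": "E2", "DistributionConfig": {
        "ViewerCertificate": {"ACMCertificateArn": _ACM,
                              "SSLSupportMethod": "vip",
                              "MinimumProtocolVersion": "TLSv1"}}}),
    "EXAMPLEDIST3": json.dumps({"ETag": "E3", "DistributionConfig": {
        "ViewerCertificate": {"ACMCertificateArn": _ACM,
                              "SSLSupportMethod": "sni-only",
                              "MinimumProtocolVersion": "TLSv1.2_2021"}}}),
}


def classify_viewer_certificate(raw_json):
    """Return the certificate/SNI state of one distribution config."""
    doc = json.loads(raw_json)
    config = doc.get("DistributionConfig", doc)  # accept a bare config too
    cert = config.get("ViewerCertificate") or {}
    has_custom = bool(cert.get("ACMCertificateArn") or cert.get("IAMCertificateId"))
    if not has_custom:
        return "default-certificate"
    method = cert.get("SSLSupportMethod")
    if method == "sni-only":
        return "custom-cert-sni-only"
    if method in ("vip", "static-ip"):
        return "custom-cert-dedicated-ip"
    return "custom-cert-unknown-method"


def needs_follow_up(state):
    # Assumption: only a custom certificate served via SNI closes the finding;
    # the default-certificate case follows the thread's "add a cert" remediation.
    return state != "custom-cert-sni-only"


def triage(configs):
    """Map distribution id -> (state, needs_follow_up) for a dict of raw JSON."""
    result = {}
    for dist_id, raw in configs.items():
        state = classify_viewer_certificate(raw)
        result[dist_id] = (state, needs_follow_up(state))
    return result


if __name__ == "__main__":
    for dist_id, (state, todo) in sorted(triage(SAMPLE_CONFIGS).items()):
        print(f"{dist_id}: {state}{' (follow up)' if todo else ''}")
```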