
MCP: Ensure CloudFront distributions use SNI to serve HTTPS requests #882

Open
1 of 2 tasks
bwbaker1 opened this issue Jul 24, 2024 · 9 comments
Comments

bwbaker1 (Collaborator) commented Jul 24, 2024

Description

MCP and Tenant have shared responsibility to ensure compliance with the MCP System Security Plan. MCP relies on the AWS security hub service to identify and track compliance with known security standards as discussed in the service documentation.

The CloudFront distributions should use SNI to serve HTTPS requests as per AWS Foundational Security Best Practices.

See Using SNI to Serve HTTPS Requests

Resources non-compliant:

arn:aws:cloudfront::237694371684:distribution/E1COX9APJFTK2X
arn:aws:cloudfront::237694371684:distribution/E26TIGKCB37R81
arn:aws:cloudfront::237694371684:distribution/E2HG14BAFN6FZ5

The OpenSearch domain needs the latest software installed for the following resource:

arn:aws:es:us-west-2:237694371684:domain/api-lambda-prod-v2-osdomain

Acceptance Criteria

  • CloudFront configured to use SNI to serve HTTPS requests
  • Latest OpenSearch software is installed
bwbaker1 (Collaborator, Author) commented:

@wrynearson Current deadline is August 23, but can probably get this extended if needed.

wrynearson (Member) commented:

Thanks @bwbaker1. @jjfrench, could you look into this when you have time?

cc @sunu

jjfrench (Contributor) commented Aug 5, 2024

Still waiting for APT AWS access

wrynearson (Member) commented:

@bwbaker1 we're blocked on production releases until @jjfrench gets access

wrynearson (Member) commented:

Never mind, @jjfrench now has access

bwbaker1 changed the title from "Ensure CloudFront distributions use SNI to serve HTTPS requests" to "MCP: Ensure CloudFront distributions use SNI to serve HTTPS requests" on Aug 13, 2024

jjfrench (Contributor) commented Aug 14, 2024

Sorry, just now getting time to address this. We just need to add a cert for these CloudFront distributions to use - is there one we should be importing for an already existing domain? i.e. since this routes to https://www.earthdata.nasa.gov/apt/ should we be using the www.earthdata.nasa.gov cert? (wherever that may be)

@ChrisPhillips1024 Do you know the answer to this?

wrynearson (Member) commented:

@bwbaker1 might know the answer to that, or could tag the person who would.

jjfrench (Contributor) commented Aug 20, 2024

@ChrisPhillips1024 , not sure if editing the comment above notified you - Do you know how we should proceed with applying a cert?

ChrisPhillips1024 commented Aug 23, 2024

Sorry, I didn't see the notification to this post. I JUST tracked down the method for generating these certs. I got one set up in the Misc-Prod account for impact.earthdata.nasa.gov for their 3 CFs that require it. The process should be the same for APT if it matches the same domain. Here are the steps that need to be taken to request the Cert in ACM:

In the AWS Console

  1. Ensure your Region is set to US-East-1 in ACM for the cert to be visible to the CloudFronts
  2. Open a Cert request for your domain (earthdata.nasa.gov)
  3. Choose Email Validation
  4. There is a field for Validation Domain. Enter "nasa.gov"
  5. Submit the Cert Request
  6. Enter the cert page for the new cert and verify the Registered Owners field is filled with .nasa.gov instead of earthdata.nasa.gov entries and then click "Resend Validation Email" 2 or 3 times.
  7. Send an email with the Account Number and the Cert ARN to [email protected] and inform them of the cert request they should have received.

If CLI is required (REQUIREDDOMAIN and CERTIFICATE_ARN are placeholders for the requested domain and the ARN returned by the first command):
aws acm request-certificate --domain-name REQUIREDDOMAIN --validation-method EMAIL --region us-east-1
aws acm resend-validation-email --certificate-arn CERTIFICATE_ARN --domain REQUIREDDOMAIN --validation-domain nasa.gov --region us-east-1
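The acceptance criterion in the issue body (CloudFront configured to use SNI) and step 1 of the ACM procedure above (the certificate must live in us-east-1 for CloudFront to see it) can both be verified offline against the JSON that `aws cloudfront get-distribution-config` prints. The following Python is an added example, not code from this thread or from any AWS tool; the sample DistributionConfig objects, distribution ids, account number and certificate ids are constructed placeholders. Treating the default CloudFront certificate as non-compliant is an assumption that follows the thread's plan to attach an ACM certificate, not a statement of how the Security Hub control evaluates that case.

```python
import json

# Constructed sample inputs in the shape of the "DistributionConfig" object
# returned by `aws cloudfront get-distribution-config`. Distribution ids,
# account number and certificate ids are placeholders, not the ones in the issue.
SAMPLE_DISTRIBUTIONS = {
    "EXAMPLE1COMPLIANT": {
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/11111111-2222-3333-4444-555555555555",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
            "CertificateSource": "acm",
        }
    },
    "EXAMPLE2DEFAULTCERT": {
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": True,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront",
        }
    },
    "EXAMPLE3WRONGREGIONVIP": {
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-west-2:111122223333:certificate/66666666-7777-8888-9999-000000000000",
            "SSLSupportMethod": "vip",
            "MinimumProtocolVersion": "TLSv1.2_2021",
            "CertificateSource": "acm",
        }
    },
}


def acm_arn_region(arn):
    """Return the region field of an ACM certificate ARN
    (arn:aws:acm:REGION:ACCOUNT:certificate/ID), or None if it is not an ACM ARN."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] != "acm":
        return None
    return parts[3]


def check_viewer_certificate(distribution_config):
    """Evaluate one DistributionConfig and return a list of human-readable findings.
    An empty list means the distribution meets the SNI acceptance criterion."""
    findings = []
    vc = distribution_config.get("ViewerCertificate", {})

    # The default *.cloudfront.net certificate cannot serve a custom domain over SNI;
    # the thread's plan is to attach an ACM certificate instead (assumption, see lead-in).
    if vc.get("CloudFrontDefaultCertificate", False):
        findings.append("uses the default CloudFront certificate; attach a custom ACM certificate")
        return findings

    arn = vc.get("ACMCertificateArn")
    if arn:
        # CloudFront only uses ACM certificates issued in us-east-1 (step 1 of the procedure).
        region = acm_arn_region(arn)
        if region != "us-east-1":
            findings.append(f"ACM certificate is in region {region!r}; CloudFront requires us-east-1")
    elif not vc.get("IAMCertificateId"):
        findings.append("no custom certificate attached")

    # 'vip' means a dedicated IP address at each edge location rather than SNI.
    method = vc.get("SSLSupportMethod")
    if method != "sni-only":
        findings.append(f"SSLSupportMethod is {method!r}; expected 'sni-only'")
    return findings


def audit(distributions):
    """Map distribution id -> findings for every distribution in the input dict."""
    return {dist_id: check_viewer_certificate(cfg) for dist_id, cfg in distributions.items()}


def findings_from_cli_json(text):
    """Parse the full JSON document printed by `aws cloudfront get-distribution-config`
    (top-level keys "ETag" and "DistributionConfig") and evaluate it."""
    return check_viewer_certificate(json.loads(text)["DistributionConfig"])


if __name__ == "__main__":
    for dist_id, findings in audit(SAMPLE_DISTRIBUTIONS).items():
        status = "COMPLIANT" if not findings else "NON-COMPLIANT"
        print(f"{dist_id}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

To use it against a live account, pipe the output of `aws cloudfront get-distribution-config --id <distribution id>` into `findings_from_cli_json`; a non-empty result lists exactly what has to change before the Security Hub finding can close.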
