aws-codedeploy-agent icon indicating copy to clipboard operation
aws-codedeploy-agent copied to clipboard

Published 20 hours ago verified publisher icon aws

Some request missing SNI field

Open nwesoccer opened this issue 9 months ago • 2 comments

We are trying to implement a whitelist for AWS Network Firewall for Egress filtering. A majority of the requests coming from CodeDeploy agent do properly have SNI such that Surricata rules can use tls.sni to filter and whitelist the requests. However, there are many requests to codedeploy-commands.{region}.amazonaws.com that do not contain tls.sni field during ssl hello. We were hoping to keep all aws traffic internal, but it doesn't seem like codedeploy has a vpc endpoint option.

My uneducated guess is that some one off request, maybe the validation of the certificate(?), is not utilizing SNI.

nwesoccer avatar May 07 '24 18:05 nwesoccer