Some request missing SNI field

[nwesoccer]

We are trying to implement a whitelist for AWS Network Firewall for Egress filtering. A majority of the requests coming from CodeDeploy agent do properly have SNI such that Surricata rules can use tls.sni to filter and whitelist the requests. However, there are many requests to codedeploy-commands.{region}.amazonaws.com that do not contain tls.sni field during ssl hello. We were hoping to keep all aws traffic internal, but it doesn't seem like codedeploy has a vpc endpoint option.

My uneducated guess is that some one off request, maybe the validation of the certificate(?), is not utilizing SNI.

[mwjones-aws]

We were hoping to keep all aws traffic internal, but it doesn't seem like codedeploy has a vpc endpoint option.

You can configure CodeDeploy agent to use a VPC endpoint. docs

com.amazonaws.region.codedeploy-commands-secure: Choose this option if you want to create a VPC endpoint for CodeDeploy agent operations. You will also need to set :enable_auth_policy: to true in your agent configuration file and attach the required permissions. For more information, see Configure the CodeDeploy agent and IAM permissions.

[nwesoccer]

@mwjones-aws You are correct, but only for commercial regions. Unfortunately the GovCloud regions do not have the codedeploy vpc endpoints.

Maybe my request should then be to support those endpoints in GovCloud.