I am trying to add all the required AWS console sites to IE trusted Sites so our Servers can access the AWS Console. I have added all the other AWS domains with wildcards via GPO/Registry settings but the registry setting for https://*.cloudfront.net does not work. When I try to manually enter it into IE I get the pattern is not accepted error.

I have tried on Windows 10 (IE version 11.557.17763), Windows Server 2016 (IE version 11.557.17763) and Server 2012 R2 (IE version 11.0.9600.19301).

If I change a letter around, it works. For example, https://*.cloudfron.net and https://*.cloudfronts.net both work.

I have also tried on a different domain and it also did not work.

rickbond

2 Answers

IE is protecting you from a dangerous misconfiguration.

It isn't appropriate to add https://*.cloudfront.net to trusted sites, just as it would not be appropriate to add https://*.com to trusted sites. The problem with trusting all of *.com is obvious enough, but why CloudFront?

The reason is because anyone can have a *.cloudfront.net subdomain. CloudFront is a service that is used by AWS customers, in addition to being used by the AWS console and even the amazon.com retail site.

But how does IE know this specific domain should be restricted? It appears to be this:

IE on the Windows 10 Technical Preview switches the parsing of domain names to use the algorithms and domain list found at http://publicsuffix.org.

https://blogs.msdn.microsoft.com/ie/2014/10/01/internet-explorer-and-the-windows-10-technical-preview/

Presumably this is still true. And, you will observe that cloudfront.net is indeed on the public suffix list. (On the public suffix list, the absence of * wildcards does not mean what you might assume, so the fact that the list includes cloudfront.net but not *.cloudfront.net is not significant, here.)

Unfortunately, it appears that you will need to identify the specific CloudFront subdomains to trust, and configure them individually.

See also https://blogs.msdn.microsoft.com/ieinternals/2009/09/18/understanding-domain-names-in-internet-explorer/

Michael - sqlbot
  • The reason he mentioned using *.cloudfront.net is that console.aws.amazon.com uses direct dxxxxx.cloudfront.net links to load some js/css, and AWS isn't going to tell you the fixed domains, or they may change. – James Dean Jun 22 '19 at 18:27
  • @JamesDean yes, that is mentioned in the original question and echoed in what I wrote: *"CloudFront is a service that is used by AWS customers,* **in addition to being used by the AWS console** *and even the amazon.com retail site."* The specific subdomains used by the console will need to be trusted, not the whole domain... and updated if they change. It's unfortunate that the console uses direct links to system-assigned CloudFront hostnames. – Michael - sqlbot Jun 22 '19 at 18:31
  • Thank you for sharing that information with me. I did a Google search first but did not find that. – rickbond Jun 23 '19 at 12:26
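To make the accepted answer's reasoning concrete, here is an added example (not from the question, the answer, or Microsoft) that implements the Public Suffix List matching algorithm from publicsuffix.org over a constructed subset of rules and uses it to decide whether a Trusted Sites wildcard pattern would trust an entire public suffix. The rule subset, the helper names and the `wildcard_pattern_is_safe` check are all assumptions of this example; it also shows how a `*.` wildcard rule and a `!` exception rule behave, which is the point made about the list's own wildcards.

```python
# Constructed subset of rules in Public Suffix List format (the real list at
# https://publicsuffix.org is much larger). "*." marks a wildcard rule and "!"
# an exception to a wildcard rule; a plain entry such as "cloudfront.net" already
# makes every label directly below it a separate registrable domain.
PSL_RULES = ["com", "net", "cloudfront.net", "*.compute.amazonaws.com",
             "*.ck", "!www.ck"]

def _rule_matches(rule, labels):
    """A rule matches when its labels equal the host's trailing labels
    ('*' matches any single label)."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == h
               for r, h in zip(reversed(rule_labels), reversed(labels)))

def public_suffix(hostname, rules=PSL_RULES):
    """Return the public suffix of hostname using the PSL matching algorithm."""
    labels = hostname.lower().rstrip(".").split(".")
    matching = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        # An exception rule wins; the suffix is that rule minus its leftmost label.
        n = len(exceptions[0].split(".")) - 1
    elif matching:
        # Otherwise the matching rule with the most labels wins.
        n = max(len(r.split(".")) for r in matching)
    else:
        # No rule matched: the implicit "*" rule makes the last label the suffix.
        n = 1
    return ".".join(labels[-n:])

def wildcard_pattern_is_safe(pattern, rules=PSL_RULES):
    """True if an IE zone pattern like 'https://*.example' still names at least
    one registrable domain; False if it would trust every site under a public
    suffix, which is the case IE refuses with 'the pattern is not accepted'."""
    host = pattern.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        host = host[2:]
    return host != public_suffix(host, rules)
```

Run against the patterns from the question, `https://*.cloudfront.net` is rejected while `https://*.cloudfron.net` and `https://*.cloudfronts.net` pass, because only the first leaves nothing below a public suffix.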
Turning off Enhanced Security Configuration fixes the issue as well.

kdark