I am trying to add all the required AWS console sites to IE trusted Sites so our Servers can access the AWS Console.
I have added all the other AWS domains with wildcards via GPO/Registry settings but the registry setting for https://*.cloudfront.net does not work.
When I try to manually enter it into IE I get the pattern is not accepted error.
I have tried on Windows 10 (IE version 11.557.17763), Windows Server 2016 (IE version 11.557.17763), and Server 2012 R2 (IE version 11.0.9600.19301).
If I change a letter around it works. Example: https://*.cloudfron.net and https://*.cloudfronts.net work.
I have also tried on a different domain and it also did not work.
IE is protecting you from a dangerous misconfiguration.
It isn't appropriate to add https://*.cloudfront.net to trusted sites, just as it would not be appropriate to add https://*.com to trusted sites. The problem with trusting all of *.com is obvious enough, but why CloudFront?
The reason is because anyone can have a *.cloudfront.net subdomain. CloudFront is a service that is used by AWS customers, in addition to being used by the AWS console and even the amazon.com retail site.
But how does IE know this specific domain should be restricted? It appears to be this:
Presumably this is still true. And, you will observe that cloudfront.net is indeed on the public suffix list. (On the public suffix list, the absence of * wildcards does not mean what you might assume, so the fact that the list includes cloudfront.net but not *.cloudfront.net is not significant, here.)
Unfortunately, it appears that you will need to identify the specific CloudFront subdomains to trust, and configure them individually.
See also https://blogs.msdn.microsoft.com/ieinternals/2009/09/18/understanding-domain-names-in-internet-explorer/
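The check described in the answer above can be run over a Trusted Sites list before it goes into a GPO. This is an added example, not part of the original answer and not IE's own code. It assumes the rejection rule is "a wildcard placed directly on a public suffix"; the rule excerpt (`PSL_EXCERPT`) and the host name `d111111abcdef8.cloudfront.net` are constructed, and the function names are hypothetical.

```python
# Constructed excerpt of public suffix list rules; the real list is far longer.
PSL_EXCERPT = {"com", "net", "cloudfront.net", "*.ck", "!www.ck"}

def public_suffix(host, rules=PSL_EXCERPT):
    """Return the public suffix of host under the PSL matching rules."""
    labels = host.lower().strip(".").split(".")
    tails = [labels[i:] for i in range(len(labels))]  # longest first
    # Exception rules ("!name") prevail: the suffix is the rule minus its first label.
    for tail in tails:
        if "!" + ".".join(tail) in rules:
            return ".".join(tail[1:])
    # Otherwise the longest matching rule wins; "*" stands for exactly one label.
    for tail in tails:
        if ".".join(tail) in rules or ".".join(["*"] + tail[1:]) in rules:
            return ".".join(tail)
    return labels[-1]  # implicit default rule "*"

def pattern_host(entry):
    """Strip scheme and path from a Trusted Sites entry such as https://*.example.com/."""
    return entry.split("://", 1)[-1].split("/", 1)[0].lower()

def is_overbroad(entry, rules=PSL_EXCERPT):
    """True if the entry is a wildcard sitting directly on a public suffix."""
    host = pattern_host(entry)
    if not host.startswith("*."):
        return False
    base = host[2:]
    # A plain rule "cloudfront.net" makes cloudfront.net itself a suffix, so every
    # name one label below it is a separately controlled registrable domain.
    return public_suffix(base, rules) == base

def audit(entries, rules=PSL_EXCERPT):
    """Split a site list into entries to reject and entries to keep."""
    reject = [e for e in entries if is_overbroad(e, rules)]
    keep = [e for e in entries if e not in reject]
    return reject, keep

if __name__ == "__main__":
    # Patterns from the question plus one constructed per-distribution host name.
    sites = [
        "https://*.cloudfront.net",
        "https://*.cloudfron.net",
        "https://*.com",
        "https://d111111abcdef8.cloudfront.net",
    ]
    reject, keep = audit(sites)
    print("reject:", reject)
    print("keep:  ", keep)
```

The misspelled `cloudfron.net` pattern passes only because that name is not a public suffix, which matches what the question observed.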