In cloudfront lecture, it’s stated that one needs to use SNI if a custom wildcard SSL cert is used. I am a bit confused with this statement as i think SNI is unnecessary in this situation since wildcard cert is valid for any of my hosts. So long as they all shared the same parent domain.
SNI is required for any cert that you want to put in front of CloudFront unless you opt for the static IP deployment. The reason is that the CloudFront systems have their own DNS names, usually something like hfdushoewifeofh.cloudfront.net, and your domain is really just CNAMEed to that CloudFront domain. Thus, it would not validate against your mydomain.com certificate. Hence, SNI is needed to permit that certificate to work with multiple domain names.
If in doubt, try it out by creating a CloudFront deployment for some S3 docs and use ACM to create some certs….try it with and without SNI.