Ensure ACM only has certificates with single domain names, and none with wildcard domain names
Checks for ACM Certificates with wildcard domain names instead of single domain names. ACM allows you to use wildcards (*) in the domain name, to protect several sites in the same domain. There is a risk with this type of certificate, since if the private key of a certificate is compromised, then all domain and subdomains that use the compromised certificate are potentially compromised. It is recommended to use single domain name certificates instead of wildcard certificates to reduce these associated risks.
Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.27
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
AcmCertificate should not have domainValidationOptions contain [ domainName like '%*%' ]
REMEDIATION
From Portal
Replace the reported wildcard certificate with single domain name certificate for all the first-level subdomains resulted from the domain name of the website secured with the wildcard certificate and delete the reported wildcard domain certificate.
To create a new certificate with a single domain:
- Sign in on the AWS console
- In the console, select the specific region
- Navigate to Certificate Manager
- In 'Request a certificate' page,
- Enter the fully qualified domain name in the 'Fully qualified domain name' box. Ensure it does not contain a wildcard character i.e. *.
- Select the validation method.
- Select an 'Key algorithm' and click on 'Request'. The certificate status should change from 'Pending validation' to 'Issued'.
- Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.
To delete a wildcard certificate:
- Sign in on the AWS console
- In the console, select the specific region
- Navigate to the Certificate Manager(ACM) service
- Select the certificate
- Under 'Actions' drop-down click 'Delete'
- On 'Delete certificate' popup windows, Click 'Delete'
From TF
resource "aws_acm_certificate" "cert" {
domain_name = "example.com"
validation_method = "DNS"
tags = {
Environment = "test"
}
lifecycle {
create_before_destroy = true
}
}
From Command Line
- Replace the wildcard certificate with single domain name. Run below command to request an certificate.
aws acm request-certificate --domain-name example.com --key-algorithm ALGORITHM_TYPE --validation-method METHOD_OF_VALIDATION
- AWS issues the certificate once the new ACM certificate is validated and its status changed to 'Issued'. Now access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.
References
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
- https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
- https://docs.aws.amazon.com/acm/latest/userguide/gs.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
- https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
AWS Certificate Manager
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago