Ensure AWS CloudFront web distributions use custom (and not default) SSL certificates

Custom SSL certificates give you full control over your CloudFront content. Custom certificates allow your users to access content by using alternate domain name. You can store custom certificates in AWS Certificate Manager (ACM) or in IAM. It recommended to use custom SSL Certificate to access CloudFront content to have more control over your data.

Risk Level: Low
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.NET.43
Covered by Spectral: Yes
Category: Networking & Content Delivery


CloudFront should not have distributionConfig.viewerCertificate.certificateSource like '%cloudfront%'


From Portal

  1. Sign in to the AWS console
  2. Select the region, from the region drop-down, in which the issue is generated
  3. Navigate to CloudFront Distributions Dashboard
  4. Click the reported distribution
  5. On the 'General' tab, click the 'Edit' button
  6. On 'Edit Distribution' page set 'SSL Certificate' to 'Custom SSL Certificate (example.com):', select a certificate or type your certificate ARN in the field and other parameters as per your requirement.
  7. Click 'Save changes'

From TF

resource "aws_cloudfront_distribution" "example1" {
	viewer_certificate {
		acm_certificate_arn = "aws_acm_certificate_arn"


  1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html#using-https-viewers-to-cloudfront-procedure
  2. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowToUpdateDistribution.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset