Risk Level: Low
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.NET.43
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should not have distributionConfig.viewerCertificate.certificateSource like '%cloudfront%'

REMEDIATION

From Portal

Sign in to the AWS console
Select the region, from the region drop-down, in which the issue is generated
Navigate to CloudFront Distributions Dashboard
Click the reported distribution
On the 'General' tab, click the 'Edit' button
On 'Edit Distribution' page set 'SSL Certificate' to 'Custom SSL Certificate (example.com):', select a certificate or type your certificate ARN in the field and other parameters as per your requirement.
Click 'Save changes'

From TF

resource "aws_cloudfront_distribution" "example1" {
	viewer_certificate {
		...
		acm_certificate_arn = "aws_acm_certificate_arn"
		...
	}
}

References

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset