Ensure ACM only has certificates with single domain names, and none with wildcard domain names

Checks for ACM certificates that use wildcard domain names instead of single domain names. ACM allows a wildcard (*) in the domain name so that one certificate protects several sites in the same domain. The risk with this type of certificate is that if its private key is compromised, every domain and subdomain served with that certificate is potentially compromised as well. It is recommended to use single domain name certificates instead of wildcard certificates to reduce this risk.

Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.27
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate should not have domainValidationOptions contain [ domainName like '%*%' ]
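As an added example (not part of this rule page and not CloudGuard's own engine), the following Python implements the same check over certificate descriptions in the shape returned by `aws acm describe-certificate`. It goes slightly beyond the GSL expression by also inspecting the primary domain name and the subject alternative names, so a wildcard that only appears in a SAN is still reported. The sample certificates are constructed and their ARNs are placeholders; `fetch_certificates()` is an optional live source that assumes boto3 and AWS credentials and is not used by the sample run.

```python
"""Detection for the rule above: flag ACM certificates whose names contain a
wildcard. Mirrors the GSL expression
    AcmCertificate should not have domainValidationOptions contain [ domainName like '%*%' ]
Example code added for illustration; not CloudGuard's implementation."""
from typing import Dict, Iterable, List


def wildcard_names(cert: Dict) -> List[str]:
    """Return every name on an ACM certificate description that contains '*'.

    `cert` has the shape of the `Certificate` object returned by
    `acm describe-certificate`: DomainName, SubjectAlternativeNames and
    DomainValidationOptions (one entry per name, each with its own DomainName).
    The GSL rule inspects DomainValidationOptions; the primary name and SANs
    are checked too so a wildcard present only in a SAN is never missed.
    """
    names = {cert.get("DomainName", "")}
    names.update(cert.get("SubjectAlternativeNames", []))
    names.update(opt.get("DomainName", "")
                 for opt in cert.get("DomainValidationOptions", []))
    return sorted(name for name in names if "*" in name)


def find_wildcard_certificates(certs: Iterable[Dict]) -> List[Dict]:
    """Evaluate the rule over certificate descriptions and return one finding
    per non-compliant certificate, listing the offending names."""
    findings = []
    for cert in certs:
        hits = wildcard_names(cert)
        if hits:
            findings.append({"CertificateArn": cert["CertificateArn"],
                             "WildcardNames": hits})
    return findings


def fetch_certificates(region: str) -> Iterable[Dict]:
    """Live source for find_wildcard_certificates(): every certificate in one
    region, as returned by the real ACM API. Assumes boto3 is installed and
    AWS credentials are configured; not exercised by the sample run below."""
    import boto3  # imported lazily so the offline sample needs no AWS SDK
    acm = boto3.client("acm", region_name=region)
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            yield acm.describe_certificate(CertificateArn=arn)["Certificate"]


# Constructed sample data in describe-certificate shape (ARNs are placeholders).
SAMPLE_CERTIFICATES = [
    {   # compliant: explicit single names only
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/CONSTRUCTED-0001",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "www.example.com"],
        "DomainValidationOptions": [{"DomainName": "example.com"},
                                    {"DomainName": "www.example.com"}],
    },
    {   # non-compliant: wildcard primary name
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/CONSTRUCTED-0002",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": ["*.example.com"],
        "DomainValidationOptions": [{"DomainName": "*.example.com"}],
    },
    {   # non-compliant: single primary name but a wildcard SAN
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/CONSTRUCTED-0003",
        "DomainName": "api.example.org",
        "SubjectAlternativeNames": ["api.example.org", "*.internal.example.org"],
        "DomainValidationOptions": [{"DomainName": "api.example.org"},
                                    {"DomainName": "*.internal.example.org"}],
    },
]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_certificates("us-east-1") to evaluate a real account.
    for finding in find_wildcard_certificates(SAMPLE_CERTIFICATES):
        print(f"{finding['CertificateArn']}: wildcard names {finding['WildcardNames']}")
```

The finding carries the exact wildcard names rather than only the ARN, which is what an operator needs when planning the per-subdomain replacement certificates described under Remediation.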

REMEDIATION

From Portal
Replace the reported wildcard certificate with a single domain name certificate for each first-level subdomain of the domain that the wildcard certificate secures, then delete the reported wildcard certificate.

To create a new certificate with a single domain:

  1. Sign in to the AWS console
  2. In the console, select the relevant region
  3. Navigate to Certificate Manager
  4. Open the 'Request a certificate' page
  5. Enter the fully qualified domain name in the 'Fully qualified domain name' box. Ensure it does not contain a wildcard character (*).
  6. Select the validation method.
  7. Select a 'Key algorithm' and click 'Request'. Once validation completes, the certificate status changes from 'Pending validation' to 'Issued'.
  8. Access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

To delete a wildcard certificate:

  1. Sign in to the AWS console
  2. In the console, select the relevant region
  3. Navigate to the Certificate Manager (ACM) service
  4. Select the certificate
  5. Under the 'Actions' drop-down, click 'Delete'
  6. In the 'Delete certificate' popup window, click 'Delete'

From TF

resource "aws_acm_certificate" "cert" {
  # A single fully qualified domain name: no wildcard (*) label, so this
  # resource passes the rule. Request one such resource per subdomain instead
  # of one wildcard certificate covering them all.
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Environment = "test"
  }

  # Issue the replacement certificate before the old one is destroyed so the
  # listener or distribution that references it never loses its certificate.
  lifecycle {
    create_before_destroy = true
  }
}

From Command Line

  1. Replace the wildcard certificate with a single domain name certificate. Run the command below to request a certificate, substituting your key algorithm and validation method:
aws acm request-certificate --domain-name example.com --key-algorithm ALGORITHM_TYPE --validation-method METHOD_OF_VALIDATION
  2. AWS issues the certificate once the new ACM certificate is validated and its status changes to 'Issued'. Then access your application's web server configuration and replace the wildcard certificate with the newly issued single domain name certificate.

References

  1. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html
  2. https://docs.aws.amazon.com/cli/latest/reference/acm/request-certificate.html
  3. https://docs.aws.amazon.com/acm/latest/userguide/gs.html
  4. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5