Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key. An AWS ACM wildcard certificate matches any first-level subdomain or hostname in a domain. For example, a wildcard certificate issued for *.cloudconformity.com can protect both www.cloudconformity.com and images.cloudconformity.com.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When wildcard certificates are in use, if the private key of a certificate is compromised, then all sites (domain and subdomains) that use the compromised certificate are potentially impacted. The risk of compromise is even higher when wildcard certificates are imported into AWS ACM, because the customer holds an unencrypted copy of the certificate's private key on their own device(s). Cloud Conformity recommends using single domain name certificates instead of wildcard certificates to reduce the risks associated with a compromised domain/subdomain.
To determine if there are any issued Amazon Certificate Manager wildcard certificates available in your AWS account, perform the following:
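The audit described above, implemented as an added example (not Cloud Conformity's own code): it flags every ACM certificate whose domain name or subject alternative names begin with "*." and records whether the certificate was imported. It assumes boto3 credentials and region are configured and that the caller holds acm:ListCertificates and acm:DescribeCertificate; the SAMPLE_CERTS data is constructed for illustration.

```python
from typing import Dict, Iterable, List


def wildcard_names(cert: Dict) -> List[str]:
    """Return every name on the certificate that starts with '*.'.
    `cert` has the shape of the "Certificate" dict from ACM DescribeCertificate."""
    names = [cert.get("DomainName", "")] + list(cert.get("SubjectAlternativeNames", []))
    return sorted({n for n in names if n.startswith("*.")})


def audit(certs: Iterable[Dict]) -> List[Dict]:
    """One finding per certificate that covers a wildcard domain."""
    findings = []
    for cert in certs:
        wild = wildcard_names(cert)
        if wild:
            findings.append({
                "arn": cert.get("CertificateArn"),
                "wildcards": wild,
                # Imported certs carry the extra risk noted above: the customer
                # holds an unencrypted copy of the private key outside AWS.
                "imported": cert.get("Type") == "IMPORTED",
            })
    return findings


def describe_all_certificates(region: str = "us-east-1") -> List[Dict]:
    """Fetch every certificate in the region (live AWS call; needs boto3)."""
    import boto3  # imported here so the pure audit logic runs without it
    acm = boto3.client("acm", region_name=region)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            certs.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    return certs


# Constructed sample input (not real account data) mirroring the page's example.
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/sample-1",
     "DomainName": "*.cloudconformity.com",
     "SubjectAlternativeNames": ["*.cloudconformity.com", "cloudconformity.com"],
     "Type": "IMPORTED"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/sample-2",
     "DomainName": "www.cloudconformity.com",
     "SubjectAlternativeNames": ["www.cloudconformity.com", "images.cloudconformity.com"],
     "Type": "AMAZON_ISSUED"},
]

if __name__ == "__main__":  # run against the live account
    for f in audit(describe_all_certificates()):
        print(f["arn"], f["wildcards"], "(imported)" if f["imported"] else "")
```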
Remediation / Resolution
To issue a single domain name certificate for each first-level subdomain using the AWS Certificate Manager (ACM) service, perform the following actions:
AWS ACM Certificates with Wildcard Domain Names
Risk level: Low