Ensure that single-domain ACM certificates are used instead of wildcard certificates within your AWS account, so that each domain or subdomain is protected by its own private key. An AWS ACM wildcard certificate matches any single label (first-level subdomain or hostname) under the domain, but not the apex domain itself or deeper levels. For example, a wildcard certificate issued for *.cloudconformity.com can protect both www.cloudconformity.com and images.cloudconformity.com.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When a wildcard certificate is in use, a compromise of its private key exposes every site (domain and subdomains) that terminates TLS with it, because they all share that one key. The risk is higher for wildcard certificates imported into ACM: the private key was generated outside the service and the customer holds an unencrypted copy of it on their own systems, whereas the key of an ACM-issued certificate is generated and stored inside ACM. Cloud Conformity recommends using single-domain certificates instead of wildcard certificates so that a compromised key affects only one domain or subdomain.
Audit
To determine whether any issued AWS Certificate Manager wildcard certificates exist in your AWS account, perform the following:
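The audit steps themselves are not reproduced on this page. As an added example (not Conformity's or AWS's own code), the following shell script performs the same check with the AWS CLI commands listed in the references (list-certificates, describe-certificate): it walks every ISSUED certificate in the current region and flags any whose subject or Subject Alternative Name entries begin with "*.", which is the only wildcard form ACM issues. It assumes AWS CLI v2 with credentials that allow acm:ListCertificates and acm:DescribeCertificate; the function names are the author's own.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's or AWS's own code). Lists every ISSUED ACM
# certificate in the current region and flags those whose subject or SAN entries
# start with "*." (ACM wildcards are always leftmost-label wildcards).
# Assumes: AWS CLI v2 configured with read access to acm:ListCertificates and
# acm:DescribeCertificate. Function names are the author's own.
set -euf   # -f: no globbing, so a name like *.example.com never expands to files

# Print the wildcard entries among the given domain names, one per line.
# Exit status 0 if at least one wildcard was found, 1 otherwise.
wildcard_names() {
  found=1
  for name in "$@"; do
    case "$name" in
      \*.*) printf '%s\n' "$name"; found=0 ;;
    esac
  done
  return $found
}

# Audit all issued certificates. Prints one NON-COMPLIANT line per wildcard
# certificate (ARN, Type, offending names) and exits 1 if any were found.
audit_acm_wildcards() {
  rc=0
  # Only ISSUED certificates can terminate TLS; pending, expired or revoked
  # ones are ignored here. CLI v2 paginates list-certificates automatically.
  for arn in $(aws acm list-certificates --certificate-statuses ISSUED \
                 --query 'CertificateSummaryList[].CertificateArn' --output text); do
    [ "$arn" = None ] && continue
    # Type is AMAZON_ISSUED, PRIVATE or IMPORTED; an imported wildcard carries
    # the extra exposure described in the rationale above.
    type=$(aws acm describe-certificate --certificate-arn "$arn" \
             --query 'Certificate.Type' --output text)
    # SubjectAlternativeNames already includes the primary DomainName.
    names=$(aws acm describe-certificate --certificate-arn "$arn" \
              --query 'Certificate.SubjectAlternativeNames[]' --output text)
    if hits=$(wildcard_names $names); then
      rc=1
      printf 'NON-COMPLIANT\t%s\t%s\t%s\n' "$arn" "$type" \
        "$(printf '%s' "$hits" | tr '\n' ' ')"
    fi
  done
  return $rc
}

# Run the audit only when invoked with "run", so the functions can also be sourced.
if [ "${1:-}" = run ]; then
  audit_acm_wildcards
fi
```

Run it once per region you use (`AWS_DEFAULT_REGION=us-east-1 ./acm_wildcard_audit.sh run`), since ACM certificates are regional; a non-zero exit status makes the check easy to wire into a CI or scheduled job.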
Remediation / Resolution
To issue a single-domain certificate for each first-level subdomain using the AWS Certificate Manager (ACM) service, perform the following actions:
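The remediation steps are likewise not reproduced here. As an added example (not Conformity's or AWS's own code), the script below performs the CLI equivalent with request-certificate and describe-certificate from the references: it requests one DNS-validated certificate per fully qualified host name, refuses any name containing "*" so the fix cannot reintroduce a wildcard, and prints the CNAME record that has to be published to complete validation. It assumes AWS CLI v2 with acm:RequestCertificate and acm:DescribeCertificate permissions; the function names and the idempotency-token scheme are the author's own.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's or AWS's own code). Requests one ACM
# certificate per fully qualified host name (DNS validation) and prints the CNAME
# record that must be published to prove ownership, per "Use DNS to Validate
# Domain Ownership" in the references.
# Assumes: AWS CLI v2 configured with acm:RequestCertificate and
# acm:DescribeCertificate permissions. Function names are the author's own.
set -eu

# Accept exactly one FQDN (apex or subdomain); refuse anything containing "*"
# or whitespace so this script cannot reintroduce a wildcard certificate.
validate_single_domain() {
  case "$1" in
    ""|*\**|*[[:space:]]*) return 1 ;;
    *.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Request a DNS-validated certificate for one host name and print
# "<arn><TAB><cname-name> <cname-type> <cname-value>".
request_single_domain_cert() {
  domain=$1
  validate_single_domain "$domain" || {
    printf 'refusing %s: not a single fully qualified domain name\n' "$domain" >&2
    return 1
  }
  # Idempotency token (\w+, max 32 chars) derived from the name: re-running for
  # the same host within ACM's idempotency window returns the existing request
  # instead of issuing a duplicate certificate.
  token=$(printf '%s' "$domain" | tr -c 'A-Za-z0-9' '_' | cut -c1-32)
  arn=$(aws acm request-certificate --domain-name "$domain" \
          --validation-method DNS --idempotency-token "$token" \
          --query CertificateArn --output text)
  # The validation record is populated shortly after the request; poll for it.
  record=None
  for attempt in 1 2 3 4 5 6; do
    record=$(aws acm describe-certificate --certificate-arn "$arn" \
      --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Type,Value]' \
      --output text)
    [ "$record" != None ] && [ -n "$record" ] && break
    sleep 5
  done
  printf '%s\t%s\n' "$arn" "$record"
}

# Usage: ./acm_single_domain.sh www.cloudconformity.com images.cloudconformity.com
for host in "$@"; do
  request_single_domain_cert "$host"
done
```

Create the printed CNAME in the hosted zone for each host; ACM issues the certificate once it sees the record, and it can then replace the wildcard on the load balancer, CloudFront distribution or API endpoint that serves that one host.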
References
- AWS Documentation
- AWS Certificate Manager FAQs
- What Is AWS Certificate Manager?
- Concepts
- ACM Certificate Characteristics
- Request a Certificate
- Use DNS to Validate Domain Ownership
- Use Email to Validate Domain Ownership
- Importing Certificates into AWS Certificate Manager
- Manage ACM Certificates
- AWS Command Line Interface (CLI) Documentation
- acm
- list-certificates
- describe-certificate
- request-certificate