Use Custom SSL/TLS Certificates

Risk Level: Medium (should be achieved)

Ensure that your Amazon CloudFront distributions are configured to use a custom SSL/TLS certificate instead of the default one. This will allow you to use your own domain names instead of the CloudFront domain name (i.e. .cloudfront.net), ensuring secure communication over HTTPS with a personalized certificate.

This rule can help you work with the AWS Well-Architected Framework.

Security

To enable encrypt the communication between your CloudFront distribution and content viewers, an SSL/TLS certificate is required. By default, Amazon CloudFront provides an SSL/TLS certificate for distributions with domain names that end with .cloudfront.net. However, to enable your content viewers to access your content using HTTPS with your own domain names in the object URLs instead of using .cloudfront.net, you must replace the default SSL/TLS certificate with a custom one. Implementing a custom SSL/TLS certificate for your Amazon CloudFront distribution involves requesting or importing the certificate from Amazon Certificate Manager (ACM). This allows you to securely serve content with your specified domain names and ensure a seamless HTTPS experience for your content viewers.

Audit

To determine if your Amazon CloudFront distributions are configured to use a custom SSL/TLS certificate, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the ID (link) of the Amazon CloudFront distribution that you want to examine.

05 Select the General tab to access the general settings available for the selected distribution, and choose Edit from the Settings section.

06 On the Edit settings page, check the Custom SSL certificate - optional setting value to determine if the distribution is using a custom SSL/TLS certificate. If there is no certificate selected for Custom SSL certificate - optional, the selected Amazon CloudFront distribution is not configured to use a custom SSL/TLS certificate.

07 Repeat steps no. 4 – 6 for each CloudFront distribution available in your AWS cloud account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS cloud account:

aws cloudfront list-distributions
  --output table
  --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution ID(s):

--------------------
|ListDistributions |
+------------------+
|  AAAABBBBCCCCDD  |
|  ABCDABCDABCDAB  |
|  AABBCCDDAABBCC  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom query filters to determine the type of the SSL/TLS certificate configured for the selected distribution:

aws cloudfront get-distribution
  --region us-east-1
  --id AAAABBBBCCCCDD
  --query 'Distribution.DistributionConfig.ViewerCertificate.CloudFrontDefaultCertificate'

04 The command output should return the default certificate status (**true** for enabled, **false** for disabled):

true

If the get-distribution command output returns true, as shown in the example above, the selected Amazon CloudFront distribution is configured to use the default SSL/TLS certificate instead of a custom one.

05 Repeat steps no. 3 and 4 for each CloudFront distribution deployed within your AWS cloud account.

Remediation / Resolution

To configure a custom SSL/TLS certificate for your existing Amazon CloudFront distributions, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the ID (link) of the Amazon CloudFront distribution that you want to configure.

05 Select the General tab to access the general settings available for the selected distribution.

06 Choose Edit from the Settings section to modify the distribution configuration.

07 Ensure that your custom domain name is added to the Alternate domain name (CNAME) - optional list.

08 Select the custom SSL/TLS certificate that you want to use for your custom domain name from the Custom SSL certificate – optional dropdown list. You can also choose Request certificate to request or import a custom SSL/TLS certificate from Amazon Certificate Manager (ACM).

09 For Security policy, choose the latest (recommended) TLS security group provided by Amazon CloudFront.

10 Choose Save changes to apply the configuration changes.

11 Repeat steps no. 4 – 10 for each Amazon CloudFront distribution available in your AWS cloud account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to configure:

aws cloudfront get-distribution-config
  --id ABCDABCDABCDAB
  --query 'DistributionConfig'

02 The command output should return the requested configuration information:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "trendmicro.com",
				"DomainName": "trendmicro.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "trendmicro.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "trendmicro.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": true,
		"MinimumProtocolVersion": "TLSv1",
		"CertificateSource": "cloudfront"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"AliasICPRecordals": [
		{
			"CNAME": "trendmicro.com",
			"ICPRecordalStatus": "APPROVED"
		}
	],
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

03 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. ETag):

aws cloudfront get-distribution-config
  --id ABCDABCDABCDAB
  --query 'ETag'

04 The command output should return the requested information:

"AAAABBBBCCCCD"

05 Modify the configuration document returned at step no. 2 to add your custom SSL/TLS certificate to the distribution configuration. Save the document with the modified distribution configuration to a JSON file named custom-tls-certificate.json:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "index.html",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "trendmicro.com",
				"DomainName": "trendmicro.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "trendmicro.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "trendmicro.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": false,
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "sni-only",
		"MinimumProtocolVersion": "TLSv1.2_2021",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"AliasICPRecordals": [
		{
			"CNAME": "trendmicro.com",
			"ICPRecordalStatus": "APPROVED"
		}
	],
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. custom-tls-certificate.json) as the new distribution configuration document, to configure the custom SSL/TLS certificate for the selected Amazon CloudFront distribution. --if-match parameter represents the current version of the configuration, returned at step no. 4:

aws cloudfront update-distribution
  --id ABCDABCDABCDAB
  --if-match AAAABBBBCCCCD
  --distribution-config file://custom-tls-certificate.json
  --query 'Distribution.Status'

07 The command output should return the status of the modified CloudFront distribution:

"InProgress"

08 Repeat steps no. 1 – 7 for each Amazon CloudFront distribution deployed within your AWS cloud account.

References

AWS Command Line Interface (CLI) Documentation
list-distributions
get-distribution
get-distribution-config
update-distribution

Publication date Aug 31, 2023

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Use Custom SSL/TLS Certificates

Risk Level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules