AWS ACM Certificate with Wildcard Domain Name
- Contextual name: Certificate with Wildcard Domain Name
- ID:
/ce/ca/aws/acm/certificate-with-wildcard-domain-name
- Located in: AWS ACM
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type:
COMPLIANCE_POLICY
- Policy Category:
SECURITY
Similar Policies
- Internal
dec-x-d25f7dfa
Similar Internal Rules
Rule | Policies | Flags |
---|---|---|
dec-x-d25f7dfa | 1 | |
Logic
- prod.logic.yaml
Description
Use single-domain AWS ACM certificates rather than wildcard certificates. A single-domain certificate carries its own private key for one domain or subdomain, so the impact of a key compromise is limited to that one name.
Rationale
A wildcard such as *.example.com matches any single-label hostname under that domain (api.example.com and www.example.com, but not example.com itself and not a.b.example.com), including hostnames that may not be actively managed or monitored. That broad coverage turns one private key into a shared secret: if it is compromised, an attacker holding the key can impersonate every subdomain served with the certificate until it is revoked and replaced, exposing sensitive data and services behind all of them. The same key material is also used by every listener or host that serves a covered name, so rotating or revoking it means touching all of them at once, an operational burden that grows with the size of the environment.
Keeping each hostname on its own single-domain certificate minimizes the attack surface and improves security posture. It also gives more granular control: an individual certificate can be revoked, rotated or retired without affecting every other subdomain that a wildcard would have covered.
Remediation
From Command Line
Before deleting the wildcard, issue single-domain certificates for every hostname it actually serves and attach them to the load balancers, CloudFront distributions or API Gateway stages that currently reference it. ACM refuses to delete a certificate that is still associated with a resource (the API returns ResourceInUseException); the InUseBy field returned by describe-certificate lists those associations. Once InUseBy is empty, run the following command to remove the wildcard certificate:
aws acm delete-certificate --certificate-arn {{certificateARN}}
Replace {{certificateARN}} with the ARN of the wildcard certificate you want to remove.
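The triage that precedes the delete command, as an added example that is not part of the Cloudaware page or of AWS tooling: it flags wildcard names in a certificate record, applies the one-label matching rule to a hostname inventory to list the single-domain certificates that would replace the wildcard, and reports whether delete-certificate can run yet (InUseBy empty) or must wait. It consumes the JSON shape that `aws acm describe-certificate` returns under the "Certificate" key; the certificate records, hostname inventory and ARNs below are constructed.

```python
"""Triage ACM certificate records for the wildcard check.

Added example, not from the Cloudaware page or from AWS. Works on the JSON
shape returned by `aws acm describe-certificate` (Certificate.DomainName,
Certificate.SubjectAlternativeNames, Certificate.InUseBy). The records and
the hostname inventory below are constructed; the ARNs are made up.
"""
import json
import subprocess


def is_wildcard_name(name: str) -> bool:
    """ACM accepts the asterisk only as the leftmost label, so '*.' is the check."""
    return name.startswith("*.")


def cert_names(cert: dict) -> list[str]:
    """DomainName plus SubjectAlternativeNames, de-duplicated, order preserved."""
    names = [cert["DomainName"], *cert.get("SubjectAlternativeNames", [])]
    return list(dict.fromkeys(names))


def wildcard_names(cert: dict) -> list[str]:
    return [n for n in cert_names(cert) if is_wildcard_name(n)]


def wildcard_covers(wildcard: str, hostname: str) -> bool:
    """One-label rule (RFC 6125 section 6.4.3, CA/Browser Forum practice): '*'
    stands for exactly one DNS label, so *.example.com covers api.example.com
    but neither example.com nor a.b.example.com."""
    if not is_wildcard_name(wildcard):
        return False
    suffix = wildcard[1:].lower()            # ".example.com"
    host = hostname.lower().rstrip(".")      # tolerate a trailing dot
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]          # the part the '*' has to stand for
    return bool(leftmost) and "." not in leftmost


def plan_remediation(cert: dict, inventory: list[str]) -> dict:
    """Decide what to do with one certificate record.

    keep                - no wildcard names
    delete              - wildcard with empty InUseBy: delete-certificate will succeed
    replace-then-delete - wildcard still attached to resources; ACM would reject the
                          delete with ResourceInUseException, so issue the per-host
                          certificates in replacement_hosts and re-point those
                          resources first
    """
    arn = cert["CertificateArn"]
    wilds = wildcard_names(cert)
    if not wilds:
        return {"arn": arn, "action": "keep"}
    hosts = sorted({h for h in inventory if any(wildcard_covers(w, h) for w in wilds)})
    in_use = cert.get("InUseBy", [])
    return {
        "arn": arn,
        "action": "replace-then-delete" if in_use else "delete",
        "wildcards": wilds,
        "replacement_hosts": hosts,
        "in_use_by": in_use,
    }


def fetch_certificate(arn: str) -> dict:
    """Live variant: shell out to the AWS CLI (needs credentials; not used below)."""
    out = subprocess.check_output(
        ["aws", "acm", "describe-certificate", "--certificate-arn", arn, "--output", "json"]
    )
    return json.loads(out)["Certificate"]


# Constructed sample: what describe-certificate might return for three certificates.
SAMPLE_CERTS = [
    {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": ["*.example.com", "example.com"],
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"],
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222",
        "DomainName": "*.internal.example.com",
        "SubjectAlternativeNames": ["*.internal.example.com"],
        "InUseBy": [],
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/33333333-3333-3333-3333-333333333333",
        "DomainName": "legacy.example.org",
        "SubjectAlternativeNames": ["legacy.example.org"],
        "InUseBy": [],
    },
]

# Constructed hostname inventory (what DNS or the CMDB says is actually served).
INVENTORY = ["example.com", "api.example.com", "www.example.com",
             "dev.internal.example.com", "a.b.example.com", "legacy.example.org"]


if __name__ == "__main__":
    for record in SAMPLE_CERTS:
        print(json.dumps(plan_remediation(record, INVENTORY), indent=2))
```

The hostname inventory is the part ACM cannot give you: a wildcard certificate does not record which names it is actually serving, so the replacement list has to come from DNS or an asset inventory. Feed `fetch_certificate` the ARNs from `aws acm list-certificates` to run the same triage against a live account.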
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
Cloudaware Framework → Cryptographic Configuration | 8 | | | |
NIST SP 800-53 Revision 5 → AC-4(2) Information Flow Enforcement _ Processing Domains | 25 | 27 | | |