Skip to main content

πŸ›‘οΈ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟒

  • Contextual name: πŸ›‘οΈ Web Distribution uses default SSL/TLS certificate🟒
  • ID: /ce/ca/aws/cloudfront/distribution-uses-default-certificate
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-4efd073e1

Description​

Open File

Description​

This policy checks that an AWS CloudFront Web Distribution is configured to use a custom SSL/TLS certificate.

A custom SSL/TLS certificate allows you to serve your content over HTTPS using your own domain name in the URL, rather than the default *.cloudfront.net domain name assigned to your distribution.

Rationale​

Deploying a custom SSL/TLS certificate and alternate CNAME ensures that end users see your organization’s domain in the browser’s address bar. This provides clear assurance that the connection to your application is encrypted and authenticated.

Impact​

It may incur additional fees for certificate procurement and renewal if not using a free ACM certificate.

You must create the appropriate CNAME records in your DNS zone to map your custom domain to the CloudFront distribution’s domain. Misconfigured DNS entries can lead to service interruptions or SSL validation failures.

Audit​

This policy flags an AWS CloudFront Web Distribution as INCOMPLIANT if the Viewer Certificate CloudFront Default checkbox is true.

Remediation​

Open File

Remediation​

From Console​

Prerequisites​

Before updating your CloudFront distribution to include an alternate domain name, complete the following:

  • Register the desired domain name with Amazon RouteΒ 53 or a third‑party registrar.
  • Get a valid TLS certificate from an approved Certificate Authority (CA) that covers your domain. Add the certificate to your distribution to validate that you are authorized to use the domain.
Add an Alternate Domain Name​
  1. Select your domain in the AWS Console and click Add Domain on the General tab.
  2. Enter up to five alternate domain names (CNAMEs).
  3. Under TLS Certificate, choose an existing ACM certificate or automatically or manually create a new certificate in ACM.
  4. Validate certificate ownership:
    • Update your DNS provider’s records with the CNAME entries displayed in the CloudFront console to demonstrate domain ownership.
    • click Validate Certificate in the console.
  5. Upon successful validation, click Next, review your configuration, and then choose Add Domains.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates11no data
πŸ’Ό AWS Well-Architected β†’ πŸ’Ό SEC09-BP03 Authenticate network communications3no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption66no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration54no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23795no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)20no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)112no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)41no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1823no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)822no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1640no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)719no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)12no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)123no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)22no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)40no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)179no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)20no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)12no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)41no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)123no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)22no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)40no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)19no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events162no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained81no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected173no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected149no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected169no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage112no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement3269110no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1220no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IA-5(1) Authenticator Management _ Password-based Authentication12no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services41no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity5823no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection821no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling14no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys9no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection429no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23 Session Authenticity513no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers12no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection25no data
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.1 Change default administrative passwords11no data