Skip to main content

πŸ›‘οΈ AWS CloudFront Web Distribution uses default SSL/TLS certificate🟒

  • Contextual name: πŸ›‘οΈ Web Distribution uses default SSL/TLS certificate🟒
  • ID: /ce/ca/aws/cloudfront/distribution-uses-default-certificate
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-4efd073e1

Description​

Open File

Description​

This policy checks that an AWS CloudFront Web Distribution is configured to use a custom SSL/TLS certificate.

A custom SSL/TLS certificate allows you to serve your content over HTTPS using your own domain name in the URL, rather than the default *.cloudfront.net domain name assigned to your distribution.

Rationale​

Deploying a custom SSL/TLS certificate and alternate CNAME ensures that end users see your organization’s domain in the browser’s address bar. This provides clear assurance that the connection to your application is encrypted and authenticated.

Impact​

It may incur additional fees for certificate procurement and renewal if not using a free ACM certificate.

You must create the appropriate CNAME records in your DNS zone to map your custom domain to the CloudFront distribution’s domain. Misconfigured DNS entries can lead to service interruptions or SSL validation failures.

Audit​

This policy flags an AWS CloudFront Web Distribution as INCOMPLIANT if the Viewer Certificate CloudFront Default checkbox is true.

Remediation​

Open File

Remediation​

From Console​

Prerequisites​

Before updating your CloudFront distribution to include an alternate domain name, complete the following:

  • Register the desired domain name with Amazon RouteΒ 53 or a third‑party registrar.
  • Get a valid TLS certificate from an approved Certificate Authority (CA) that covers your domain. Add the certificate to your distribution to validate that you are authorized to use the domain.
Add an Alternate Domain Name​
  1. Select your domain in the AWS Console and click Add Domain on the General tab.
  2. Enter up to five alternate domain names (CNAMEs).
  3. Under TLS Certificate, choose an existing ACM certificate or automatically or manually create a new certificate in ACM.
  4. Validate certificate ownership:
    • Update your DNS provider’s records with the CNAME entries displayed in the CloudFront console to demonstrate domain ownership.
    • click Validate Certificate in the console.
  5. Upon successful validation, click Next, review your configuration, and then choose Add Domains.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates11no data
πŸ’Ό AWS Well-Architected β†’ πŸ’Ό SEC09-BP03 Authenticate network communications3no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption57no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration45no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23789no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)18no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)19no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)35no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1820no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)819no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1634no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)716no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)9no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)120no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)19no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)34no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)173no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)18no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)9no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)35no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)120no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)19no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)34no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)16no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events149no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained76no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected164no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected140no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected156no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage103no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326999no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1218no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IA-5(1) Authenticator Management _ Password-based Authentication9no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services35no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity5819no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection818no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling10no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys7no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection423no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23 Session Authenticity510no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers9no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection20no data
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.1 Change default administrative passwords11no data