Skip to main content

πŸ“ AWS CloudFront Web Distribution uses default SSL/TLS certificate 🟒

  • Contextual name: πŸ“ Web Distribution uses default SSL/TLS certificate 🟒
  • ID: /ce/ca/aws/cloudfront/distribution-uses-default-certificate
  • Located in: πŸ“ AWS CloudFront

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-4efd073e1

Logic​

Description​

Open File

Description​

This policy checks that an AWS CloudFront Web Distribution is configured to use a custom SSL/TLS certificate.

A custom SSL/TLS certificate allows you to serve your content over HTTPS using your own domain name in the URL, rather than the default *.cloudfront.net domain name assigned to your distribution.

Rationale​

Deploying a custom SSL/TLS certificate and alternate CNAME ensures that end users see your organization’s domain in the browser’s address bar. This provides clear assurance that the connection to your application is encrypted and authenticated.

Impact​

It may incur additional fees for certificate procurement and renewal if not using a free ACM certificate.

You must create the appropriate CNAME records in your DNS zone to map your custom domain to the CloudFront distribution’s domain. Misconfigured DNS entries can lead to service interruptions or SSL validation failures.

Audit​

This policy flags an AWS CloudFront Web Distribution as INCOMPLIANT if the Viewer Certificate CloudFront Default checkbox is true.

Remediation​

Open File

Remediation​

From Console​

Prerequisites​

Before updating your CloudFront distribution to include an alternate domain name, complete the following:

  • Register the desired domain name with Amazon RouteΒ 53 or a third‑party registrar.
  • Get a valid TLS certificate from an approved Certificate Authority (CA) that covers your domain. Add the certificate to your distribution to validate that you are authorized to use the domain.
Add an Alternate Domain Name​
  1. Select your domain in the AWS Console and click Add Domain on the General tab.
  2. Enter up to five alternate domain names (CNAMEs).
  3. Under TLS Certificate, choose an existing ACM certificate or automatically or manually create a new certificate in ACM.
  4. Validate certificate ownership:
    • Update your DNS provider’s records with the CNAME entries displayed in the CloudFront console to demonstrate domain ownership.
    • click Validate Certificate in the console.
  5. Upon successful validation, click Next, review your configuration, and then choose Add Domains.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption36
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration29
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23471
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)18
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)22
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1816
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)815
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1621
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)712
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)8
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)116
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)15
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)21
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)157
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)17
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)8
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)22
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)116
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)15
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)21
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)12
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events129
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained43
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected107
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected102
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage63
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326480
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1217
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IA-5(1) Authenticator Management _ Password-based Authentication8
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services22
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity5815
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection814
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection410
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23 Session Authenticity56
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers5
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection10
πŸ’Ό UK Cyber Essentials β†’ πŸ’Ό 1.1 Change default administrative passwords11