Vulnerable Default SSL Certificate

• Query id: fb8f8929-afeb-4c46-99f0-a6cf410f7df4
• Query name: Vulnerable Default SSL Certificate
• Platform: Ansible
• Severity: High
• Category: Insecure Defaults
• URL: Github

Description

CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file

- name: create a basic distribution with defaults, tags and default SSL certificate
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    viewer_certificate:
      cloudfront_default_certificate: true
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'
- name: create a basic distribution with defaults, tags and misconfigured custom SSL certificate
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    viewer_certificate:
      acm_certificate_arn: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: create a basic distribution with defaults, tags and custom SSL certificate
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    viewer_certificate:
      acm_certificate_arn: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012
      ssl_support_method: sni-only
      minimum_protocol_version: TLS1.2_2018
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'