Vulnerable Default SSL Certificate
- Query id: fb8f8929-afeb-4c46-99f0-a6cf410f7df4
- Query name: Vulnerable Default SSL Certificate
- Platform: Ansible
- Severity: High
- Category: Insecure Defaults
- URL: Github
Description
CloudFront web distributions should use a custom SSL certificate rather than the default CloudFront certificate. A custom certificate lets the distribution serve content under an alternate domain name that you control instead of the default `*.cloudfront.net` name, so clients can validate that they are talking to your domain. As the samples below show, referencing a custom certificate is only the first step: `ssl_support_method` and `minimum_protocol_version` should be set explicitly as well, otherwise CloudFront falls back to its own defaults for how the certificate is served and which TLS versions are accepted.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
- name: create a basic distribution with defaults, tags and default SSL certificate
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    viewer_certificate:
      cloudfront_default_certificate: true
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'

- name: create a basic distribution with defaults, tags and misconfigured custom SSL certificate
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    viewer_certificate:
      acm_certificate_arn: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
- name: create a basic distribution with defaults, tags and custom SSL certificate
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    viewer_certificate:
      acm_certificate_arn: arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012
      ssl_support_method: sni-only
      minimum_protocol_version: TLS1.2_2018
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'
```
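The following is an added example, not part of the KICS query or of the `community.aws` collection, showing the check the samples above imply as a small Python script. The three tasks are constructed inline as the Python structures `yaml.safe_load` would return for the playbook samples on this page, so the script runs offline without PyYAML; the rule logic (flag `cloudfront_default_certificate: true`, a missing certificate reference, or a custom certificate without `ssl_support_method` and `minimum_protocol_version`) is an interpretation of the positive and negative samples, not the query's own source, and the `cloudfront_distribution` short module name is accepted as an assumption.

```python
"""Flag Ansible CloudFront tasks that rely on the default *.cloudfront.net
certificate or reference a custom certificate without its TLS settings.

Added example for this page; not KICS or community.aws code. Tasks below are
constructed inline in the shape yaml.safe_load would produce for the samples.
"""

# Fully qualified name from the page, plus the short form as an assumption.
CLOUDFRONT_MODULES = ("community.aws.cloudfront_distribution", "cloudfront_distribution")
# Keys the negative sample sets alongside the custom certificate reference.
REQUIRED_CUSTOM_KEYS = ("ssl_support_method", "minimum_protocol_version")
TRUTHY = (True, "true", "yes")   # YAML booleans and Ansible-style string flags


def check_viewer_certificate(task):
    """Return a list of findings for one task; an empty list means compliant.

    Tasks that do not use the CloudFront distribution module are ignored, as are
    tasks that delete a distribution (state: absent).
    """
    module_name = next((m for m in CLOUDFRONT_MODULES if m in task), None)
    if module_name is None:
        return []
    params = task[module_name] or {}
    if params.get("state") == "absent":
        return []
    cert = params.get("viewer_certificate")
    if not cert:
        return ["viewer_certificate not set: distribution uses the default CloudFront certificate"]
    if cert.get("cloudfront_default_certificate") in TRUTHY:
        return ["cloudfront_default_certificate is true: default *.cloudfront.net certificate in use"]
    findings = []
    if not (cert.get("acm_certificate_arn") or cert.get("iam_certificate_id")):
        findings.append("no acm_certificate_arn or iam_certificate_id configured")
    for key in REQUIRED_CUSTOM_KEYS:
        if key not in cert:
            findings.append(f"{key} not set for the custom certificate")
    return findings


def scan_playbook(tasks):
    """Map each non-compliant task name to its findings."""
    report = {}
    for task in tasks:
        findings = check_viewer_certificate(task)
        if findings:
            report[task.get("name", "<unnamed task>")] = findings
    return report


# Constructed sample input: the two positive samples and the negative sample.
_TAGS = {"Name": "example distribution", "Project": "example project", "Priority": "1"}
_ARN = "arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012"
SAMPLE_TASKS = [
    {
        "name": "default SSL certificate",
        "community.aws.cloudfront_distribution": {
            "state": "present",
            "default_origin_domain_name": "www.my-cloudfront-origin.com",
            "viewer_certificate": {"cloudfront_default_certificate": True},
            "tags": _TAGS,
        },
    },
    {
        "name": "misconfigured custom SSL certificate",
        "community.aws.cloudfront_distribution": {
            "state": "present",
            "default_origin_domain_name": "www.my-cloudfront-origin.com",
            "viewer_certificate": {"acm_certificate_arn": _ARN},
            "tags": _TAGS,
        },
    },
    {
        "name": "custom SSL certificate",
        "community.aws.cloudfront_distribution": {
            "state": "present",
            "default_origin_domain_name": "www.my-cloudfront-origin.com",
            "viewer_certificate": {
                "acm_certificate_arn": _ARN,
                "ssl_support_method": "sni-only",
                "minimum_protocol_version": "TLS1.2_2018",
            },
            "tags": _TAGS,
        },
    },
]

if __name__ == "__main__":
    for name, findings in scan_playbook(SAMPLE_TASKS).items():
        print(f"[HIGH] {name}")
        for finding in findings:
            print(f"    - {finding}")
```

Running the script reports the first two sample tasks and stays silent on the third. To use it on a real playbook, replace `SAMPLE_TASKS` with the task list from `yaml.safe_load` of the playbook file.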