Vulnerable Default SSL Certificate
- Query id: b4d9c12b-bfba-4aeb-9cb8-2358546d8041
- Query name: Vulnerable Default SSL Certificate
- Platform: CloudFormation
- Severity: High
- Category: Insecure Defaults
- URL: Github
Description¶
CloudFront web distributions should use custom (and not default) SSL certificates. Custom SSL certificates allow only defined users to access content by using an alternate domain name instead of the default one.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
myDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
ViewerCertificate:
AcmCertificateArn: arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
Positive test num. 2 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
myDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
ViewerCertificate:
CloudfrontDefaultCertificate: true
Positive test num. 3 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"ViewerCertificate": {
"AcmCertificateArn": "arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
}
}
}
}
}
Positive test num. 4 - json file
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
myDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
ViewerCertificate:
AcmCertificateArn: arn:aws:autoscaling:us-west-2:123456789012:autoScalingGroup:a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
MinimumProtocolVersion: TLS1.2_2019
SslSupportMethod: sni_only
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"myDistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"ViewerCertificate": {
"AcmCertificateArn": "some arn",
"MinimumProtocolVersion": "TLS1.2_2019",
"SslSupportMethod": "sni_only"
}
}
}
}
}
}