Wildcard In ACM Certificate Domain Name
- Query id: cc8b294f-006f-4f8f-b5bb-0a9140c33131
- Query name: Wildcard In ACM Certificate Domain Name
- Platform: CloudFormation
- Severity: Low
- Category: Insecure Configurations
- CWE: 155
- URL: Github
Description¶
ACM Certificate should not use wildcards (*) in the domain name
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
DomainName:
Description: "Domain for which you are requesting a cert"
Type: String
Default: example.com #Put your own domain name here
HostedZoneId:
Description: "hosted zone id in which CNAME record for the validation needs to be added"
Type: String
Default: XYZABCDERYH #Put the hosted zone id in which CNAME record for the validation needs to be added
Resources:
Certificate:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: "*"
DomainValidationOptions:
- DomainName: !Ref DomainName
HostedZoneId: !Ref HostedZoneId
ValidationMethod: 'DNS'
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"HostedZoneId": {
"Type": "String",
"Default": "XYZABCDERYH",
"Description": "hosted zone id in which CNAME record for the validation needs to be added"
},
"DomainName": {
"Description": "Domain for which you are requesting a cert",
"Type": "String",
"Default": "example.com"
}
},
"Resources": {
"Certificate": {
"Type": "AWS::CertificateManager::Certificate",
"Properties": {
"DomainName": "*",
"DomainValidationOptions": [
{
"DomainName": "DomainName",
"HostedZoneId": "HostedZoneId"
}
],
"ValidationMethod": "DNS"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
DomainName:
Description: "Domain for which you are requesting a cert"
Type: String
Default: example.com #Put your own domain name here
HostedZoneId:
Description: "hosted zone id in which CNAME record for the validation needs to be added"
Type: String
Default: XYZABCDERYH #Put the hosted zone id in which CNAME record for the validation needs to be added
Resources:
Certificate:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: CMDomain
DomainValidationOptions:
- DomainName: !Ref DomainName
HostedZoneId: !Ref HostedZoneId
ValidationMethod: 'DNS'
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Parameters": {
"DomainName": {
"Type": "String",
"Default": "example.com",
"Description": "Domain for which you are requesting a cert"
},
"HostedZoneId": {
"Description": "hosted zone id in which CNAME record for the validation needs to be added",
"Type": "String",
"Default": "XYZABCDERYH"
}
},
"Resources": {
"Certificate": {
"Type": "AWS::CertificateManager::Certificate",
"Properties": {
"DomainName": "CMDomain",
"DomainValidationOptions": [
{
"HostedZoneId": "HostedZoneId",
"DomainName": "DomainName"
}
],
"ValidationMethod": "DNS"
}
}
}
}