Ensure AWS ACM certificates have logging preference

Error: AWS ACM certificate does not have logging preference

Bridgecrew Policy ID: BC_AWS_GENERAL_173
Checkov Check ID: CKV_AWS_234
Severity: LOW

Description

To guard against SSL/TLS certificates that are issued by mistake or by a compromised CA, some browsers, such as Chrome, require that public certificates issued for a domain be recorded in a certificate transparency log. Only the certificate (including the domain name) is recorded, never the private key. Certificates that are not logged typically generate an error in the browser.

Fix - Runtime

Console

It is not possible to adjust transparency logging via the console.

CLI

aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS \
  --options CertificateTransparencyLoggingPreference=ENABLED
Fix - Buildtime

CloudFormation

Resources:
  Example:
    Type: "AWS::CertificateManager::Certificate"
    Properties:
      DomainName: example.com
      ValidationMethod: DNS
+     CertificateTransparencyLoggingPreference: ENABLED

Terraform

resource "aws_acm_certificate" "example" {
  domain_name       = "example.com"
  validation_method = "DNS"

+ options {
+   certificate_transparency_logging_preference = "ENABLED"
+ }
}
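The buildtime fixes above add one setting to each template. The check that flags its absence can be expressed as a small evaluator over the parsed resource configuration. The following is an added illustration, not Checkov's own implementation of CKV_AWS_234: it assumes resources have already been parsed into Python dicts (for Terraform, the shape an HCL parser such as Checkov's produces, where scalar attributes are wrapped in single-element lists and nested blocks are lists of dicts; for CloudFormation, the plain `Resources` map of a loaded template). A missing setting is treated as a failure, as the page's fix implies, and only `ENABLED` passes. The sample inputs are constructed to mirror the before/after snippets on this page.

```python
"""Evaluate parsed ACM certificate resources for the certificate
transparency logging setting this page describes.

Added illustration, not Checkov's own check implementation. It operates on
resource configuration already parsed into dicts (assumed shapes documented
on each function), not on raw HCL or YAML text.
"""
from typing import Any, Dict, Mapping, Sequence

PASSED = "PASSED"
FAILED = "FAILED"
EXPECTED = "ENABLED"  # the only value that satisfies the check


def check_terraform(conf: Mapping[str, Any]) -> str:
    """Check one aws_acm_certificate block.

    Assumed parser shape: scalar attributes are single-element lists and
    nested blocks are lists of dicts, so the setting lives at
    conf["options"][0]["certificate_transparency_logging_preference"][0].
    A missing options block or setting fails.
    """
    options = conf.get("options")
    if not isinstance(options, Sequence) or isinstance(options, str) or not options:
        return FAILED
    block = options[0]
    if not isinstance(block, Mapping):
        return FAILED
    value = block.get("certificate_transparency_logging_preference")
    # Unwrap the single-element list the parser produces for scalars.
    if isinstance(value, Sequence) and not isinstance(value, str):
        value = value[0] if value else None
    return PASSED if value == EXPECTED else FAILED


def scan_cloudformation(resources: Mapping[str, Mapping[str, Any]]) -> Dict[str, str]:
    """Return {logical_id: result} for every ACM certificate in a template's
    Resources map. Other resource types are out of scope and skipped.
    The setting is a plain string directly under Properties."""
    results: Dict[str, str] = {}
    for logical_id, resource in resources.items():
        if resource.get("Type") != "AWS::CertificateManager::Certificate":
            continue
        props = resource.get("Properties") or {}
        value = props.get("CertificateTransparencyLoggingPreference")
        results[logical_id] = PASSED if value == EXPECTED else FAILED
    return results


# Constructed samples mirroring the page's before/after snippets.
TF_BEFORE = {"domain_name": ["example.com"], "validation_method": ["DNS"]}
TF_AFTER = {
    "domain_name": ["example.com"],
    "validation_method": ["DNS"],
    "options": [{"certificate_transparency_logging_preference": ["ENABLED"]}],
}
TF_DISABLED = {
    "domain_name": ["example.com"],
    "validation_method": ["DNS"],
    "options": [{"certificate_transparency_logging_preference": ["DISABLED"]}],
}
CFN_RESOURCES = {
    "Before": {
        "Type": "AWS::CertificateManager::Certificate",
        "Properties": {"DomainName": "example.com", "ValidationMethod": "DNS"},
    },
    "After": {
        "Type": "AWS::CertificateManager::Certificate",
        "Properties": {
            "DomainName": "example.com",
            "ValidationMethod": "DNS",
            "CertificateTransparencyLoggingPreference": "ENABLED",
        },
    },
    # Out-of-scope resource type: must be skipped, not failed.
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {}},
}

if __name__ == "__main__":
    print("terraform before:", check_terraform(TF_BEFORE))
    print("terraform after: ", check_terraform(TF_AFTER))
    print("cloudformation:  ", scan_cloudformation(CFN_RESOURCES))
```

Because an explicit `DISABLED` fails in the same way as an absent setting, the evaluator distinguishes the fixed template from both the original snippet and a template that turns logging off on purpose, which is the distinction a policy review needs.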