Ensure AWS ACM certificates have logging preference
Error: AWS ACM certificate does not have logging preference
Bridgecrew Policy ID: BC_AWS_GENERAL_173
Checkov Check ID: CKV_AWS_234
Severity: LOW
Description
To guard against SSL/TLS certificates that are issued by mistake or by a compromised CA, browsers such as Chrome require that publicly trusted certificates be recorded in a Certificate Transparency (CT) log. Only the certificate itself (including the domain names it covers) is published to the log, never the private key. A public certificate that is not logged is rejected by such browsers with a certificate error. ACM logs the public certificates it issues by default; the CertificateTransparencyLoggingPreference option lets you opt out with DISABLED, and an explicit opt-out is what this check flags. Keep the preference at ENABLED unless you have a specific reason to keep a hostname out of the public logs. The setting applies only to public certificates issued by ACM: private CA and imported certificates are not CT-logged by ACM.
Fix - Runtime
Console
It is not possible to adjust transparency logging via console.
CLI
Request a new certificate with transparency logging enabled:
aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS \
  --options CertificateTransparencyLoggingPreference=ENABLED
For a certificate that already exists, change the preference with aws acm update-certificate-options, passing the certificate ARN and the same --options value.
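The CLI above fixes one certificate at a time. The following script, an added example that is neither the Bridgecrew page's nor Checkov's own code, audits every ACM certificate in a region for the opt-out this policy flags and re-enables logging on them through UpdateCertificateOptions. It assumes boto3 is installed and credentials with acm:ListCertificates, acm:DescribeCertificate and acm:UpdateCertificateOptions are configured; the sample payloads and ARNs are constructed for illustration. The classification logic treats a missing preference as ENABLED (the ACM default) and skips imported and private CA certificates, which ACM does not CT-log.

```python
"""Runtime audit of ACM certificate transparency (CT) logging.

The classification functions are pure (no AWS calls) so they run on the
constructed sample below; the remediation loop needs boto3 and AWS
credentials and only runs when this file is executed directly with --live.
"""
from __future__ import annotations

ENABLED = "ENABLED"
DISABLED = "DISABLED"
CT_KEY = "CertificateTransparencyLoggingPreference"


def ct_logging_preference(certificate: dict) -> str:
    """Effective CT logging preference of a describe-certificate 'Certificate' payload.

    ACM logs new public certificates by default, so a missing Options block
    (or a missing preference key) is treated as ENABLED.
    """
    options = certificate.get("Options") or {}
    return options.get(CT_KEY, ENABLED)


def needs_remediation(certificate: dict) -> bool:
    """True when an ACM-issued public certificate has opted out of CT logging.

    Only certificates ACM issued itself (Type == AMAZON_ISSUED) are CT-logged
    by ACM and accept UpdateCertificateOptions; imported (IMPORTED) and
    private CA (PRIVATE) certificates are out of scope for this policy.
    """
    if certificate.get("Type") != "AMAZON_ISSUED":
        return False
    return ct_logging_preference(certificate) == DISABLED


def classify(certificates: list[dict]) -> dict[str, list[str]]:
    """Bucket 'Certificate' payloads by ARN into remediate / compliant / skipped."""
    buckets: dict[str, list[str]] = {"remediate": [], "compliant": [], "skipped": []}
    for cert in certificates:
        arn = cert["CertificateArn"]
        if cert.get("Type") != "AMAZON_ISSUED":
            buckets["skipped"].append(arn)
        elif needs_remediation(cert):
            buckets["remediate"].append(arn)
        else:
            buckets["compliant"].append(arn)
    return buckets


# Constructed sample payloads, trimmed to the fields used; the ARNs are made up.
SAMPLE_CERTIFICATES = [
    {  # explicit opt-out: the finding this policy is about
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0000-optout",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "Options": {CT_KEY: DISABLED},
    },
    {  # explicitly enabled
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0000-enabled",
        "DomainName": "api.example.com",
        "Type": "AMAZON_ISSUED",
        "Options": {CT_KEY: ENABLED},
    },
    {  # no Options block: the ACM default (logged) applies
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0000-default",
        "DomainName": "example.com",
        "Type": "AMAZON_ISSUED",
    },
    {  # imported certificate: logging was the issuing CA's decision, not ACM's
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/0000-imported",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
    },
]


def remediate(region_name: str | None = None, dry_run: bool = True) -> list[str]:
    """Re-enable CT logging on every opted-out ACM-issued certificate in a region.

    Returns the ARNs that were updated (or, with dry_run=True, would be).
    boto3 is imported here so the pure functions above work without it.
    """
    import boto3  # assumed installed and configured with ACM read/update permissions

    acm = boto3.client("acm", region_name=region_name)
    # list_certificates defaults to RSA_2048 certificates only; ask for every key type.
    key_types = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
                 "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]
    updated: list[str] = []
    for page in acm.get_paginator("list_certificates").paginate(Includes={"keyTypes": key_types}):
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            cert = acm.describe_certificate(CertificateArn=arn)["Certificate"]
            if not needs_remediation(cert):
                continue
            if not dry_run:
                acm.update_certificate_options(CertificateArn=arn, Options={CT_KEY: ENABLED})
            updated.append(arn)
    return updated


if __name__ == "__main__":
    import sys

    print(classify(SAMPLE_CERTIFICATES))
    if "--live" in sys.argv:  # talks to AWS; add --apply to actually update
        for arn in remediate(dry_run="--apply" not in sys.argv):
            print("opted out of CT logging:", arn)
```

Run the file without arguments to see the sample classified; `--live` lists the opted-out certificates in the configured region without changing them, and `--live --apply` re-enables logging on them.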
Fix - Buildtime
CloudFormation
Resources:
  Example:
    Type: "AWS::CertificateManager::Certificate"
    Properties:
      DomainName: example.com
      ValidationMethod: DNS
+     CertificateTransparencyLoggingPreference: ENABLED
Terraform
resource "aws_acm_certificate" "example" {
  domain_name       = "example.com"
  validation_method = "DNS"
+ options {
+   certificate_transparency_logging_preference = "ENABLED"
+ }
}