Ensure AWS CloudFront distribution uses custom SSL certificate

Error: AWS CloudFront web distribution with default SSL certificate

Bridgecrew Policy ID: BC_AWS_NETWORKING_79
Checkov Check ID: CKV2_AWS_42
Severity: MEDIUM

AWS CloudFront web distribution with default SSL certificate

Description

This policy identifies CloudFront web distributions that use the default SSL certificate to serve CloudFront content. It is a best practice to use a custom SSL certificate to serve CloudFront content, as it gives you full control over the content data. A custom SSL certificate also allows your users to access your content by using an alternate domain name. You can use a certificate stored in AWS Certificate Manager (ACM) or a certificate stored in IAM.

Fix - Buildtime

Terraform

resource "aws_cloudfront_distribution" "pass_1" {
  enabled = true

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "primaryS3" # must match an origin_id declared above
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Custom certificate held in ACM (placeholder ARN) instead of the default *.cloudfront.net certificate
    acm_certificate_arn      = "aaaaa"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
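As an added example, not part of this policy page and not Checkov's own implementation, the following Python evaluator applies the policy's decision rule (a viewer_certificate block that references an ACM or IAM certificate passes; the default certificate or a missing block fails) to aws_cloudfront_distribution resources parsed into dicts. The resource dicts are constructed inline in the shape python-hcl2 produces for a .tf file, and the certificate ARN and IAM certificate id in them are placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    resource: str
    passed: bool
    reason: str


def _first_block(resource: dict, name: str):
    """Nested Terraform blocks come back from python-hcl2 as a list of dicts;
    return the first one, or None when the block is absent."""
    blocks = resource.get(name)
    if isinstance(blocks, list):
        return blocks[0] if blocks and isinstance(blocks[0], dict) else None
    return blocks if isinstance(blocks, dict) else None


def check_custom_certificate(name: str, resource: dict) -> Finding:
    """Decision rule modelled on CKV2_AWS_42: the distribution must carry a
    viewer_certificate block that references a certificate from ACM
    (acm_certificate_arn) or IAM (iam_certificate_id); anything else means
    the shared *.cloudfront.net default certificate is served to viewers."""
    cert = _first_block(resource, "viewer_certificate")
    if cert is None:
        return Finding(name, False, "no viewer_certificate block; default certificate in use")
    if cert.get("cloudfront_default_certificate") is True:
        return Finding(name, False, "cloudfront_default_certificate = true")
    if cert.get("acm_certificate_arn") or cert.get("iam_certificate_id"):
        return Finding(name, True, "custom certificate referenced")
    return Finding(name, False, "neither acm_certificate_arn nor iam_certificate_id set")


def scan(distributions: dict) -> list:
    """Evaluate every aws_cloudfront_distribution and return the failing findings."""
    findings = [check_custom_certificate(n, r) for n, r in distributions.items()]
    return [f for f in findings if not f.passed]


# Constructed sample input (hand-written in python-hcl2 shape); placeholder identifiers.
SAMPLE = {
    "default_cert": {"enabled": True, "viewer_certificate": [{"cloudfront_default_certificate": True}]},
    "missing_block": {"enabled": True},
    "acm": {"enabled": True, "viewer_certificate": [
        {"acm_certificate_arn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
         "ssl_support_method": "sni-only"}]},
    "iam": {"enabled": True, "viewer_certificate": [
        {"iam_certificate_id": "PLACEHOLDERIAMCERTID", "ssl_support_method": "sni-only"}]},
}

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"FAILED {f.resource}: {f.reason}")
```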