Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key. An AWS ACM wildcard certificate matches any first-level subdomain or hostname in a domain. For example, a wildcard certificate issued for *.cloudconformity.com can protect both www.cloudconformity.com and images.cloudconformity.com.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When wildcard certificates are in use, if the private key of a certificate is compromised, then all sites (domain and subdomains) that use the compromised certificate are potentially impacted. The risk of compromise is even higher when wildcard certificates are imported into AWS ACM, because the customer holds an unencrypted copy of the certificate's private key on their own device(s). Cloud Conformity recommends using single domain name certificates instead of wildcard certificates so that a compromised private key affects only one domain/subdomain rather than all of them.
To determine if there are any issued Amazon Certificate Manager wildcard certificates available in your AWS account, perform the following:
To issue a single domain name certificate for each first-level subdomain using the Amazon Certificate Manager (ACM) service, perform the following actions:
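The following Python script is added here as an example for both the audit and the remediation steps above; it is not part of the Cloud Conformity tool or of ACM. It evaluates certificate records shaped like the `Certificate` object returned by `aws acm describe-certificate` (fields `CertificateArn`, `DomainName`, `SubjectAlternativeNames`, `Type`, `Status`), flags every certificate that carries a wildcard name, marks imported ones as the higher-risk case, and then lists the hostnames a flagged wildcard covers so that each can get its own single domain name certificate via `aws acm request-certificate`. The certificate records, ARNs, domains and hostname list are constructed sample data; the matching rule implemented is the one stated above (a wildcard covers exactly one first-level label, so `*.example.com` covers `www.example.com` but not `a.b.example.com` or the bare `example.com`).

```python
"""Audit ACM certificate records for wildcard names and list the per-hostname
certificates that would replace them (added example, not Cloud Conformity code)."""
import json

# Constructed sample records shaped like the `Certificate` object returned by
# `aws acm describe-certificate`. Only the fields used here are included;
# the ARNs and domains are made up for this example.
SAMPLE_CERTIFICATES = [
    {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-1111",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": ["*.example.com", "example.com"],
        "Type": "IMPORTED",
        "Status": "ISSUED",
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/bbbb-2222",
        "DomainName": "api.example.com",
        "SubjectAlternativeNames": ["api.example.com", "*.internal.example.com"],
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cccc-3333",
        "DomainName": "www.example.com",
        "SubjectAlternativeNames": ["www.example.com"],
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
    },
]

# Constructed list of hostnames actually served by the account (in practice
# taken from DNS records or load-balancer listeners).
SAMPLE_HOSTNAMES = [
    "www.example.com", "images.example.com", "api.example.com",
    "db.internal.example.com", "example.com", "www.other.org",
]


def is_wildcard_name(name):
    """An ACM wildcard name has a single '*' label in the leftmost position."""
    return name.startswith("*.") and "*" not in name[2:]


def wildcard_covers(pattern, hostname):
    """True if pattern covers hostname. ACM wildcards match exactly one label,
    so *.example.com covers www.example.com but not a.b.example.com."""
    if not is_wildcard_name(pattern):
        return pattern.lower() == hostname.lower()
    suffix = pattern[1:].lower()          # "*.example.com" -> ".example.com"
    host = hostname.lower()
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # the part the '*' would stand for
    return label != "" and "." not in label


def wildcard_names(cert):
    """All wildcard names on a certificate (subject name plus SANs), deduplicated."""
    names = [cert.get("DomainName", "")] + cert.get("SubjectAlternativeNames", [])
    return sorted({n for n in names if is_wildcard_name(n)})


def find_wildcard_certificates(certs, statuses=("ISSUED",)):
    """Return one finding per certificate (in the given statuses) that carries a wildcard name."""
    findings = []
    for cert in certs:
        if cert.get("Status") not in statuses:
            continue
        wild = wildcard_names(cert)
        if wild:
            findings.append({
                "CertificateArn": cert["CertificateArn"],
                "WildcardNames": wild,
                # Imported certificates are called out separately: their private
                # key also exists outside ACM, which is the higher-risk case.
                "Imported": cert.get("Type") == "IMPORTED",
            })
    return findings


def hostnames_needing_own_certificate(findings, hostnames):
    """Hostnames a flagged wildcard covers; each one needs a single domain name certificate."""
    covered = set()
    for finding in findings:
        for pattern in finding["WildcardNames"]:
            covered.update(h for h in hostnames if wildcard_covers(pattern, h))
    return sorted(covered)


def request_commands(hostnames):
    """AWS CLI calls that request one DNS-validated certificate per hostname."""
    return [
        f"aws acm request-certificate --domain-name {h} --validation-method DNS"
        for h in hostnames
    ]


if __name__ == "__main__":
    found = find_wildcard_certificates(SAMPLE_CERTIFICATES)
    print(json.dumps(found, indent=2))
    for cmd in request_commands(hostnames_needing_own_certificate(found, SAMPLE_HOSTNAMES)):
        print(cmd)
```

Against the sample data the script flags the imported `*.example.com` certificate and the `*.internal.example.com` SAN on the second certificate, and it lists four hostnames that would each need their own certificate; `example.com` is not among them because a wildcard does not cover the bare domain. To run it against a real account, replace `SAMPLE_CERTIFICATES` with the `Certificate` objects collected from `aws acm list-certificates` and `aws acm describe-certificate --certificate-arn <arn>` for each ARN in every region in use.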