Logo of Trend Micro

AWS ACM Certificates with Wildcard Domain Names

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: ACM-006

Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key. An AWS ACM wildcard certificate matches any first level subdomain or hostname in a domain. For example, a wildcard certificate issued for *.cloudconformity.com can protect both www.cloudconformity.com and images.cloudconformity.com.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security
Operational
excellence

When wildcard certificates are in use, if the private key of a certificate is hacked, then all sites (domain and subdomains) that use the compromised certificate are potentially impacted. The risk of hacking is even higher when the wildcard certificates are imported to AWS ACM as the customer holds an unencrypted copy of the certificate's private key on his device(s). Cloud Conformity recommends using single domain name certificates instead of wildcard certificates to reduce the risks associated with a compromised domain/subdomain.

Audit

To determine if there are any issued Amazon Certificate Manager wildcard certificates available in you AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS ACM dashboard at https://console.aws.amazon.com/acm/.

03 Select the issued SSL/TLS certificate that you want to examine and click on the Show/Hide Details button to expand the panel with the certificate details. An issued AWS ACM certificate is a SSL/TLS certificate issued by ACM or imported to ACM, that have its Status set to issued.

04 Inside the Details section, verify the domain name protected by the selected ACM certificate, displayed as value for the Domain name attribute. If the Domain name attribute value starts with an asterisk (*), the SSL/TLS certificate was issued for the verified domain name and all its first-level subdomains, therefore the selected AWS ACM certificate is a wildcard certificate.

05 Repeat step no. 3 and 4 to check the type of other SSL/TLS certificates, issued and managed by Amazon Certificate Manager (ACM) within the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-certificates command (OSX/Linux/UNIX) using built-in and custom query filters to list the ARNs for all AWS ACM certificates issued in the selected region. An issued certificate is a SSL/TLS certificate issued by ACM or imported to ACM, that have its status (represented by --certificate-statuses parameter) set to ISSUED: 

aws acm list-certificates
	--region us-east-1
	--certificate-statuses ISSUED
	--query 'CertificateSummaryList[*].CertificateArn'

02 The command output should return the requested Amazon Resource Names (ARNs): 

[

"arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc",
"arn:aws:acm:us-east-1:123456789012:certificate/bbbbcccc-dddd-eeee-ffff-bbbbccccdddd"

]

03 Run describe-certificate command (OSX/Linux/UNIX) using the ARN of the certificate that you want to examine as identifier and custom query filters to expose the domain name for the selected AWS ACM certificate: 

aws acm describe-certificate
	--region us-east-1
	--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-cccc-dddd-eeee-aaaabbbbcccc                                                             --query 'Certificate.DomainName'

04 The command output should return domain name protected by the specified SSL/TLS certificate: 

{

    "*.cloudconformity.com"

}

If the domain name returned starts with an asterisk (*), as shown in the example above, the SSL/TLS certificate protects the domain name and all its first-level subdomains, therefore the selected AWS ACM certificate is a wildcard certificate.

05 Repeat step no. 3 and 4 to check the type of other SSL/TLS certificates, issued and managed by AWS ACM within the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To issue a single domain name certificate for each first-level subdomain developed using Amazon Certificate Manager (ACM) service, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS ACM dashboard at https://console.aws.amazon.com/acm/.

03 Choose the wildcard certificate that you want to replace with single domain name certificates (see Audit section part I to identify the right ACM resource) and identify the subdomains protected by the selected SSL/TLS certificate.

04 Click Request a certificate button from the dashboard top menu to initiate the request process for the main domain name.

05 On Step 1: Add domain names page, in the Domain name box, type the fully qualified domain name of the website secured with the ACM certificate selected at step no. 3 (e.g. www.cloudconformity.com). Click Next to continue the process.

06 On Step 2: Select validation method page, choose how AWS ACM service validates your certificate request. Select DNS validation if you have or can obtain permission to modify the DNS configuration for the domain in your certificate request or Email validation if you do not have permission or cannot obtain permission to modify the DNS configuration for the domain name in your request. Click Review to continue.

07 On Step 3: Review page, review the certificate request details (domain name and validation method) then click Confirm and request to send the request to the Amazon Certificate Manager service. The requested certificate status is now set to Pending validation.

08 On Step 4: Validation page, validate the certificate request based on the validation method selected at step no. 6, following the instructions provided by AWS ACM, then click Continue. After validating your domain name, the ACM service changes the validation status to Success. Once AWS issues the certificate, ACM changes the certificate status to Issued.

09 The certificate status should change from Pending validation to Issued.

10 Now access your application(s) web server configuration and replace the wildcard SSL/TLS certificate with the newly issued single domain name certificate.

11 Now repeat steps no. 4 – 10 to issue single domain name certificates for all the first-level subdomains resulted from the domain name of the website secured with the certificate selected at step no. 3.

12 Repeat steps no. 3 – 11 to issue ACM certificates for other domains associated with wildcard certificates and managed by AWS ACM in the selected region.

13 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 First, you need to choose the wildcard certificate that you want to replace with single domain name certificates (see Audit section part II to identify the right resource) and identify the subdomains protected by the selected SSL/TLS certificate.

02 Once you have identified the domain name and its first-level subdomains, run request-certificate command (OSX/Linux/UNIX) to request an SSL/TLS certificate for each domain/subdomain. The following command example requests an AWS ACM certificate for a domain named "www.cloudconformity.com" using DNS as request validation method (to request ACM certificates for first-level subdomains just replace the --domain-name parameter value): 

aws acm request-certificate
	--region us-east-1
	--domain-name www.cloudconformity.com
	--validation-method DNS
	--idempotency-token abcd1234

03 The command output should return the ARN of the requested SSL/TLS certificate: 

{
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-aaaa-bbbb-cccc-123456789012"
}

04 Now validate the certificate request based on the chosen validation method. Once the new ACM certificate is validated, AWS issues the single domain name certificate and sets the resource status to ISSUED.

05 Access your application(s) web server configuration and replace the wildcard SSL/TLS certificate with the newly issued single domain name certificate.

06 Repeat steps no. 2 – 5 to issue single domain name certificates for all the first-level subdomains resulted from the domain name of the website secured with the certificate selected at step no. 1.

07 Repeat steps no. 1 – 6 to issue ACM certificates for other domains associated with wildcard certificates and managed by AWS ACM in the selected region.

08 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

References

Publication date Feb 15, 2018

Related ACM rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

AWS ACM Certificates with Wildcard Domain Names

Risk level: Low