Ensure AWS ACM only has certificates with single domain names, and none with wildcard domain names

LOW

Description

AWS ACM Certificates with wildcard domains are harder to manage.

Remediation

Wildcard domain names (domain names containing wildcards like *) are prohibited.

In AWS Console -

  1. Log into the AWS Console and go to the ACM Console.
  2. Here you can request new certificates, but the domain name field of an existing certificate cannot be edited. To create a replacement, select Request Certificate.

In Terraform -

  1. In the aws_acm_certificate resource, set the attribute 'domain_name' to a valid single domain name rather than a wildcard name containing an asterisk (*).
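As an added example (not part of this rule's own tooling), the following Python check applies the rule to certificate records shaped like ACM's DescribeCertificate output, flagging wildcards in the primary name and in subject alternative names alike. The ARNs and host names are constructed placeholders, and the label-syntax check is an assumption that approximates, rather than reproduces, ACM's own validation.

```python
import re

# Assumed hostname label rule (LDH: letters, digits, hyphen; no leading/trailing hyphen).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def is_wildcard(name: str) -> bool:
    """True if the name contains a wildcard label anywhere (e.g. '*.example.com')."""
    return "*" in name


def is_valid_single_domain(name: str) -> bool:
    """True if 'name' is a wildcard-free, multi-label domain name with valid labels."""
    if is_wildcard(name) or not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_certificate(cert: dict) -> list:
    """Return (arn, name, reason) findings for one certificate description."""
    # Keys follow ACM's DescribeCertificate shape: 'DomainName' is the primary name,
    # 'SubjectAlternativeNames' lists every name (primary included). A wildcard SAN
    # defeats the rule's intent just as much as a wildcard primary name, so both are checked.
    findings = []
    arn = cert.get("CertificateArn", "<unknown-arn>")
    names = [cert.get("DomainName", "")] + list(cert.get("SubjectAlternativeNames", []))
    for name in dict.fromkeys(names):  # de-duplicate while keeping order
        if is_wildcard(name):
            findings.append((arn, name, "wildcard domain name"))
        elif not is_valid_single_domain(name):
            findings.append((arn, name, "not a valid domain name"))
    return findings


def audit(certs: list) -> list:
    """Run check_certificate over every certificate and collect all findings."""
    return [f for cert in certs for f in check_certificate(cert)]


# Constructed sample records; the ARNs and names are placeholders, not real resources.
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/placeholder-1",
     "DomainName": "api.example.com", "SubjectAlternativeNames": ["api.example.com"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/placeholder-2",
     "DomainName": "*.example.com", "SubjectAlternativeNames": ["*.example.com", "example.com"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/placeholder-3",
     "DomainName": "www.example.org", "SubjectAlternativeNames": ["www.example.org", "*.internal.example.org"]},
]

if __name__ == "__main__":
    for arn, name, reason in audit(SAMPLE_CERTS):
        print(f"{arn}: {name}: {reason}")
```

To run it against a live account, feed the function the 'Certificate' dicts returned by the ACM DescribeCertificate API instead of SAMPLE_CERTS.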

References:
https://docs.aws.amazon.com/acm/latest/userguide/gs.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate#domain_name

Policy Details

Rule Reference ID: AC_AWS_0001
CSP: AWS
Remediation Available: No
Resource Category: Management

Frameworks