AWS ACM Certificates With Wildcard Domain Names
More Info:
Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key. An AWS ACM wildcard certificate matches any first level subdomain or hostname in a domain. For example, a wildcard certificate issued for *.cloudconformity.com can protect both www.cloudconformity.com and images.cloudconformity.com.
Risk Level: Low
Address: Security
Compliance Standards: NIST
Triage and Remediation
Check Cause
- Log in to the AWS Management Console and navigate to the API Gateway dashboard.
- In the APIs list, select the API you want to check.
- In the API's settings, navigate to the "Custom Domain Names" section. Here, you will see a list of all custom domain names associated with your API.
- Check the ACM Certificate column for each custom domain name. If a certificate has a wildcard (*) in its domain name, it means that the certificate is configured with a wildcard domain name.
- First, you need to install and configure the AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the resources.
- Once the AWS CLI is set up, you can use the following command to list all the ACM Certificates:

```shell
aws acm list-certificates --region your-region
```

Replace 'your-region' with the region where your ACM Certificates are located. This command will return a list of all the ACM Certificates in the specified region.
- To check if any of these certificates have wildcard domain names, you can use the following command:

```shell
aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region
```

Replace 'your-certificate-arn' with the ARN of the certificate you want to check and 'your-region' with the region where the certificate is located. This command will return the details of the specified certificate.
- In the output of the above command, look for the 'DomainName' field. If the value of this field starts with '*', then the certificate has a wildcard domain name. For example, a value of '*.example.com' indicates a wildcard domain name.
- Setup AWS SDK (Boto3) in Python Environment: First, you need to set up the AWS SDK (Boto3) in your Python environment. You can install it using pip:

```shell
pip install boto3
```

After installing boto3, configure your AWS credentials. You can configure your credentials either by setting environment variables or by using the AWS CLI.
- List ACM Certificates: Use the list_certificates method provided by the ACM client in boto3 to list all the certificates. Here is a sample script:

```python
import boto3


def list_acm_certificates():
    acm_client = boto3.client('acm')
    # Page through the results; a single list_certificates call may be truncated.
    paginator = acm_client.get_paginator('list_certificates')
    certificates = []
    for page in paginator.paginate():
        certificates.extend(page['CertificateSummaryList'])
    return certificates


certificates = list_acm_certificates()
print(certificates)
```

This script will print all the ACM certificates.
- Check for Wildcard Domain Names: Now, iterate over the certificates and check if any certificate has a wildcard domain name. A wildcard domain name starts with '*.'. Here is the updated script:

```python
import boto3


def list_acm_certificates():
    acm_client = boto3.client('acm')
    # Page through the results; a single list_certificates call may be truncated.
    paginator = acm_client.get_paginator('list_certificates')
    certificates = []
    for page in paginator.paginate():
        certificates.extend(page['CertificateSummaryList'])
    return certificates


def check_wildcard_domain(certificates):
    # Keep only certificates whose primary domain name is a wildcard.
    wildcard_certs = []
    for cert in certificates:
        if cert['DomainName'].startswith('*.'):
            wildcard_certs.append(cert)
    return wildcard_certs


certificates = list_acm_certificates()
wildcard_certs = check_wildcard_domain(certificates)
print(wildcard_certs)
```

This script will print all the ACM certificates with wildcard domain names.
- Check API Gateway for ACM Certificates: Finally, check if any of the ACM certificates with wildcard domain names are used in API Gateway. API Gateway references ACM certificates on its custom domain names, so use the get_domain_names method provided by the API Gateway client in boto3: edge-optimized domains carry the certificate in 'certificateArn', regional domains in 'regionalCertificateArn'. Here is the final script:

```python
import boto3


def list_acm_certificates():
    acm_client = boto3.client('acm')
    # Page through the results; a single list_certificates call may be truncated.
    paginator = acm_client.get_paginator('list_certificates')
    certificates = []
    for page in paginator.paginate():
        certificates.extend(page['CertificateSummaryList'])
    return certificates


def check_wildcard_domain(certificates):
    # Keep only certificates whose primary domain name is a wildcard.
    wildcard_certs = []
    for cert in certificates:
        if cert['DomainName'].startswith('*.'):
            wildcard_certs.append(cert)
    return wildcard_certs


def check_api_gateway(wildcard_certs):
    api_gateway_client = boto3.client('apigateway')
    wildcard_arns = {cert['CertificateArn'] for cert in wildcard_certs}
    # Custom domain names hold the ACM certificate reference: 'certificateArn'
    # for edge-optimized endpoints, 'regionalCertificateArn' for regional ones.
    paginator = api_gateway_client.get_paginator('get_domain_names')
    for page in paginator.paginate():
        for domain in page['items']:
            for key in ('certificateArn', 'regionalCertificateArn'):
                if domain.get(key) in wildcard_arns:
                    print(f"API Gateway custom domain {domain['domainName']} is using "
                          f"ACM certificate with wildcard domain name ({domain[key]})")


certificates = list_acm_certificates()
wildcard_certs = check_wildcard_domain(certificates)
check_api_gateway(wildcard_certs)
```

This script will print the custom domain names of all API Gateways that are using ACM certificates with wildcard domain names.
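As an added example that is not part of the original page, the check below keeps the matching logic separate from the boto3 calls so it runs offline against constructed responses shaped like ACM describe-certificate output and API Gateway get-domain-names output. It goes beyond the script above in two ways a practitioner needs: it inspects SubjectAlternativeNames (a certificate with an exact primary name can still carry a wildcard SAN) and it follows both the edge-optimized and regional certificate references. All ARNs and host names are constructed placeholders.

```python
# Added example, not the page's own code. Pure matching logic over
# constructed data shaped like ACM describe-certificate 'Certificate'
# objects and API Gateway get-domain-names 'items'. ARNs are placeholders.
ACM = "arn:aws:acm:us-east-1:123456789012:certificate/"

SAMPLE_CERTS = [  # constructed sample
    {"CertificateArn": ACM + "EXAMPLE-1", "DomainName": "*.example.com",
     "SubjectAlternativeNames": ["*.example.com"]},
    # Exact primary name, but a wildcard hides among the SANs.
    {"CertificateArn": ACM + "EXAMPLE-2", "DomainName": "api.example.com",
     "SubjectAlternativeNames": ["api.example.com", "*.internal.example.com"]},
    {"CertificateArn": ACM + "EXAMPLE-3", "DomainName": "www.example.com",
     "SubjectAlternativeNames": ["www.example.com"]},
]
SAMPLE_DOMAINS = [  # constructed sample
    {"domainName": "api.example.com", "regionalCertificateArn": ACM + "EXAMPLE-1"},
    {"domainName": "www.example.com", "certificateArn": ACM + "EXAMPLE-3"},
    {"domainName": "svc.internal.example.com", "regionalCertificateArn": ACM + "EXAMPLE-2"},
]


def is_wildcard(name):
    """ACM wildcard names carry '*' only as the leftmost label."""
    return name.startswith("*.")


def wildcard_cert_arns(certs):
    """Map certificate ARN -> sorted wildcard names it covers (primary name or any SAN)."""
    found = {}
    for cert in certs:
        names = [cert["DomainName"]] + list(cert.get("SubjectAlternativeNames", []))
        wild = sorted({n for n in names if is_wildcard(n)})
        if wild:
            found[cert["CertificateArn"]] = wild
    return found


def domains_using_wildcards(domains, wildcard_arns):
    """Flag custom domains whose ACM certificate (edge or regional) is a wildcard cert."""
    findings = []
    for dn in domains:
        # Edge-optimized domains set 'certificateArn'; regional ones set 'regionalCertificateArn'.
        for key in ("certificateArn", "regionalCertificateArn"):
            arn = dn.get(key)
            if arn in wildcard_arns:
                findings.append({"domainName": dn["domainName"], "endpoint": key,
                                 "certificateArn": arn, "wildcardNames": wildcard_arns[arn]})
    return findings


def run_sample():
    return domains_using_wildcards(SAMPLE_DOMAINS, wildcard_cert_arns(SAMPLE_CERTS))
```

Feeding live data in is a matter of passing the paged describe-certificate and get-domain-names results from the script above into the two functions in place of the constructed samples.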