AWS ACM Certificate with wildcard domain name
Description
This policy detects whether an AWS ACM (AWS Certificate Manager) certificate's domain name contains wildcard entries. A wildcard in a domain name (for example, *.example.com) lets one certificate secure every subdomain under that domain. While convenient, this poses a significant security risk: every host that serves one of those subdomains holds the same private key, so if any one subdomain is compromised, the same certificate could be used to impersonate or attack all the other subdomains. Avoiding wildcard certificates adds a layer of security by giving each subdomain its own distinct certificate, thereby isolating the impact of a compromise.
Code Example
```hcl
resource "aws_acm_certificate" "example" {
  # ...
  subject_alternative_names = [
    # "*.example.com" removed: list each subdomain explicitly instead of a wildcard
    "blog.example.com",
    "api.example.com"
  ]
}
```
Remediation
Specify individual subdomains in the Subject Alternative Names attribute instead of using a wildcard domain (for example, `*.example.com`). List subdomains such as `blog.example.com` and `api.example.com`.
Terraform
- Resource: aws_acm_certificate
- Arguments: subject_alternative_names
This example shows how to configure an AWS ACM certificate by specifying individual subdomains in the `subject_alternative_names` attribute rather than using a wildcard domain.
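The detection the policy describes, written out as an added example that is not the policy's or Checkov's own implementation: it takes an `aws_acm_certificate` resource configuration in the list-wrapped dictionary shape a Terraform parser typically emits (an assumption), inspects both `domain_name` and `subject_alternative_names`, and reports every wildcard entry it finds. The sample configurations at the bottom are constructed for illustration.

```python
"""Flag wildcard domain names in an aws_acm_certificate resource (added example)."""
from typing import Any, Dict, List

# Attributes of aws_acm_certificate that carry domain names (assumed shape: parsed HCL).
DOMAIN_ATTRIBUTES = ("domain_name", "subject_alternative_names")


def _flatten(value: Any) -> List[str]:
    """Unwrap the nested lists a Terraform parser emits and return only the strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, (list, tuple)):
        out: List[str] = []
        for item in value:
            out.extend(_flatten(item))
        return out
    return []


def wildcard_entries(conf: Dict[str, Any]) -> List[str]:
    """Return every domain in the resource that contains a wildcard label.

    A literal '*' is not legal in a hostname, so its presence always means a wildcard.
    """
    found: List[str] = []
    for attr in DOMAIN_ATTRIBUTES:
        for name in _flatten(conf.get(attr, [])):
            if "*" in name:
                found.append(f"{attr}: {name}")
    return found


def scan_resource_conf(conf: Dict[str, Any]) -> str:
    """FAILED when any wildcard entry is present, PASSED otherwise."""
    return "FAILED" if wildcard_entries(conf) else "PASSED"


# Constructed sample inputs in the list-wrapped shape a Terraform parser produces.
NONCOMPLIANT = {
    "domain_name": ["example.com"],
    "subject_alternative_names": [["*.example.com", "blog.example.com", "api.example.com"]],
}
COMPLIANT = {
    "domain_name": ["example.com"],
    "subject_alternative_names": [["blog.example.com", "api.example.com"]],
}

if __name__ == "__main__":
    for label, conf in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        print(label, scan_resource_conf(conf), wildcard_entries(conf))
```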
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0504 |
| Severity | LOW |
| IaC Type | Cloudformation |
| Frameworks | Terraform |
| Checkov ID | CKV2_AWS_71 |