CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
The use of wildcard certificates in AWS ACM can introduce security risks, as they can be easily abused by attackers for impersonation. It is recommended to avoid wildcard certificates and instead use individual certificates for each subdomain or service. This ensures better control and reduces the potential impact of a compromised certificate. Regularly review the certificates in AWS ACM and replace any wildcard certificates with specific ones.
Set the domain_name attribute in aws_acm_certificate without using wildcards.
Example configuration:
resource "aws_acm_certificate" "allowed_1" {
  domain_name       = "my_domain"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "allowed_2" {
  domain_name       = "hello.my_domain"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_acm_certificate" "allowed_3" {
  domain_name       = "email.my_domain"
  validation_method = "EMAIL"

  lifecycle {
    create_before_destroy = true
  }
}
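
The review step above can be automated before deployment. The following is an added example, not part of the original rule or any scanner's own code: it walks data shaped like `terraform show -json` output and reports every aws_acm_certificate whose domain_name is a wildcard. It goes beyond the rule text by also checking subject_alternative_names; the sample plan and the function names are constructed for illustration.

```python
"""Flag wildcard ACM certificates in a Terraform plan (added example)."""

# Constructed sample, shaped like `terraform show -json plan.out` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_acm_certificate.allowed_2", "type": "aws_acm_certificate",
         "values": {"domain_name": "hello.example.com", "validation_method": "DNS"}},
        {"address": "aws_acm_certificate.wild", "type": "aws_acm_certificate",
         "values": {"domain_name": "*.example.com", "validation_method": "DNS"}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"bucket": "*.not-a-cert"}},
    ],
    "child_modules": [{"address": "module.edge", "resources": [
        {"address": "module.edge.aws_acm_certificate.api",
         "type": "aws_acm_certificate",
         "values": {"domain_name": "api.example.com",
                    "subject_alternative_names": ["api.example.com",
                                                  "*.api.example.com"]}},
    ]}],
}}}


def iter_resources(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def is_wildcard(name):
    """ACM only permits the asterisk as the leftmost label."""
    return isinstance(name, str) and name.strip().startswith("*.")


def find_wildcard_certs(plan):
    """Return [(resource address, [wildcard names])] for ACM certificates."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_acm_certificate":
            continue
        values = res.get("values") or {}
        # SANs may be absent from the plan when not yet known.
        names = [values.get("domain_name")]
        names += values.get("subject_alternative_names") or []
        wild = sorted({n for n in names if is_wildcard(n)})
        if wild:
            findings.append((res["address"], wild))
    return findings


if __name__ == "__main__":
    for address, names in find_wildcard_certs(SAMPLE_PLAN):
        print(f"{address}: wildcard name(s) {', '.join(names)}")
```

For a real plan, load the JSON file with `json.load` and pass the result to `find_wildcard_certs`; a non-empty result can fail the pipeline.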