The CloudFront distribution uses the default SSL certificate

ID

aws_cloudfront_default_certificate

Severity

low

Vendor

AWS

Resource

Encryption

Tags

reachable

Description

The CloudFront distribution uses the default CloudFront SSL/TLS certificate (the *.cloudfront.net certificate). A custom SSL certificate gives you full control over the certificate that protects your content and lets users reach the content through an alternate domain name (CNAME). With the default certificate the distribution is only reachable under its cloudfront.net name and CloudFront sets the viewer security policy to TLSv1 regardless of the value you configure, so the minimum protocol version cannot be raised; a custom certificate is required before a TLS 1.2 security policy such as TLSv1.2_2021 can be enforced.

To fix it, set viewer_certificate.cloudfront_default_certificate to false and specify the following fields:

  • acm_certificate_arn or iam_certificate_id (specify a value for one, not both; an ACM certificate used by CloudFront must be issued in the us-east-1 region)

  • minimum_protocol_version (a CloudFront security policy name such as TLSv1.2_2021; there is no TLSv1.3 policy)

  • ssl_support_method (sni-only for most deployments; vip allocates dedicated IP addresses for legacy clients that cannot send SNI)

Learn more about this topic at AWS CloudFront certificates.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create distribution
      community.aws.cloudfront_distribution:
        state: present
        default_origin_domain_name: www.my-cloudfront-origin.com
        tags:
          Name: example distribution
          Project: example project
          Priority: '1'
        viewer_certificate:
          cloudfront_default_certificate: true

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create distribution
      community.aws.cloudfront_distribution:
        state: present
        default_origin_domain_name: www.my-cloudfront-origin.com
        tags:
          Name: example distribution
          Project: example project
          Priority: '1'
        viewer_certificate:
          cloudfront_default_certificate: false
          acm_certificate_arn: ARN_ID   # ACM certificate must be issued in us-east-1
          minimum_protocol_version: TLSv1.2_2021   # strongest CloudFront security policy; TLSv1.3 is not a valid policy name
          ssl_support_method: sni-only
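The check below is an added example of how this rule can be evaluated against parsed playbook data; it is not code from the original page or from the community.aws collection. It takes the structure PyYAML produces for a playbook, finds cloudfront_distribution tasks, and reports the default-certificate case together with the follow-on mistakes a practitioner makes when switching to a custom certificate (both certificate fields set, an ACM certificate outside us-east-1, a policy name that does not exist such as TLSv1.3, a policy below TLS 1.2, an invalid ssl_support_method). The two sample playbooks are constructed inline to mirror the failing and fixed examples above; the ACM ARN in the fixed one is a made-up placeholder.

```python
"""Evaluate rule aws_cloudfront_default_certificate against parsed Ansible playbooks.

Added example, not part of the original page or of the community.aws
collection. Playbooks are passed in as already-parsed data (the structure
PyYAML produces for a playbook file).
"""

# Names under which the task may appear: FQCN, legacy collection, short name.
CLOUDFRONT_MODULES = {
    "community.aws.cloudfront_distribution",
    "amazon.aws.cloudfront_distribution",
    "cloudfront_distribution",
}

# CloudFront security policies, weakest first. There is no TLSv1.3 policy.
SECURITY_POLICIES = [
    "SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
    "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021",
]
WEAKEST_ACCEPTABLE = "TLSv1.2_2018"   # first policy that rejects TLS < 1.2
SSL_SUPPORT_METHODS = {"sni-only", "vip"}


def cert_region(arn):
    """Region field of an ARN (arn:partition:service:region:account:resource), or None."""
    parts = arn.split(":")
    return parts[3] if len(parts) >= 6 and parts[0] == "arn" else None


def check_task(task):
    """Return a list of findings for one task; an empty list means the task passes."""
    module_args = None
    for name in CLOUDFRONT_MODULES:
        if name in task:
            module_args = task[name] or {}
            break
    if module_args is None:
        return []   # not a CloudFront distribution task

    vc = module_args.get("viewer_certificate")
    if not vc:
        # Without a viewer_certificate block CloudFront uses the default certificate.
        return ["viewer_certificate not set; the default *.cloudfront.net certificate is used"]
    if vc.get("cloudfront_default_certificate"):
        return ["cloudfront_default_certificate is true; the security policy is pinned to TLSv1"]

    findings = []
    acm = vc.get("acm_certificate_arn")
    iam = vc.get("iam_certificate_id")
    if bool(acm) == bool(iam):
        findings.append("exactly one of acm_certificate_arn or iam_certificate_id must be set")
    if acm and cert_region(acm) != "us-east-1":
        findings.append("ACM certificate must be issued in us-east-1 to be used by CloudFront")

    policy = vc.get("minimum_protocol_version")
    if policy not in SECURITY_POLICIES:
        findings.append(f"minimum_protocol_version {policy!r} is not a CloudFront security policy")
    elif SECURITY_POLICIES.index(policy) < SECURITY_POLICIES.index(WEAKEST_ACCEPTABLE):
        findings.append(f"minimum_protocol_version {policy} allows TLS < 1.2")

    if vc.get("ssl_support_method") not in SSL_SUPPORT_METHODS:
        findings.append("ssl_support_method must be sni-only or vip")
    return findings


def scan_playbook(playbook):
    """Map the name of every failing task to its findings, across all plays."""
    report = {}
    for play in playbook:
        for task in play.get("tasks", []):
            findings = check_task(task)
            if findings:
                report[task.get("name", "<unnamed>")] = findings
    return report


# Constructed sample data mirroring the failing and fixed playbooks on this page.
FAILING_PLAYBOOK = [{
    "name": "Example playbook", "hosts": "localhost",
    "tasks": [{
        "name": "create distribution",
        "community.aws.cloudfront_distribution": {
            "state": "present",
            "default_origin_domain_name": "www.my-cloudfront-origin.com",
            "viewer_certificate": {"cloudfront_default_certificate": True},
        },
    }],
}]

FIXED_PLAYBOOK = [{
    "name": "Example playbook", "hosts": "localhost",
    "tasks": [{
        "name": "create distribution",
        "community.aws.cloudfront_distribution": {
            "state": "present",
            "default_origin_domain_name": "www.my-cloudfront-origin.com",
            "viewer_certificate": {
                "cloudfront_default_certificate": False,
                # hypothetical ARN, constructed for the example
                "acm_certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
                "minimum_protocol_version": "TLSv1.2_2021",
                "ssl_support_method": "sni-only",
            },
        },
    }],
}]

if __name__ == "__main__":
    print("failing:", scan_playbook(FAILING_PLAYBOOK))
    print("fixed:  ", scan_playbook(FIXED_PLAYBOOK))
```

Run it as a script to see the failing playbook reported and the fixed one pass; feeding it the output of yaml.safe_load on a real playbook works the same way.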