AWS ACM SSL/TLS Certificate Requests Are Validated

Description:

Amazon Web Services (AWS) Certificate Manager (ACM) is a service that lets you provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. When requesting SSL/TLS certificates via ACM, it is critical that every request completes domain validation, so that certificates are issued only for domains your organization controls and only with the configuration you intended. Proper validation is what makes the certificate trustworthy to clients; skipped or stalled validation leaves certificates unusable or, worse, lets misconfigured certificates into production.


Remediation:

1. Follow ACM's Validation Process:

AWS Management Console:
  • When requesting a certificate in the ACM Console, ACM will provide one or more domain validation methods.
  • For Email validation: ACM sends validation emails to the three contact addresses listed in the domain's WHOIS database record and to five common system addresses for that domain. The recipient must follow the instructions in the email to approve the request.
  • For DNS validation: ACM provides a CNAME record to add to your DNS configuration. Once ACM detects the DNS record, the domain validation is complete.

2. Automated Renewal:
  • ACM automatically renews managed certificates that are in use (associated with other AWS services) before they expire. Ensure that your domains' DNS settings or email contacts remain valid so that this automated renewal can succeed.

3. Regular Audits:
  • Regularly review ACM to ensure that only the necessary certificates are provisioned.
  • Check the "In Use" column in the ACM Console to identify any certificates that aren't actively associated with AWS services. Consider whether such certificates need to be retained.

4. Restrict ACM Access:
  • Use IAM policies to restrict who can request and manage ACM certificates.
  • Apply least-privilege principles, ensuring that only the personnel who need to can request or renew certificates.
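The validation and audit checks above can be scripted against the metadata ACM returns for each certificate. The following is an added example (not AWS's own tooling and not part of this control text): it audits certificate records in the shape returned by boto3's `acm.describe_certificate()` ("Certificate" dict), flagging requests whose domain validation has not completed (and printing the CNAME record still to be added), issued certificates that no AWS resource uses, and certificates whose renewal depends on email contacts or is not eligible for managed renewal. The sample records are constructed placeholders; the optional `fetch_certificates()` helper shows how to load real data with boto3 but is not needed to run the file.

```python
"""Offline audit of ACM certificate metadata.

Input records follow the shape of boto3's acm.describe_certificate()["Certificate"].
The SAMPLE_CERTIFICATES below are constructed for illustration only: the ARNs,
domains and DNS values are placeholders, not real resources.
"""
from typing import Dict, List

SAMPLE_CERTIFICATES: List[Dict] = [
    {   # healthy: DNS-validated, issued, attached to a load balancer
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-1",
        "DomainName": "www.example.com",
        "Status": "ISSUED",
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/EXAMPLE"],
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [{
            "DomainName": "www.example.com", "ValidationStatus": "SUCCESS",
            "ValidationMethod": "DNS",
            "ResourceRecord": {"Name": "_abc123.www.example.com.", "Type": "CNAME",
                               "Value": "_def456.acm-validations.aws."}}],
    },
    {   # request stalled: the validation CNAME was never added to DNS
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-2",
        "DomainName": "api.example.com",
        "Status": "PENDING_VALIDATION",
        "InUseBy": [],
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [{
            "DomainName": "api.example.com", "ValidationStatus": "PENDING_VALIDATION",
            "ValidationMethod": "DNS",
            "ResourceRecord": {"Name": "_789xyz.api.example.com.", "Type": "CNAME",
                               "Value": "_321uvw.acm-validations.aws."}}],
    },
    {   # issued via email validation but no longer attached to anything
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-3",
        "DomainName": "old.example.com",
        "Status": "ISSUED",
        "InUseBy": [],
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [{
            "DomainName": "old.example.com", "ValidationStatus": "SUCCESS",
            "ValidationMethod": "EMAIL"}],
    },
]


def audit_certificate(cert: Dict) -> List[str]:
    """Return human-readable findings for one certificate; empty list means healthy."""
    findings: List[str] = []
    arn = cert["CertificateArn"]
    status = cert.get("Status")

    # 1. Validation must have completed: anything but ISSUED is not usable yet.
    if status != "ISSUED":
        findings.append(f"{arn}: status is {status}, not ISSUED")
        for opt in cert.get("DomainValidationOptions", []):
            rr = opt.get("ResourceRecord")
            if opt.get("ValidationStatus") == "PENDING_VALIDATION" and rr:
                findings.append(f"{arn}: add {rr['Type']} {rr['Name']} -> {rr['Value']} "
                                f"to complete DNS validation for {opt['DomainName']}")
        return findings

    # 2. Issued but unused: the console's "In Use" column is empty; review for removal.
    if not cert.get("InUseBy"):
        findings.append(f"{arn}: ISSUED but not in use by any AWS resource")

    # 3. Renewal hygiene: email-validated certs depend on WHOIS/system mailboxes
    #    staying reachable; INELIGIBLE certs will not be renewed by ACM at all.
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") == "EMAIL":
            findings.append(f"{arn}: {opt['DomainName']} uses EMAIL validation; "
                            "confirm the contact mailboxes are still monitored")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append(f"{arn}: not eligible for ACM managed renewal")
    return findings


def audit_all(certs: List[Dict]) -> Dict[str, List[str]]:
    """Map each certificate ARN with at least one finding to its findings."""
    report = {c["CertificateArn"]: audit_certificate(c) for c in certs}
    return {arn: f for arn, f in report.items() if f}


def fetch_certificates(region_name: str = "us-east-1") -> List[Dict]:
    """Optional: load real records with boto3 (requires AWS credentials and acm:List/Describe)."""
    import boto3  # imported lazily so the offline audit has no dependency on it
    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


if __name__ == "__main__":
    for arn, findings in audit_all(SAMPLE_CERTIFICATES).items():
        print("\n".join(findings))
```

Run it as-is against the constructed sample, or replace `SAMPLE_CERTIFICATES` with `fetch_certificates()` to audit a real account; the IAM identity running it then only needs `acm:ListCertificates` and `acm:DescribeCertificate`, which keeps the audit role itself within least privilege.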

Recommendation:

Always follow AWS ACM's recommended validation procedures when requesting or renewing SSL/TLS certificates. Regularly review ACM's dashboard for unused or unnecessary certificates and remove them to reduce exposure. Implement strict IAM policies so that only trusted entities within your organization can manage ACM certificates. Continuous monitoring and regular audits of your ACM certificates will help maintain the security and integrity of your SSL/TLS deployments in AWS.