AWS ACM uses Single Domain Name Certificates

Description:

SSL/TLS certificates play a vital role in establishing secure communications. While wildcard certificates (e.g., *.example.com) offer the convenience of securing every subdomain of a zone with a single certificate, they also widen the blast radius: if the private key of a wildcard certificate is compromised, an attacker can impersonate any host under that domain, including hosts that do not exist yet. Scoping certificates to the specific host names that need them (e.g., api.example.com) limits the exposure from a compromised key to that one host. It is recommended to use AWS Certificate Manager (ACM) to issue and deploy single domain name certificates instead of wildcard certificates within your AWS account, where feasible.


Remediation:

1. Identify Wildcard Certificates:

AWS Management Console:
  • Navigate to the ACM Console.
  • Review the list of certificates and identify any whose domain name begins with a wildcard (e.g., *.example.com).
  • Open each remaining certificate and check its Subject Alternative Names as well: a certificate whose primary name is example.com can still carry *.example.com as an additional name, and the list view shows only the primary name.

2. Replace Wildcard Certificates:

For each identified wildcard certificate:

  • Determine the specific host names (e.g., api.example.com, www.example.com) that currently terminate TLS with the wildcard certificate; these are the names that need coverage.
  • Request a single domain name certificate for each of those host names through ACM.
AWS Management Console:
  • In the ACM Console, click on Request a certificate.
  • Select Request a public certificate, and then enter the specific domain name.
  • Follow the validation process. DNS validation is preferable: as long as the validation CNAME stays in the zone, ACM renews the certificate automatically, whereas email validation requires someone to respond to a validation email before each renewal.

3. Update AWS Resources:

For each AWS service or resource using the wildcard certificate (the certificate's details page in ACM lists its associated resources):

  • Update the configuration to use the newly provisioned single domain name certificate for that resource's host name.

For example, if using an Application Load Balancer:

  • Navigate to the EC2 Console.
  • In the navigation pane, under Load Balancing, choose Load Balancers and select your load balancer.
  • Choose the Listeners tab and select the HTTPS listener.
  • Update the listener's default SSL/TLS certificate to the new ACM single domain name certificate. If several host names share one listener, add one single domain name certificate per host name to the listener's certificate list; the load balancer selects the matching certificate by SNI.

4. Revoke and Delete Wildcard Certificates:

Once all services have been updated:

  • Return to the ACM Console and open each wildcard certificate; confirm that its list of associated resources is empty. ACM will not delete a certificate that is still attached to a resource.
  • For each wildcard certificate no longer in use, choose Actions, then Delete.
  • Deleting a certificate removes it from ACM but does not revoke it. For an ACM-issued certificate whose private key was never exported, nothing outside ACM ever held the key, so deletion is sufficient; if the key did exist outside ACM (an imported certificate), revoke the certificate with the issuing CA as well.
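The audit in step 1 and the "is it still in use?" check in step 4 are easy to get wrong from the console alone, because the list view shows only a certificate's primary name. The following script is an added example for this page (not AWS code and not part of the original text): its audit logic runs on a constructed sample in the shape returned by `describe_certificate`, flags wildcards in both the primary name and the SANs, and reports which resources ACM says still use each certificate. Only `fetch_from_acm()` needs boto3 and AWS credentials, both assumed rather than verified here; the ARNs in the sample are made up.

```python
"""Audit ACM certificates for wildcard names and report where they are in use.

Added example for this page, not code from AWS or the page's author. The
audit logic is plain Python over the dict shape that
acm.describe_certificate()["Certificate"] returns; fetch_from_acm() is the
only part that needs boto3 and credentials (both assumed, not verified here).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class WildcardFinding:
    certificate_arn: str
    wildcard_names: list[str]   # every *.name on the certificate
    in_use_by: list[str]        # ARNs of resources ACM reports as using it


def wildcard_names(cert: dict) -> list[str]:
    """Return the wildcard names on a certificate, in order, without duplicates.

    Both the primary DomainName and the SubjectAlternativeNames are checked:
    a certificate whose primary name is example.com can still carry
    *.example.com as a SAN, and the console list view shows only the primary.
    """
    candidates = [cert.get("DomainName", "")] + list(cert.get("SubjectAlternativeNames", []))
    found: list[str] = []
    for name in candidates:
        if name.startswith("*.") and name not in found:
            found.append(name)
    return found


def find_wildcard_certificates(certs: list[dict]) -> list[WildcardFinding]:
    """Step 1 of the remediation: list every certificate that carries a wildcard."""
    findings = []
    for cert in certs:
        names = wildcard_names(cert)
        if names:
            findings.append(WildcardFinding(cert["CertificateArn"], names, list(cert.get("InUseBy", []))))
    return findings


def safe_to_delete(finding: WildcardFinding) -> bool:
    """Step 4: ACM refuses DeleteCertificate while InUseBy is non-empty, so
    every resource in that list must be moved to a replacement first."""
    return not finding.in_use_by


def fetch_from_acm(region: str) -> list[dict]:
    """Pull the live certificate set for one region (ACM is regional).

    Assumes boto3 is installed and credentials are configured. The explicit
    keyTypes filter matters: without it, ListCertificates returns only
    RSA_2048 certificates, so ECDSA wildcard certificates would be missed.
    """
    import boto3  # imported here so the audit logic above runs without boto3

    acm = boto3.client("acm", region_name=region)
    key_types = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
                 "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]
    certs = []
    for page in acm.get_paginator("list_certificates").paginate(Includes={"keyTypes": key_types}):
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


# Constructed sample in the describe_certificate shape; ARNs and IDs are made up.
SAMPLE_CERTIFICATES = [
    {   # wildcard as the primary name, still attached to a load balancer
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": ["*.example.com"],
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"],
    },
    {   # apex name is primary; the wildcard hides in the SANs; nothing uses it
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "www.example.com", "*.example.com"],
        "InUseBy": [],
    },
    {   # single domain name certificate: compliant, not reported
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/33333333-3333-3333-3333-333333333333",
        "DomainName": "api.example.com",
        "SubjectAlternativeNames": ["api.example.com"],
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/api/fedcba9876543210"],
    },
]


if __name__ == "__main__":
    # Swap SAMPLE_CERTIFICATES for fetch_from_acm("us-east-1") to audit a live account.
    for f in find_wildcard_certificates(SAMPLE_CERTIFICATES):
        state = "safe to delete" if safe_to_delete(f) else f"still used by {len(f.in_use_by)} resource(s)"
        print(f"{f.certificate_arn}\n  wildcard names: {', '.join(f.wildcard_names)}\n  {state}")
```

Run it against the sample and it reports two certificates: the first is still used by one load balancer and must be re-pointed at a single domain name certificate before ACM will let you delete it; the second is unused and can be deleted. The `api.example.com` certificate is not reported.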

Recommendation:

Adopt a security best practice of using specific single domain name certificates over wildcard certificates, especially for high-risk or critical subdomains. While wildcard certificates can provide operational simplicity in some scenarios, their potential security risks can outweigh the benefits. By leveraging ACM to manage and deploy specific single domain name certificates, you enhance the granularity and security of your SSL/TLS configurations within your AWS account.