id: acm-wildcard-cert
info:
  name: Wildcard ACM Certificate Usage
  author: princechaddha
  severity: low
  description: |
    Ensure ACM certificates for specific domain names are used over wildcard certificates to adhere to best security practices, providing unique private keys for each domain/subdomain.
  impact: |
    Using wildcard certificates can expose your AWS environment to increased risk by potentially allowing unauthorized subdomains to be protected under the same certificate, reducing the granularity of access control and increasing the blast radius in the event of a key compromise.
  remediation: |
    Replace wildcard ACM certificates with single domain name certificates for each domain/subdomain within your AWS account. This enhances security by ensuring each domain/subdomain has its own unique private key and certificate.
  reference:
    - https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
  tags: cloud,devops,aws,amazon,acm,aws-cloud-config

variables:
  region: "us-east-1"

flow: |
  code(1)
  for(let arns of iterate(template.certificatearns)){
    set("certificatearn", arns)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json

    extractors:
      - type: json
        name: certificatearns
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
         aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.DomainName'

    matchers:
      - type: word
        words:
          - "*."

    extractors:
      - type: dsl
        dsl:
          - 'certificatearn + " AWS ACM certificate is a wildcard certificate"'
# digest: 4a0a00473045022100f6ea9830b40920522f8151d891ae384572efefa30076cbf061bb313303abe50d022030dcf2a11227f66c51c43294228e264bf6b0eee1ae359cc2b84272c834de6351:922c64590222798bb761d5b6d8e72950