id: acm-cert-validation
info:
  name: ACM Certificate Validation Check
  author: princechaddha
  severity: medium
  description: |
    Ensure ACM SSL/TLS certificates are properly validated during issue or renewal, indicating secure communication channels.
  impact: |
    Lack of validation may allow unauthorized certificates, leading to potential man-in-the-middle attacks or data breaches.
  remediation: |
    Use AWS ACM for certificate provisioning and ensure domain validation steps are correctly followed for each certificate issued or renewed.
  reference:
    - https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html
  metadata:
    max-request: 2
  tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
  region: "us-east-1"

flow: |
  code(1)
  for(let arns of iterate(template.certificatearns)){
    set("certificatearn", arns)
    code(2)
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws acm list-certificates --region $region --output json

    extractors:
      - type: json
        name: certificatearns
        internal: true
        json:
          - '.CertificateSummaryList[] | .CertificateArn'

  - engine:
      - sh
      - bash
    source: |
         aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.Status'

    matchers:
      - type: word
        words:
          - "PENDING_VALIDATION"

    extractors:
      - type: dsl
        dsl:
          - '"The issue/renewal request for " + certificatearn + " SSL/TLS certificate was not validated"'
# digest: 4a0a0047304502210092b18eb3a24d6dea12fc385763c84745bf8201424ef620661e9c9fbb1b3b513a02201dc10c6f007cea631d51e81c2b6c883bf6c530a4de13398dea1c605b4a925714:922c64590222798bb761d5b6d8e72950