57 lines
1.7 KiB
YAML
57 lines
1.7 KiB
YAML
id: acm-cert-validation
|
|
info:
|
|
name: ACM Certificate Validation Check
|
|
author: princechaddha
|
|
severity: medium
|
|
description: |
|
|
Ensure ACM SSL/TLS certificates are properly validated during issue or renewal, indicating secure communication channels.
|
|
impact: |
|
|
Lack of validation may allow unauthorized certificates, leading to potential man-in-the-middle attacks or data breaches.
|
|
remediation: |
|
|
Use AWS ACM for certificate provisioning and ensure domain validation steps are correctly followed for each certificate issued or renewed.
|
|
reference:
|
|
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html
|
|
metadata:
|
|
max-request: 2
|
|
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
|
|
variables:
|
|
region: "us-east-1"
|
|
|
|
flow: |
|
|
code(1)
|
|
for(let arns of iterate(template.certificatearns)){
|
|
set("certificatearn", arns)
|
|
code(2)
|
|
}
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
aws acm list-certificates --region $region --output json
|
|
|
|
extractors:
|
|
- type: json
|
|
name: certificatearns
|
|
internal: true
|
|
json:
|
|
- '.CertificateSummaryList[] | .CertificateArn'
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.Status'
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- "PENDING_VALIDATION"
|
|
|
|
extractors:
|
|
- type: dsl
|
|
dsl:
|
|
- '"The issue/renewal request for " + certificatearn + " SSL/TLS certificate was not validated"'
|
|
# digest: 4a0a0047304502210092b18eb3a24d6dea12fc385763c84745bf8201424ef620661e9c9fbb1b3b513a02201dc10c6f007cea631d51e81c2b6c883bf6c530a4de13398dea1c605b4a925714:922c64590222798bb761d5b6d8e72950 |