Skip to content

AWS CloudFront web distribution with default SSL certificate

Description

This policy identifies CloudFront web distributions which have a default SSL certificate to access CloudFront content. It is a best practice to use custom SSL Certificate to access CloudFront content. It gives you full control over the content data. custom SSL certificates also allow your users to access your content by using an alternate domain name. You can use a certificate stored in AWS Certificate Manager (ACM) or you can use a certificate stored in IAM.

Fix - Buildtime

Terraform

resource "aws_cloudfront_distribution" "pass_1" {

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
   target_origin_id = "groupS3"
  }

  viewer_certificate {
    acm_certificate_arn = "aaaaa"
  }
}