CloudFront distributions should use custom SSL/TLS certificates.
cloudfront_distributions_custom_ssl_certificate
Ensure that your Amazon CloudFront distributions are configured to use a custom SSL/TLS certificate instead of the default one.
Risk
Using the default SSL/TLS certificate provided by CloudFront can limit your ability to use custom domain names and may not align with your organization's security policies or branding requirements.
Run this check with Prowler CLI
prowler aws --checks cloudfront_distributions_custom_ssl_certificate
ARN template
arn:partition:service:region:account-id:resource-id
Remediation
https://docs.prowler.com/checks/aws/networking-policies/ensure-aws-cloudfront-distribution-uses-custom-ssl-certificate/
https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/CloudFront/cloudfront-distro-custom-tls.html
https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-7
Configure your CloudFront distributions to use a custom SSL/TLS certificate to enable secure access via your own domain names and meet specific security and branding needs. This allows for more control over encryption and authentication settings.
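To verify the remediation, the same condition can be evaluated over a distribution listing. The following is an added example, not Prowler's own code: it treats a distribution as compliant only when the default certificate flag is off and an ACM or IAM certificate is referenced. The sample response, distribution IDs, account number, and function names are constructed for illustration.

```python
# Added example (not Prowler's implementation): evaluate each distribution's
# ViewerCertificate block. SAMPLE is constructed data shaped like the
# CloudFront ListDistributions response; all IDs and ARNs are placeholders.
# Live input could come from boto3.client("cloudfront").list_distributions().
SAMPLE = {
    "DistributionList": {
        "Items": [
            {   # Served with the default *.cloudfront.net certificate
                "Id": "EXAMPLEDEFAULT1",
                "ARN": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDEFAULT1",
                "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
            },
            {   # Custom certificate issued through ACM
                "Id": "EXAMPLECUSTOM01",
                "ARN": "arn:aws:cloudfront::111122223333:distribution/EXAMPLECUSTOM01",
                "ViewerCertificate": {
                    "CloudFrontDefaultCertificate": False,
                    "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
                    "SSLSupportMethod": "sni-only",
                    "MinimumProtocolVersion": "TLSv1.2_2021",
                },
            },
            {   # Flag is off but no certificate is referenced
                "Id": "EXAMPLENOCERT01",
                "ARN": "arn:aws:cloudfront::111122223333:distribution/EXAMPLENOCERT01",
                "ViewerCertificate": {"CloudFrontDefaultCertificate": False},
            },
        ]
    }
}

def uses_custom_certificate(distribution):
    """True only if a custom ACM or IAM certificate is actually attached."""
    cert = distribution.get("ViewerCertificate") or {}
    if cert.get("CloudFrontDefaultCertificate", False):
        return False
    # Assumption of this example: a missing certificate reference is a FAIL.
    return bool(cert.get("ACMCertificateArn") or cert.get("IAMCertificateId"))

def evaluate(response):
    """Return one finding per distribution; Items is absent when none exist."""
    items = (response.get("DistributionList") or {}).get("Items") or []
    return [{"id": d["Id"], "arn": d["ARN"],
             "status": "PASS" if uses_custom_certificate(d) else "FAIL"}
            for d in items]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(f'{finding["status"]}  {finding["id"]}  {finding["arn"]}')
```
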
Resource Type
AwsCloudFrontDistribution