CloudFront distribution uses a custom SSL/TLS certificate

cloudfront_distributions_custom_ssl_certificate

Severity: medium
Service: cloudfront
by Prowler

CloudFront distributions are configured with a custom SSL/TLS certificate rather than the default *.cloudfront.net certificate for viewer connections.

Risk

The default *.cloudfront.net certificate does not cover your own hostnames, so HTTPS on an alternate domain name fails hostname validation. Clients then see certificate errors or fall back to plain HTTP, which affects authentication and availability. You also lose control over the TLS posture (protocol versions, SNI) and over domain-bound security headers such as HSTS, weakening confidentiality and user trust.

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_custom_ssl_certificate

Recommendation

  • Use a custom SSL/TLS certificate covering your domains and configure aliases.
  • Enforce modern TLS policy, SNI, and HSTS; disable legacy protocols.
  • Apply least privilege to certificate lifecycle and rotate/monitor keys.

Remediation

CLI

aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query "DistributionConfig" --output json > current-config.json
# get-distribution-config wraps the config in {"ETag": ..., "DistributionConfig": {...}};
# update-distribution accepts only the inner object, hence the --query above.
# Manually edit current-config.json to add the Aliases and ViewerCertificate fields, then run:
aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match $(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query "ETag" --output text)

Other
  1. Open the CloudFront console and select your distribution
  2. Go to the Settings/General tab and click Edit
  3. In Alternate domain name (CNAME), add <example_domain>
  4. In SSL certificate, choose Custom SSL certificate and select your ACM certificate (issued in us-east-1 and covering <example_domain>)
  5. Click Save/Yes, Edit and wait for the distribution to deploy
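The following is an added example, not Prowler's own check implementation. It shows the condition this check evaluates (is the viewer certificate an ACM or IAM certificate rather than the default *.cloudfront.net one?) together with the TLS-posture points from the recommendation (SNI, modern minimum protocol, aliases present), and it builds the same update body the CLI remediation above uploads, unwrapping the get-distribution-config response and carrying its ETag for --if-match. Field names follow the CloudFront DistributionConfig API; the sample responses, ETag, account id, ARN and domain are constructed placeholders, and the set of "modern" protocol versions is an assumption for the example.

```python
"""Evaluate CloudFront DistributionConfig objects for the custom-certificate
check and build the patched config for update-distribution.
Added example (not Prowler's code); field names follow the CloudFront API,
all sample values are constructed placeholders."""
from copy import deepcopy

# Assumption for this example: TLS 1.2 security policies count as "modern".
MODERN_MIN_PROTOCOLS = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}

# Placeholder ARN; a real one must be an ACM certificate issued in us-east-1.
ACM_CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER-CERT-ID"


def uses_custom_certificate(distribution_config: dict) -> bool:
    """True when viewers get an ACM or IAM certificate, not the default one."""
    vc = distribution_config.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate", False):
        return False
    return bool(vc.get("ACMCertificateArn") or vc.get("IAMCertificateId"))


def evaluate(distribution_id: str, distribution_config: dict) -> dict:
    """Return a PASS/FAIL finding plus notes on the recommended TLS settings."""
    vc = distribution_config.get("ViewerCertificate", {})
    custom = uses_custom_certificate(distribution_config)
    notes = []
    if custom:  # only meaningful once a custom certificate is in place
        if vc.get("SSLSupportMethod") != "sni-only":
            notes.append("SSLSupportMethod is not sni-only")
        if vc.get("MinimumProtocolVersion") not in MODERN_MIN_PROTOCOLS:
            notes.append(f"legacy MinimumProtocolVersion {vc.get('MinimumProtocolVersion')}")
        if not distribution_config.get("Aliases", {}).get("Items"):
            notes.append("custom certificate set but no Aliases (CNAMEs) configured")
    return {
        "resource_id": distribution_id,
        "status": "PASS" if custom else "FAIL",
        "status_extended": (
            f"CloudFront distribution {distribution_id} uses a custom SSL/TLS certificate."
            if custom else
            f"CloudFront distribution {distribution_id} uses the default CloudFront certificate."
        ),
        "notes": notes,
    }


def remediate(get_config_response: dict, aliases: list, acm_certificate_arn: str):
    """Build (DistributionConfig, ETag) for update-distribution --if-match.

    get-distribution-config returns {"ETag": ..., "DistributionConfig": {...}};
    update-distribution wants only the inner object, so it is unwrapped here."""
    if not aliases:
        raise ValueError("at least one alternate domain name (CNAME) is required")
    etag = get_config_response["ETag"]
    cfg = deepcopy(get_config_response["DistributionConfig"])
    cfg["Aliases"] = {"Quantity": len(aliases), "Items": list(aliases)}
    cfg["ViewerCertificate"] = {
        "ACMCertificateArn": acm_certificate_arn,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
        "CloudFrontDefaultCertificate": False,
    }
    return cfg, etag


# Constructed sample: a distribution still on the default certificate.
SAMPLE_DEFAULT_CERT = {
    "ETag": "ETAG_PLACEHOLDER",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Aliases": {"Quantity": 0},
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": True,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront",
        },
    },
}

# Constructed sample: custom certificate, but legacy TLS settings and no aliases.
SAMPLE_CUSTOM_LEGACY = {
    "CallerReference": "example-ref-2",
    "Aliases": {"Quantity": 0},
    "ViewerCertificate": {
        "ACMCertificateArn": ACM_CERT_ARN,
        "SSLSupportMethod": "vip",
        "MinimumProtocolVersion": "TLSv1",
        "CloudFrontDefaultCertificate": False,
    },
}

if __name__ == "__main__":
    print(evaluate("EXAMPLE-DIST-1", SAMPLE_DEFAULT_CERT["DistributionConfig"]))
    print(evaluate("EXAMPLE-DIST-2", SAMPLE_CUSTOM_LEGACY))
    fixed, etag = remediate(SAMPLE_DEFAULT_CERT, ["www.example.com"], ACM_CERT_ARN)
    print(etag, evaluate("EXAMPLE-DIST-1", fixed))
```

The notes list is deliberately separate from the PASS/FAIL status: the Prowler check itself only asks whether a custom certificate is configured, while the remaining recommendation items (SNI, minimum protocol, aliases) are reported as additional findings on a distribution that already passes.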

Resource Type

AwsCloudFrontDistribution
