Using a bare wildcard (*) as an ACM certificate DomainName creates overly broad trust and can enable certificate issuance or use that is not tied to a specific domain. This increases the risk of impersonation and unauthorized TLS termination.
For AWS::CertificateManager::Certificate resources, Properties.DomainName must be a valid domain or a properly scoped wildcard subdomain (for example, example.com or *.example.com) and must not be the single character *. Resources where DomainName is exactly * will be flagged. Use explicit hostnames or scoped wildcard names and, if you need multiple names, list them in SubjectAlternativeNames rather than using a universal wildcard.
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DomainName:
    Description: "Domain for which you are requesting a cert"
    Type: String
    Default: example.com # Put your own domain name here
  HostedZoneId:
    Description: "hosted zone id in which CNAME record for the validation needs to be added"
    Type: String
    Default: XYZABCDERYH # Put the hosted zone id in which CNAME record for the validation needs to be added
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: CMDomain
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
      ValidationMethod: 'DNS'
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "DomainName": {
      "Type": "String",
      "Default": "example.com",
      "Description": "Domain for which you are requesting a cert"
    },
    "HostedZoneId": {
      "Description": "hosted zone id in which CNAME record for the validation needs to be added",
      "Type": "String",
      "Default": "XYZABCDERYH"
    }
  },
  "Resources": {
    "Certificate": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "CMDomain",
        "DomainValidationOptions": [
          {
            "HostedZoneId": "HostedZoneId",
            "DomainName": "DomainName"
          }
        ],
        "ValidationMethod": "DNS"
      }
    }
  }
}
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DomainName:
    Description: "Domain for which you are requesting a cert"
    Type: String
    Default: example.com # Put your own domain name here
  HostedZoneId:
    Description: "hosted zone id in which CNAME record for the validation needs to be added"
    Type: String
    Default: XYZABCDERYH # Put the hosted zone id in which CNAME record for the validation needs to be added
Resources:
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: "*"
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
      ValidationMethod: 'DNS'
```

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters": {
    "HostedZoneId": {
      "Type": "String",
      "Default": "XYZABCDERYH",
      "Description": "hosted zone id in which CNAME record for the validation needs to be added"
    },
    "DomainName": {
      "Description": "Domain for which you are requesting a cert",
      "Type": "String",
      "Default": "example.com"
    }
  },
  "Resources": {
    "Certificate": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": "*",
        "DomainValidationOptions": [
          {
            "DomainName": "DomainName",
            "HostedZoneId": "HostedZoneId"
          }
        ],
        "ValidationMethod": "DNS"
      }
    }
  }
}
```
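The check this rule describes, written out as a small stdlib-only Python script (an added illustration, not Datadog's scanner): it walks a parsed CloudFormation JSON template, flags every AWS::CertificateManager::Certificate whose DomainName is the bare `*`, and, going one step beyond the rule text, also flags wildcards that are not scoped as `*.<domain>`. The embedded template is a trimmed copy of the non-compliant JSON example above; intrinsic functions such as `{"Ref": ...}` are left alone because they resolve only at deploy time.

```python
"""Flag ACM certificates whose DomainName is a bare or unscoped wildcard."""
import json
import re

CERT_TYPE = "AWS::CertificateManager::Certificate"
# ACM only accepts a wildcard as the leftmost label: "*." plus real DNS labels.
SCOPED_WILDCARD = re.compile(r"^\*\.[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")


def domain_name_issue(value):
    """Return a finding for a DomainName value, or None if it is acceptable.

    Non-string values (e.g. {"Ref": "DomainName"}) are intrinsic functions
    resolved at deploy time, so they are skipped rather than guessed at.
    """
    if not isinstance(value, str):
        return None
    if value == "*":
        return "bare wildcard '*' as DomainName"
    if value.startswith("*") and not SCOPED_WILDCARD.match(value):
        return f"wildcard '{value}' is not scoped to a domain"
    return None


def find_wildcard_certs(template):
    """Return [(logical_id, finding)] for every non-compliant ACM certificate."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != CERT_TYPE:
            continue
        domain = resource.get("Properties", {}).get("DomainName")
        issue = domain_name_issue(domain)
        if issue:
            findings.append((logical_id, issue))
    return findings


# Constructed sample: the page's non-compliant JSON example, trimmed to the
# resource that matters for this rule.
NON_COMPLIANT = json.loads("""{
  "Resources": {"Certificate": {
    "Type": "AWS::CertificateManager::Certificate",
    "Properties": {"DomainName": "*", "ValidationMethod": "DNS"}}}}""")

if __name__ == "__main__":
    for logical_id, issue in find_wildcard_certs(NON_COMPLIANT):
        print(f"{logical_id}: {issue}")
```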
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```