--- title: Vulnerable default SSL certificate description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Vulnerable default SSL certificate --- # Vulnerable default SSL certificate {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `3a1e94df-6847-4c0e-a3b6-6c6af4e128ef` **Cloud Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Insecure Defaults #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) ### Description{% #description %} CloudFront web distributions should use custom SSL certificates, specified by setting the `viewer_certificate` block with the `acm_certificate_arn` and not the `cloudfront_default_certificate = true` attribute. Relying on the default CloudFront SSL certificate means content is only secured by the default CloudFront domain, which cannot use custom domain names and exposes the distribution to all clients without proper access restrictions. If left unaddressed, this can allow unintended public access and prevent granular control over who can securely access your content via custom domains. A secure configuration example should look like the following: ``` viewer_certificate { acm_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn ssl_support_method = "sni-only" minimum_protocol_version = "TLSv1.2_2018" } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "aws_s3_bucket" "negative1" { # configs } resource "aws_cloudfront_distribution" "negative2" { origin { domain_name = aws_s3_bucket.negative1.bucket_regional_domain_name origin_id = local.s3_origin_id s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true is_ipv6_enabled = true comment = "Some comment" default_root_object = "index.html" default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = local.s3_origin_id forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "allow-all" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { acm_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn ssl_support_method = "sni-only" minimum_protocol_version = "TLSv1.2_2018" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "aws_s3_bucket" "positive1" { # configs } resource "aws_cloudfront_distribution" "positive2" { origin { domain_name = aws_s3_bucket.positive1.bucket_regional_domain_name origin_id = local.s3_origin_id s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true is_ipv6_enabled = true comment = "Some comment" default_root_object = "index.html" default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = local.s3_origin_id forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "allow-all" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } } resource "aws_cloudfront_distribution" "positive3" { origin { domain_name = aws_s3_bucket.positive1.bucket_regional_domain_name origin_id = local.s3_origin_id s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true is_ipv6_enabled = true comment = "Some comment" default_root_object = "index.html" default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = local.s3_origin_id forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "allow-all" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { cloudfront_default_certificate = true } } resource "aws_cloudfront_distribution" "positive4" { origin { domain_name = aws_s3_bucket.positive1.bucket_regional_domain_name origin_id = local.s3_origin_id s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true is_ipv6_enabled = true comment = "Some comment" default_root_object = "index.html" default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = local.s3_origin_id forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "allow-all" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { acm_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn } } ```