turbot/net_insights

Control: Ensure domains have a CAA record configured to whitelist a CA for issuing certificates

Description

A CAA (Certification Authority Authorization) record is a DNS record type that tells a Certification Authority (CA) whether it is permitted to issue an SSL certificate for the domain, giving the CA an additional check during validation. With CAA in place, the attack surface for fraudulent certificates is reduced, making sites more secure.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_certificate_caa_record_configured

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_certificate_caa_record_configured --share

Steampipe Tables

Params

Args  Name          Default                         Description        Variable
$1    domain_names  ["github.com","microsoft.com"]  DNS domain names.

SQL

-- Domains from $1 for which net_dns_record returns rows.
with domain_list as (
  select distinct domain
  from net_dns_record
  where domain in (select jsonb_array_elements_text(to_jsonb($1::text[])))
  order by domain
),
-- Domains from $1 that return at least one record of type CAA.
domain_with_caa_record as (
  select distinct domain
  from net_dns_record
  where domain in (select jsonb_array_elements_text(to_jsonb($1::text[])))
    and type = 'CAA'
)
-- One row per domain: 'ok' when a CAA record exists, otherwise 'alarm'.
select
  domain_list.domain as resource,
  case
    when domain_with_caa_record.domain is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when domain_with_caa_record.domain is not null then domain_list.domain || ' has CAA record.'
    else domain_list.domain || ' does not have a CAA record.'
  end as reason
from
  domain_list
  left join domain_with_caa_record on domain_list.domain = domain_with_caa_record.domain
order by domain_list.domain;
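
The query above reports ok for any CAA record found at the exact name queried. The added example below is not part of the net_insights mod; it goes beyond the control and evaluates records the way RFC 8659 describes, climbing to the closest ancestor that has a CAA set and reading its issue/issuewild properties. The zone data and function names are constructed for illustration, and the critical flag is not handled.

```python
# Added example: RFC 8659 CAA evaluation over constructed records (no DNS lookups).
# Each record is (flags, tag, value), the fields of a CAA resource record.
SAMPLE_ZONE = {  # constructed sample data, example domains only
    "example.com": [(0, "issue", "ca.example.net"), (0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "example.org": [(0, "iodef", "mailto:sec@example.org")],
}

def relevant_rrset(name, zone):
    """Climb from name towards the root; return (owner, records) of the first CAA set found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """Issuer domain name of an issue/issuewild value, with parameters after ';' dropped."""
    return value.split(";", 1)[0].strip().lower()

def evaluate(name, zone, wildcard=False):
    """Return (status, reason) describing who may issue for name."""
    owner, records = relevant_rrset(name, zone)
    if owner is None:
        return "alarm", f"{name} has no CAA record at or above it; any CA may issue."
    tags = {}
    for _flags, tag, value in records:
        tags.setdefault(tag.lower(), []).append(value)
    # issuewild, when present, governs wildcard requests; otherwise issue applies.
    prop = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if prop not in tags:
        return "alarm", f"CAA at {owner} has no {prop} property; issuance is not restricted."
    allowed = sorted({issuer_domain(v) for v in tags[prop]} - {""})
    if not allowed:
        return "ok", f"CAA at {owner} forbids issuance by every CA."
    return "ok", f"CAA at {owner} authorizes: {', '.join(allowed)}."

if __name__ == "__main__":
    for n in ("www.example.com", "locked.example.com", "example.org", "example.net"):
        print(n, *evaluate(n, SAMPLE_ZONE))
```

A subdomain such as www.example.com has no CAA record of its own and would alarm under a presence-only check, yet it is covered by the parent's record; example.org has a CAA record but only an iodef property, so issuance is not restricted.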