🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-aws-cloudtrail-log-detections
Overview
4Dashboards
86Benchmarks
96Queries
1Variables
GitHub

Detection: CloudFront Distribution Default Certificate Disabled

Overview

Detect when a CloudFront distribution's default certificate was disabled. Disabling default SSL/TLS certificates increases the risk of insecure communication by exposing sensitive data to interception or tampering during transmission. Ensuring encrypted communication with SSL/TLS is critical for protecting sensitive information and maintaining compliance with industry standards.

References:

Usage

Run the detection in your terminal:

powerpipe detection run aws_cloudtrail_log_detections.detection.cloudfront_distribution_default_certificate_disabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run aws_cloudtrail_log_detections.detection.cloudfront_distribution_default_certificate_disabled --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
string_split(event_source, '.')[1] || ':' || event_name as operation,
request_parameters ->> 'name' as resource,
user_identity.arn as actor,
tp_source_ip as source_ip,
tp_index as account_id,
aws_region as region,
tp_id as source_id,
*


from
  aws_cloudtrail_log
where
  event_source = 'cloudfront.amazonaws.com'
  and event_name in ('UpdateDistribution', 'CreateDistribution')
  and (request_parameters -> 'distributionConfig' -> 'viewerCertificate' -> 'cloudFrontDefaultCertificate') = false
order by
  event_time desc;

Tags

category = Detections
mitre_attack_ids = TA0005:T1562.001
plugin = aws
service = AWS/CloudFront