Profile Applicability:
- Level 1
Description:
This control ensures that public SSL/TLS certificates issued by AWS Certificate Manager (ACM) have Certificate Transparency (CT) logging enabled, i.e. the certificate option CertificateTransparencyLoggingPreference is ENABLED. CT logging publishes each issued certificate in public, append-only, tamper-evident logs, so misissued or maliciously issued certificates for a domain can be detected by anyone monitoring those logs, which is what gives certificate issuance its transparency and trust across the internet.
Rationale:
Certificate Transparency lets domain owners, browsers, and third parties monitor and verify the SSL/TLS certificates issued for their domains. Monitoring CT logs helps detect:
- Misissued or rogue certificates.
- Unauthorized certificate issuance by compromised or malicious certificate authorities (CAs).
- Phishing or spoofing domains impersonating your brand.
CT logging is also a prerequisite for trust: Chrome and Safari reject publicly trusted certificates that were issued without CT evidence, so an ACM public certificate with logging disabled fails in those browsers regardless of its validity.
Impact:
- Positive Impact: Increases visibility into certificate issuance. Enhances domain ownership validation and public accountability. Strengthens defense against unauthorized certificate use.
- Negative Impact: Low. CT logs contain only certificate metadata, never private keys. The one disclosure to weigh is that every logged certificate publishes the domain names it covers, subdomains included, so internal-looking hostnames placed on a public certificate become publicly searchable. Disabling logging to avoid this is not a fix: Chrome and Safari reject publicly trusted certificates that are not logged, so the certificate would stop working in those browsers.
Default Value:
By default, ACM submits every public certificate it issues or renews to CT logs: the certificate option CertificateTransparencyLoggingPreference is ENABLED unless the requester explicitly set it to DISABLED, either when requesting the certificate or afterwards through UpdateCertificateOptions. The default is therefore compliant, but the setting can be changed per certificate, which is why each certificate must be checked.
Private certificates issued via ACM Private CA are never CT-logged; the setting does not apply to them. Certificates imported into ACM are not logged by ACM either; whether they appear in CT logs depends on the CA that issued them.
Pre-Requisite:
IAM permissions required:
acm:ListCertificates
acm:DescribeCertificate
acm:UpdateCertificateOptions (only needed to remediate a certificate whose logging preference was set to DISABLED)
Only public certificates issued by AWS Certificate Manager (ACM), reported by DescribeCertificate as Type AMAZON_ISSUED, are in scope; private and imported certificates are not applicable.
Remediation
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Certificate Manager (ACM).
Select a certificate from the list.
Under the Details section, review the Certificate Transparency Logging field.
Confirm that it displays Enabled for all public ACM certificates.
For private CA-issued certificates, note that CT logging is not applicable.
Implementation Plan
Using AWS Console:
Navigate to ACM → Certificates → Request a certificate.
When requesting a public certificate, leave Certificate Transparency logging at its default (enabled). The request form allows opting out; do not use that option for any certificate that must be trusted by public browsers.
For existing certificates, review each certificate’s Certificate Transparency logging status:
Public (Amazon-issued) certificates → must show Enabled. If one shows Disabled, re-enable it from the certificate’s details page or with the UpdateCertificateOptions API (aws acm update-certificate-options), then confirm with a public CT log search that the certificate, or its next renewal, actually appears in a log; a certificate that was issued while logging was disabled is not trusted by Chrome or Safari until a logged copy exists.
Private certificates → CT logging is not supported, no action required.
If you are using a third-party certificate imported into ACM, ACM does not submit it to CT logs; if browsers must trust it, verify with a public CT log search that its issuing CA logged it.
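The test plan and the remediation step above, as an added example in Python (this is not AWS, CIS, or any project’s code): it evaluates DescribeCertificate payloads, passing Amazon-issued certificates whose CertificateTransparencyLoggingPreference is ENABLED, failing those where it is DISABLED or unset, and marking private and imported certificates not applicable; it then builds the UpdateCertificateOptions parameters for each failing certificate. The sample certificates and their ARNs are constructed for the example, and the `--live`/`--fix` flags and the `live_certificates` helper are this example’s own; the API names and response fields (Type, Options.CertificateTransparencyLoggingPreference) are the real ACM ones.

```python
"""Audit ACM certificates for CT logging and optionally re-enable it.

Added example for this control, not AWS or CIS code. It works on the JSON shape
returned by `aws acm describe-certificate` / boto3 describe_certificate.
"""
from __future__ import annotations

# Constructed sample payloads (account id and certificate ids are placeholders).
SAMPLE_CERTIFICATES = [
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/aaaa-public-logged",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "Options": {"CertificateTransparencyLoggingPreference": "ENABLED"},
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/bbbb-public-optout",
        "DomainName": "api.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"},
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/cccc-private",
        "DomainName": "db.corp.internal",
        "Type": "PRIVATE",
        "Status": "ISSUED",
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/dddd-imported",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
        "Status": "ISSUED",
    },
]


def evaluate(cert: dict) -> tuple[str, str]:
    """Return (verdict, reason) for one DescribeCertificate payload.

    PASS: Amazon-issued public certificate with logging ENABLED.
    FAIL: Amazon-issued public certificate with logging DISABLED or unset.
    N/A : private (never logged) or imported (logged by its own CA, not ACM).
    """
    cert_type = cert.get("Type")
    if cert_type == "PRIVATE":
        return "N/A", "private CA certificate; CT logging not supported"
    if cert_type == "IMPORTED":
        return "N/A", "imported certificate; ACM does not submit it to CT logs"
    pref = cert.get("Options", {}).get("CertificateTransparencyLoggingPreference")
    if cert_type == "AMAZON_ISSUED" and pref == "ENABLED":
        return "PASS", "CT logging enabled"
    return "FAIL", f"CT logging preference is {pref or 'unset'}"


def audit(certs: list[dict]) -> dict[str, list[str]]:
    """Group certificate ARNs by verdict."""
    report: dict[str, list[str]] = {"PASS": [], "FAIL": [], "N/A": []}
    for cert in certs:
        verdict, _ = evaluate(cert)
        report[verdict].append(cert["CertificateArn"])
    return report


def remediation_calls(certs: list[dict]) -> list[dict]:
    """UpdateCertificateOptions parameters for every failing certificate."""
    return [
        {"CertificateArn": cert["CertificateArn"],
         "Options": {"CertificateTransparencyLoggingPreference": "ENABLED"}}
        for cert in certs
        if evaluate(cert)[0] == "FAIL"
    ]


def live_certificates(acm) -> list[dict]:
    """Fetch every certificate in the region through a boto3 ACM client (not run offline)."""
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv            # hypothetical flag: audit the real account
    fix = live and "--fix" in sys.argv     # hypothetical flag: apply the remediation
    if live:
        import boto3  # needs acm:ListCertificates, acm:DescribeCertificate, and
        acm = boto3.client("acm")  # acm:UpdateCertificateOptions when --fix is used
        certs = live_certificates(acm)
    else:
        certs = SAMPLE_CERTIFICATES
    for verdict, arns in audit(certs).items():
        for arn in arns:
            print(f"{verdict:4} {arn}")
    for params in remediation_calls(certs):
        if fix:
            acm.update_certificate_options(**params)
        print("remediate:", params["CertificateArn"])
```

Run without flags to see the verdicts on the sample data; `--live` audits the current region and `--live --fix` additionally sets the preference back to ENABLED on each failing certificate. The same field can be read for one certificate with `aws acm describe-certificate --certificate-arn <arn> --query 'Certificate.Options.CertificateTransparencyLoggingPreference'`.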
Backout Plan
Using AWS Console:
There is no need to disable CT logging; it is a best practice to always keep it enabled.
Logging can be opted out of per public certificate (set the Certificate Transparency logging preference to Disabled), but a certificate issued or renewed without logging is rejected by Chrome and Safari, and a certificate already submitted to a log cannot be withdrawn, because CT logs are append-only.
Using AWS CLI:
The opt-out is the same option the remediation sets, with the opposite value: aws acm update-certificate-options --certificate-arn <certificate-arn> --options CertificateTransparencyLoggingPreference=DISABLED. Do not use it for certificates served to public browsers.
References:
- AWS Certificate Transparency Documentation
- AWS ACM CLI Command Reference
- Certificate Transparency Project