Output Format

The plugin generates JSON output in the following format for each discovered certificate:

{
  "result_type": "scan",
  "plugin_id": "aws-cloudfront-plugin",
  "plugin_version": "1.1.0",
  "data": {
    "type": "cert",
    "timestamp": "2026-01-21T15:33:19+05:30",
    "urn": "URN_NUMBER",
    "url": "https://console.aws.amazon.com/cloudfront/v3/home?region=us-east-1#/distributions/DISTRIBUTION_ID",
    "extra": {
      "distribution_id": "DISTRIBUTION_ID",
      "distribution_arn": "arn:aws:cloudfront::ACCOUNT_ID:distribution/DISTRIBUTION_ID",
      "domain_name": "d21rsch7py4ncb.cloudfront.net",
      "distribution_status": "Deployed",
      "certificate_domain_name": "example.com",
      "certificate_arn": "arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/...",
      "certificate_source": "acm",
      "minimum_protocol_version": "TLSv1.3_2025",
      "ssl_support_method": "sni-only",
      "issuer": "Entrust",
      "subject": "CN=example.com",
      "serial_number": "2b:41:0b:12:32:dc:fa:f0:84:86:a5:3c:ca:b7:f4:c6:f7:2d:55:18",
      "not_before": "2025-12-17T23:42:49Z",
      "not_after": "2026-12-17T23:42:49Z",
      "key_algorithm": "RSA-2048",
      "signature_algorithm": "SHA256WITHRSA"
    },
    "cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
  }
}

Output Fields Explanation

Field                     Description
------------------------  ------------------------------------------------------------------------
distribution_id           CloudFront distribution ID (e.g., E1ZU6UPGYYF07)
distribution_arn          AWS ARN of the distribution
domain_name               CloudFront domain name (e.g., d21rsch7py4ncb.cloudfront.net)
distribution_status       Distribution status as reported by the CloudFront API (Deployed, or
                          InProgress while a change propagates); a disabled distribution still
                          reports Deployed, since enabled/disabled is a separate flag
certificate_domain_name   Domain name the certificate is attached for (e.g., example.com)
certificate_arn           ACM certificate ARN (always in us-east-1 for CloudFront)
certificate_source        Source of the certificate (acm = AWS Certificate Manager)
minimum_protocol_version  CloudFront security policy, which sets the minimum TLS version and the
                          allowed cipher suites (e.g., TLSv1.3_2025)
ssl_support_method        SSL support method (sni-only, vip, static-ip); vip means a dedicated
                          IP address per distribution
issuer                    Certificate issuer name
subject                   Certificate subject (CN, O, C, etc.)
serial_number             Certificate serial number, colon-separated hex
not_before                Certificate validity start (RFC 3339 format)
not_after                 Certificate expiration (RFC 3339 format)
key_algorithm             Public key algorithm with size or curve (RSA-2048, EC-prime256v1, etc.)
signature_algorithm       Signature algorithm (SHA256WITHRSA, etc.)
cert_pem                  Certificate chain in PEM format (RFC 7468); the metadata fields above
                          describe the leaf certificate
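As an added example (not code from the plugin or from this page), the following Go program consumes one record in the format above, re-parses the leaf certificate from cert_pem with the standard library, and cross-checks the record: the not_after metadata must agree with the certificate, the certificate must cover certificate_domain_name, expiry within a warning window is flagged, and weak security policies, the dedicated-IP (vip) method and short RSA keys are reported. Everything in it is an assumption: the type names, the Check and SampleRecord functions, the set of security policies treated as acceptable, and the self-signed certificate it generates in place of real scanner output so that it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Subset of the record shape shown above; only the fields this example reads
// are declared, encoding/json ignores the rest.
type Extra struct {
	CertificateDomainName  string `json:"certificate_domain_name"`
	MinimumProtocolVersion string `json:"minimum_protocol_version"`
	SSLSupportMethod       string `json:"ssl_support_method"`
	NotAfter               string `json:"not_after"`
}
type Data struct {
	Type    string `json:"type"`
	Extra   Extra  `json:"extra"`
	CertPEM string `json:"cert_pem"`
}
type Result struct {
	Data Data `json:"data"`
}

// Security policies treated as acceptable (assumption: adjust to your baseline).
var acceptablePolicies = map[string]bool{"TLSv1.2_2021": true, "TLSv1.3_2025": true}

// Check parses one record and returns findings. The certificate bytes are the
// source of truth; the "extra" metadata is cross-checked against them.
func Check(raw []byte, now time.Time, warnWithin time.Duration) ([]string, error) {
	var r Result
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	if r.Data.Type != "cert" {
		return nil, fmt.Errorf("unexpected data.type %q", r.Data.Type)
	}
	block, _ := pem.Decode([]byte(r.Data.CertPEM)) // assumption: first block is the leaf
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("failed to decode PEM certificate")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("failed to parse certificate: %w", err)
	}
	x := r.Data.Extra
	var findings []string
	if t, err := time.Parse(time.RFC3339, x.NotAfter); err != nil || !t.Equal(leaf.NotAfter) {
		findings = append(findings, "not_after metadata disagrees with leaf certificate")
	}
	if now.After(leaf.NotAfter) {
		findings = append(findings, "certificate has expired")
	} else if left := leaf.NotAfter.Sub(now); left < warnWithin {
		findings = append(findings, fmt.Sprintf("certificate expires in %d days", int(left.Hours()/24)))
	}
	if err := leaf.VerifyHostname(x.CertificateDomainName); err != nil {
		findings = append(findings, "certificate does not cover "+x.CertificateDomainName)
	}
	if !acceptablePolicies[x.MinimumProtocolVersion] {
		findings = append(findings, "weak minimum_protocol_version "+x.MinimumProtocolVersion)
	}
	if x.SSLSupportMethod == "vip" {
		findings = append(findings, "dedicated-IP (vip) SSL support method in use")
	}
	if k, ok := leaf.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		findings = append(findings, "RSA key shorter than 2048 bits")
	}
	return findings, nil
}

// SampleRecord builds a constructed record around a freshly generated
// self-signed P-256 certificate; it stands in for scanner output.
func SampleRecord(host, policy, method string, notAfter time.Time) ([]byte, error) {
	notAfter = notAfter.UTC().Truncate(time.Second) // X.509 validity has whole-second precision
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	r := Result{Data: Data{Type: "cert", Extra: Extra{
		CertificateDomainName: host, MinimumProtocolVersion: policy, SSLSupportMethod: method,
		NotAfter: notAfter.Format(time.RFC3339),
	}, CertPEM: string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))}}
	return json.Marshal(r)
}

func main() {
	now := time.Now().Truncate(time.Second)
	raw, err := SampleRecord("example.com", "TLSv1_2016", "vip", now.Add(10*24*time.Hour))
	if err != nil {
		panic(err)
	}
	findings, err := Check(raw, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

Run against real scanner output, feed each record's JSON to Check and replace the allowlist with the policies your baseline permits; the two error strings match the plugin's own "Failed to decode PEM certificate" and "Failed to parse certificate" messages from the Troubleshooting section so the same conditions are easy to recognise.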

Supported Distributions

The plugin scans CloudFront distributions whose viewer certificate comes from AWS Certificate Manager (ACM). In a single run it:

  • Custom ACM Certificates: Extracts the ACM certificate attached to each distribution
  • Multiple Distributions: Scans every distribution in the account that uses a custom SSL certificate
  • Distribution Configuration: Captures aliases, origins, cache behaviors, logging and geo-restrictions alongside the certificate

The plugin does not currently support:

  • IAM server certificates (legacy; use ACM instead)
  • Default CloudFront certificates (distributions served only under *.cloudfront.net)

Limitations

  1. No Incremental Scans: Each scan processes all distributions (see the Why No Incremental Scans section)
  2. CloudFront Is a Global Service: The region in the configuration only selects the API endpoint; the same set of distributions is returned whichever region is scanned. ACM certificates attached to CloudFront must be issued in us-east-1, which is why certificate_arn always carries that region
  3. Certificate Chain: Metadata (issuer, subject, serial number, validity, algorithms) is extracted from the leaf certificate only. The full chain is included in cert_pem so that browsers and tools can build and validate the path themselves
  4. No Private Key Export: Private keys are never exported; only public certificate data is returned
  5. No IAM Certificates: Legacy IAM server certificates are logged but not processed

Troubleshooting

Connection Issues

Error: "InvalidClientTokenId"

  • Cause: The access key ID does not exist, or the credentials are expired or deactivated
  • Solution: Verify the credentials in the config file and confirm the access key is active in the IAM console; temporary credentials also require their session token

Error: "AccessDenied"

  • Cause: The IAM identity lacks a permission the scan needs (listing distributions, reading ACM certificates)
  • Solution: Verify the IAM policy grants every required action (see the IAM Permissions section); the error message names the action that was denied

Error: "NoSuchEntity"

  • Cause: An IAM API call referenced an entity (for example a server certificate) that does not exist. This is an IAM error code; it is not raised for a wrong region
  • Solution: Verify the account ID in the configuration and that the referenced resource still exists

Certificate Issues

No Certificates Found

  • Cause: No CloudFront distribution in the account uses a custom ACM certificate; distributions on the default *.cloudfront.net certificate are skipped
  • Solution: Attach an ACM certificate issued in us-east-1 to a distribution (see the AWS CloudFront documentation)

"Failed to decode PEM certificate"

  • Cause: The certificate data returned by ACM is not valid PEM (malformed or truncated)
  • Solution: Verify in the ACM console that the certificate is valid; reissue or re-import it if necessary

"Failed to parse certificate"

  • Cause: The PEM decoded, but its contents are not a parseable X.509 certificate
  • Solution: Ensure the certificate is valid DER-encoded X.509; contact AWS Support if the issue persists

Related Documentation

Support

For issues or questions about this plugin:

  1. Review the troubleshooting section above
  2. Check CloudFront plugin logs for detailed error messages
  3. Verify AWS credentials and IAM permissions
  4. Consult AWS CloudFront and Certificate Manager documentation