Output Format

The plugin generates JSON output in the following format for each discovered certificate:

{
  "result_type": "scan",
  "plugin_id": "aws-cloudfront-plugin",
  "plugin_version": "1.1.0",
  "data": {
    "type": "cert",
    "timestamp": "2026-01-21T15:33:19+05:30",
    "urn": "URN_NUMBER",
    "url": "https://console.aws.amazon.com/cloudfront/v3/home?region=us-east-1#/distributions/DISTRIBUTION_ID",
    "extra": {
      "distribution_id": "DISTRIBUTION_ID",
      "distribution_arn": "arn:aws:cloudfront::ACCOUNT_ID:distribution/DISTRIBUTION_ID",
      "domain_name": "d21rsch7py4ncb.cloudfront.net",
      "distribution_status": "Deployed",
      "certificate_domain_name": "example.com",
      "certificate_arn": "arn:aws:acm:us-east-1:ACCOUNT_ID:certificate/...",
      "certificate_source": "acm",
      "minimum_protocol_version": "TLSv1.3_2025",
      "ssl_support_method": "sni-only",
      "issuer": "Entrust",
      "subject": "CN=example.com",
      "serial_number": "2b:41:0b:12:32:dc:fa:f0:84:86:a5:3c:ca:b7:f4:c6:f7:2d:55:18",
      "not_before": "2025-12-17T23:42:49Z",
      "not_after": "2026-12-17T23:42:49Z",
      "key_algorithm": "RSA-2048",
      "signature_algorithm": "SHA256WITHRSA"
    },
    "cert_pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
  }
}

Output Fields Explanation

Supported Distributions

The plugin supports CloudFront distributions that use:

• Custom ACM Certificates: Certificates from AWS Certificate Manager
• Multiple Distributions: Scans all distributions with custom SSL certificates in a single operation
• Distribution Configuration: Captures aliases, origins, cache behaviors, logging, geo-restrictions

The plugin does not currently support:

• IAM certificates (legacy - use ACM instead)
• Default CloudFront certificates

Limitations

1. No Incremental Scans: Each scan processes all distributions (see Why No Incremental Scans section)
2. CloudFront Global Service: Even when scanning a specific region, CloudFront distributions are global resources but must be accessed through the CloudFront API
3. Certificate Chain: The plugin extracts metadata from the leaf certificate in the chain. Full chain is included in PEM output for browser/tool validation
4. No Private Key Export: Private keys are never exported - only public certificate data is returned
5. No IAM Certificates: Legacy IAM certificates are logged but not processed

Troubleshooting

Connection Issues

Error: "InvalidClientTokenId"

• Cause: Access key ID is invalid or credentials are expired
• Solution: Verify credentials in config file and ensure access key is active in IAM console

Error: "AccessDenied"

• Cause: IAM user lacks required permissions
• Solution: Verify IAM policy includes all required actions (see IAM Permissions section)

Error: "NoSuchEntity"

• Cause: Invalid AWS account or region
• Solution: Verify account ID and region in configuration

Certificate Issues

No Certificates Found

• Cause: No CloudFront distributions with custom ACM certificates
• Solution: Create a CloudFront distribution with custom ACM certificate (see AWS CloudFront documentation)

"Failed to decode PEM certificate"

• Cause: Certificate data is malformed or corrupted
• Solution: Verify certificate in ACM console is valid; regenerate if necessary

"Failed to parse certificate"

• Cause: Certificate parsing error or unsupported certificate format
• Solution: Ensure certificate is in valid X.509 format; contact AWS Support if issue persists

Related Documentation

• AWS CloudFront Documentation
• AWS Certificate Manager Documentation

Support

For issues or questions about this plugin:

1. Review the troubleshooting section above
2. Check CloudFront plugin logs for detailed error messages
3. Verify AWS credentials and IAM permissions
4. Consult AWS CloudFront and Certificate Manager documentation