turbot/net_insights

Control: Ensure domains have a CAA record configured to whitelist a CA for issuing certificates

Description

A CAA (Certification Authority Authorization) record is a DNS record type that gives a Certification Authority (CA) an additional check when it validates a request for an SSL certificate: it lists the CAs that are allowed to issue certificates for the domain. With CAA in place, the attack surface for fraudulent certificates is reduced, making sites more secure.

Usage

Run the control in your terminal:

powerpipe control run net_insights.control.ssl_certificate_caa_record_configured

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run net_insights.control.ssl_certificate_caa_record_configured --share

Steampipe Tables

Params

Args | Name | Default | Description | Variable
$1 | domain_names | ["github.com","microsoft.com"] | DNS domain names. |

SQL

-- Every requested domain that returns DNS records.
with domain_list as (
  select
    distinct domain
  from
    net_dns_record
  where
    domain in (
      select
        jsonb_array_elements_text(to_jsonb($1::text[]))
    )
  order by
    domain
),
-- The subset of those domains that publish at least one CAA record.
domain_with_caa_record as (
  select
    distinct domain
  from
    net_dns_record
  where
    domain in (
      select
        jsonb_array_elements_text(to_jsonb($1::text[]))
    )
    and type = 'CAA'
)
-- 'ok' when a CAA record exists for the domain, 'alarm' otherwise.
select
  domain_list.domain as resource,
  case
    when domain_with_caa_record.domain is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when domain_with_caa_record.domain is not null then domain_list.domain || ' has CAA record.'
    else domain_list.domain || ' does not have a CAA record.'
  end as reason
from
  domain_list
  left join domain_with_caa_record on domain_list.domain = domain_with_caa_record.domain
order by
  domain_list.domain;
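
The query above returns ok as soon as any CAA record exists for the domain; it does not read what the record says. The following Python is an added example, not part of the net_insights mod: it applies the RFC 8659 issue/issuewild rules to a CAA record set to show which CA the records actually authorize. The function names, CA identifiers and sample records are constructed for illustration, and the caller is assumed to pass the record set that applies to the name being requested.

```python
import re

# CAA presentation format (RFC 8659): <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(rdata):
    """Return (flags, tag, issuer_domain) for one CAA rdata string."""
    m = CAA_RE.match(rdata)
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    # Optional parameters follow the issuer domain after ';' and are ignored here.
    issuer = value.split(";", 1)[0].strip().lower()
    return flags, tag, issuer


def ca_may_issue(rdatas, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given the relevant CAA record set."""
    records = [parse_caa(r) for r in rdatas]
    if not records:
        return True  # no CAA record set: issuance is not restricted
    # An unrecognized tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [i for _, t, i in records if t == "issue"]
    issuewild = [i for _, t, i in records if t == "issuewild"]
    # For wildcard names issuewild, when present, replaces issue entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # e.g. only iodef records: a CAA record exists, nothing is restricted
    # An empty issuer (value ";") matches no CA, so nobody may issue.
    return ca_domain.lower() in relevant


# Constructed sample record sets; both would be reported as 'ok' by the control.
RESTRICTIVE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]
REPORT_ONLY = ['0 iodef "mailto:security@example.com"']

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "digicert.com"):
        print(ca, ca_may_issue(RESTRICTIVE, ca), ca_may_issue(REPORT_ONLY, ca))
```

A record set like REPORT_ONLY passes the control while restricting no CA, so an ok result is worth following up with a look at the issue and issuewild values.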