SSL/TLS certificates expire in one week

Ensure that SSL/TLS certificates stored in AWS IAM are renewed one week before expiry.

Risk Level: High
Cloud Entity: IAM Server Certificate
CloudGuard Rule ID: D9.AWS.CRY.08
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

IamServerCertificate should not have expiration before(7, 'days')

REMEDIATION

From Portal

  1. Login to the AWS Management Console.
  2. Navigate to the EC2 dashboard.
  3. Go to Load Balancing and click Load Balancers.
  4. Select the Elastic Load Balancer whose certificate is expiring within 7 days.
  5. Select the Listeners tab and click the Change link in the SSL Certificate column.
  6. In the Select Certificate dialog box, perform the following actions:
    a. If you have already deployed a certificate with AWS Certificate Manager (ACM), select Choose an existing certificate from AWS Certificate Manager (ACM) and choose the new SSL certificate from the Certificate dropdown list.
    b. If you have already uploaded an SSL certificate to AWS IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM) and choose the new SSL certificate from the Certificate dropdown list.
    c. If you have not yet uploaded an SSL/TLS certificate to AWS IAM, select Upload a new SSL certificate to AWS IAM to deploy the new SSL certificate by entering the required data provided by the SSL certificate provider.
  7. Click Save to apply the new SSL certificate and replace the one that is about to expire.

Note: You can perform the same steps for every load balancer that needs SSL/TLS certificate renewal.

From Command Line
Run the command below to upload the new certificate to IAM, replacing the one that is about to expire.

aws iam upload-server-certificate --server-certificate-name EXAMPLE_CERTIFICATE --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Run the command below to replace the ELB's existing SSL certificate with the one uploaded to AWS IAM in the previous step.

aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name EXAMPLE_NAME --load-balancer-port 443 --ssl-certificate-id EXAMPLE_CERTIFICATE_ID
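The GSL logic above says which certificates the rule flags but not how to find them yourself. As an added example (not CloudGuard's own code or GSL engine), the Python below applies the same 7-day check to JSON in the shape returned by `aws iam list-server-certificates`, so you know which IAM certificates to replace with the two commands above. The listing, account id and dates are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam list-server-certificates` output;
# the names, account id and dates are made up for this example.
SAMPLE_LISTING = json.loads("""{"ServerCertificateMetadataList": [
 {"ServerCertificateName": "web-prod", "Expiration": "2024-06-05T23:59:59+00:00",
  "Arn": "arn:aws:iam::123456789012:server-certificate/web-prod"},
 {"ServerCertificateName": "api-prod", "Expiration": "2024-09-01T23:59:59+00:00",
  "Arn": "arn:aws:iam::123456789012:server-certificate/api-prod"},
 {"ServerCertificateName": "legacy", "Expiration": "2024-05-30T12:00:00Z",
  "Arn": "arn:aws:iam::123456789012:server-certificate/legacy"}]}""")

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) live.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def parse_expiration(value):
    """Parse the ISO 8601 timestamp the CLI emits; tolerate a trailing 'Z'."""
    expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if expires.tzinfo is None:  # be safe if a bare timestamp is passed in
        expires = expires.replace(tzinfo=timezone.utc)
    return expires

def certificates_expiring_within(listing, now, days=7):
    """Return the certificates violating the rule: expiration earlier than
    now + days (already-expired ones included), soonest first."""
    cutoff = now + timedelta(days=days)
    findings = []
    for cert in listing["ServerCertificateMetadataList"]:
        expires = parse_expiration(cert["Expiration"])
        if expires < cutoff:
            findings.append({"name": cert["ServerCertificateName"],
                             "arn": cert["Arn"],
                             "expires": expires.isoformat(),
                             "days_left": (expires - now).days})
    return sorted(findings, key=lambda f: f["days_left"])

def run_sample():
    """Apply the 7-day check to the constructed listing."""
    return certificates_expiring_within(SAMPLE_LISTING, SAMPLE_NOW)

if __name__ == "__main__":
    for f in run_sample():
        status = "EXPIRED" if f["days_left"] < 0 else f"{f['days_left']} days left"
        print(f"{f['name']}: {status} (expires {f['expires']}) -> upload a new "
              "certificate with `aws iam upload-server-certificate` and re-point the listener")
```

To run it against a real account, pipe `aws iam list-server-certificates --output json` into `json.load` and pass `datetime.now(timezone.utc)` as `now`.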

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
  2. https://aws.amazon.com/certificate-manager/

IAM Server Certificate

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use a server certificate provided by AWS Certificate Manager (ACM) or one that you obtained from an external provider. You can use ACM or IAM to store and deploy server certificates.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset