ALB secured listener certificate expires in one week

Ensure that SSL/TLS certificates stored in AWS IAM are renewed one week before expiry.

Risk Level: High
Cloud Entity: Application Load Balancer
CloudGuard Rule ID: D9.AWS.CRY.12
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

ApplicationLoadBalancer should not have listeners contain [ certificates contain [ expiration before(7, 'days') ] ]

REMEDIATION

From Portal

  1. Login to the AWS Management Console.
  2. Navigate to EC2 dashboard
  3. Go to Load Balancing and click Load Balancers.
  4. Select the Application Load Balancer for which certificate is expiring in one week.
  5. Navigate to the Load Balancer section, and then the Listeners tab. Select the listener and click on View/edit certificates tab, and then click Add Certificate. You can add or import ACM or IAM certificates from here.

From Command Line
Run below Command to replace the SSL certificates that are about to expire with new certificates uploaded to IAM.

aws iam upload-server-certificate --server-certificate-name EXAMPLE_CERTIFICATE --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

Run below command to replace the ELB existing SSL certificate with the newly one uploaded to AWS IAM through upload command in previous step.

aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name EXAMPLE_NAME --load-balancer-port 443 --ssl-certificate-id EXAMPLE_CERTIFICATE_ID

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
  2. https://aws.amazon.com/certificate-manager/
  3. https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html

Application Load Balancer

An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset