Ensure the AWS Certificate Manager (ACM) has no unused certificates

Checks the ACM for unused certificates. It is recommended to delete unused certificates, or associate them (use them).

Suggest Edits

Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.28
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate should have inUseBy with ['%arn%']

REMEDIATION

From Portal
Following are the steps to delete unused certificates:

  1. Open the ACM console at https://console.aws.amazon.com/acm/.
  2. In the list of certificates, select the check box for an ACM certificate, then choose Delete.

Alternatively, you can associate/use the unused certificate to the resource which requires the certificate.

From Command Line
Use the delete-certificate command to delete a certificate, as shown in the following command:

aws acm delete-certificate --certificate-arn ARN

References

  1. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • CloudGuard AWS All Rules Ruleset

Updated 7 months ago