Ensure the AWS Certificate Manager (ACM) has no unused certificates
Checks ACM for certificates that are not in use by any resource. It is recommended to delete unused certificates, or to associate them with a resource that uses them.
Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.28
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
AcmCertificate should have inUseBy with ['%arn%']
REMEDIATION
From Portal
Following are the steps to delete unused certificates:
- Open the ACM console at https://console.aws.amazon.com/acm/.
- In the list of certificates, select the check box for an ACM certificate, then choose Delete.
Alternatively, you can associate the unused certificate with the resource that requires it.
From Command Line
Use the delete-certificate command to delete a certificate, replacing ARN with the certificate's ARN, as shown in the following command:
aws acm delete-certificate --certificate-arn ARN
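The following script is an added example, not CloudGuard's own code: it applies the same condition as the GSL rule above (a certificate passes only if its InUseBy list names at least one resource ARN) to a constructed sample in the shape of the describe-certificate output, and builds the delete command from this page for each failing certificate rather than running it. The account number and ARNs are placeholders, and the optional fetch_certificates helper assumes boto3 and AWS credentials are available.

```python
"""Flag ACM certificates nothing references (empty InUseBy), the condition the
CloudGuard rule checks, and build the matching delete-certificate commands."""
from typing import Dict, List

# Constructed sample shaped like describe_certificate()["Certificate"]; placeholder ARNs.
ACCOUNT = "111122223333"
ELB_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/web/EXAMPLE"
SAMPLE_CERTIFICATES: List[Dict] = [
    {"CertificateArn": f"arn:aws:acm:us-east-1:{ACCOUNT}:certificate/EXAMPLE-IN-USE",
     "DomainName": "www.example.com", "Status": "ISSUED", "InUseBy": [ELB_ARN]},
    {"CertificateArn": f"arn:aws:acm:us-east-1:{ACCOUNT}:certificate/EXAMPLE-UNUSED",
     "DomainName": "old.example.com", "Status": "ISSUED", "InUseBy": []},
    # No InUseBy key at all: treat a missing list the same as an empty one.
    {"CertificateArn": f"arn:aws:acm:us-east-1:{ACCOUNT}:certificate/EXAMPLE-PENDING",
     "DomainName": "new.example.com", "Status": "PENDING_VALIDATION"},
]


def find_unused_certificates(certificates: List[Dict]) -> List[Dict]:
    """Return certificates whose InUseBy list is empty or absent, i.e. the ones
    failing `AcmCertificate should have inUseBy with ['%arn%']`."""
    return [c for c in certificates if not c.get("InUseBy")]


def remediation_commands(certificates: List[Dict]) -> List[str]:
    """Build (never run) the delete command from the page for each unused
    certificate, annotated with domain and status so an operator can decide
    whether to delete it or attach it to the resource that needs it instead."""
    return [
        f"aws acm delete-certificate --certificate-arn {c['CertificateArn']}"
        f"  # {c.get('DomainName', '?')} ({c.get('Status', 'UNKNOWN')})"
        for c in find_unused_certificates(certificates)
    ]


def fetch_certificates(region_name: str) -> List[Dict]:
    """Pull every certificate in a region with boto3 (needs AWS credentials).
    boto3 is imported lazily so the pure functions above work without it."""
    import boto3  # assumption: boto3 is installed where this runs
    acm = boto3.client("acm", region_name=region_name)
    certs: List[Dict] = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


if __name__ == "__main__":
    print("\n".join(remediation_commands(SAMPLE_CERTIFICATES)))
```

To audit a real account, replace SAMPLE_CERTIFICATES with fetch_certificates("us-east-1") and review the printed commands before running any of them.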
References
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html
AWS Certificate Manager
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- CloudGuard AWS All Rules Ruleset