Risk Level: Low

Cloud Entity: AWS Certificate Manager

CloudGuard Rule ID: D9.AWS.CRY.40

Covered by Spectral: No

Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate should not have status = 'EXPIRED'

REMEDIATION

From Portal

Sign in to the AWS Management Console.
Navigate to AWS ACM dashboard at https://console.aws.amazon.com/acm/.
Select the SSL/TLS certificate that you want to remove with the status as Expired.
Click on the expired certificate and review the certificate details (domain name and ID).
Click Delete to confirm the action.
Repeat step number 3 and 4 to remove other expired AWS ACM certificates available within the selected region.
Change the AWS region from the navigation bar and repeat the process for other regions.

From Command Line
Use the delete-certificate command to delete an expired certificate, as shown in the following command:

aws acm delete-certificate --certificate-arn ARN

References

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

AWS CIS Controls V 8
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset