Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed
Removing expired SSL/TLS certificates prevents accidental invalid certificate usage and is recommended as a best practice.
Risk Level: Low
Cloud Entity: IAM Server Certificate
CloudGuard Rule ID: D9.AWS.CRY.56
Covered by Spectral: Yes
Category: Security, Identity, & Compliance
GSL LOGIC
IamServerCertificate should not have expiration before(0, 'days')
REMEDIATION
From Command Line
To list all IAM server certificates, run:
aws iam list-server-certificates
To delete an expired IAM server certificate, run:
aws iam delete-server-certificate --server-certificate-name CERTIFICATE-NAME
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
- https://docs.aws.amazon.com/cli/latest/reference/iam/delete-server-certificate.html
IAM Server Certificate
To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use a server certificate provided by AWS Certificate Manager (ACM) or one that you obtained from an external provider. You can use ACM or IAM to store and deploy server certificates.
Compliance Frameworks
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CIS Foundations v. 2.0.0
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago