SSL/TLS certificates expire in 45 days

Ensure that SSL/TLS server certificates stored in AWS IAM are renewed before their expiration date.

Risk Level: Informational
Cloud Entity: IAM Server Certificate
CloudGuard Rule ID: D9.AWS.CRY.57
Covered by Spectral: No
Category: Security, Identity, & Compliance


IamServerCertificate should not have expiration before(45, 'days')


Use the AWS IAM API to send an UploadServerCertificate request to update or replace the certificate in IAM.
Alternatively, where possible, use the AWS Certificate Manager (ACM) to manage your certificates, and automatically renew them.

From Command Line
To list all IAM server certificates, run:

aws iam list-server-certificates

To delete an expired IAM server certificate, run:

aws iam delete-server-certificate --server-certificate-name CERTIFICATE-NAME

To upload a new IAM server certificate, run:

aws iam upload-server-certificate --server-certificate-name CERTIFICATE-NAME --certificate-body CERTIFICATE-BODY-FILE --private-key CERTIFICATE-KEY-FILE --certificate-chain CERTIFICATE-CHAIN-FILE



IAM Server Certificate

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use a server certificate provided by AWS Certificate Manager (ACM) or one that you obtained from an external provider. You can use ACM or IAM to store and deploy server certificates.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset