Ensure ACM certificate was not issued before the Heartbleed security bug fix
Ensure that certificates stored in AWS Certificate Manager are not exposed to the Heartbleed security bug (Issued before April 8, 2014).
Risk Level: Critical
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.59
Covered by Spectral: No
Category: Security, Identity, & Compliance
GSL LOGIC
AcmCertificate where status='ISSUED' should have ( notBefore>1396915200 and issuedAt=-62135596800 ) or issuedAt>1396915200
REMEDIATION
From Portal
- Go to 'Certificate Manager'
- Identify certificates that were issued before 'April 8, 2014' (Unix timestamp: 1396915200).
- Delete the certificates.
From TF
To delete an ACM certificate, delete the relevant entity:
resource "aws_acm_certificate" "example_cert" {
...
}
From Command Line
To list all ACM certificates, run:
aws acm --region REGION list-certificates
To check an ACM certificate issue date, run:
aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN
To delete an ACM certificate, run:
aws acm delete-certificate --region REGION --certificate-arn CERTIFICATE-ARN
References
- https://heartbleed.com/
- https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html
AWS Certificate Manager
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated over 1 year ago