Ensure ACM certificate was not issued before the Heartbleed security bug fix

Risk Level: Critical
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.59
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate where status='ISSUED' should have ( notBefore>1396915200 and issuedAt=-62135596800 ) or issuedAt>1396915200

REMEDIATION

From Portal

1. Go to 'Certificate Manager'
2. Identify certificates that were issued before 'April 8, 2014' (Unix timestamp: 1396915200).
3. Delete the certificates.

From TF
To delete an ACM certificate, delete the relevant entity:

resource "aws_acm_certificate" "example_cert" {
	...
}

From Command Line
To list all ACM certificates, run:

aws acm --region REGION list-certificates

To check an ACM certificate issue date, run:

aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN

To delete an ACM certificate, run:

aws acm delete-certificate --region REGION --certificate-arn CERTIFICATE-ARN

References

1. https://heartbleed.com/
2. https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html
5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html
6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

• AWS CloudGuard Best Practices
• AWS CloudGuard SOC2 based on AICPA TSC 2017
• AWS HITRUST v11.0.0
• AWS MITRE ATT&CK Framework v11.3
• AWS NIST 800-53 Rev 5
• AWS PCI-DSS 4.0
• CloudGuard AWS All Rules Ruleset
• CloudGuard AWS Default Ruleset