Ensure ACM certificate was not issued before the Heartbleed security bug fix

Ensure that certificates stored in AWS Certificate Manager are not exposed to the Heartbleed security bug, that is, that none of them were issued before April 8, 2014.

Risk Level: Critical
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.59
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate where status='ISSUED' should have ( notBefore>1396915200 and issuedAt=-62135596800 ) or issuedAt>1396915200
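The same rule expressed in Python over `describe-certificate`-style records, as an added example (not CloudGuard's or AWS's code). The sentinel `-62135596800` in the GSL is the Unix time of 0001-01-01T00:00:00Z, which the rule uses for an unset `issuedAt`; ACM populates `IssuedAt` only for AMAZON_ISSUED certificates, so imported certificates are judged on their own `NotBefore`. The sample certificates, ARNs and dates are constructed.

```python
from datetime import datetime, timezone

# Cutoff used by the rule: 2014-04-08T00:00:00Z.
HEARTBLEED_CUTOFF = 1396915200
# Sentinel the GSL uses for an unset issuedAt: Unix time of 0001-01-01T00:00:00Z.
# ACM sets IssuedAt only for AMAZON_ISSUED certificates, so imported ones take this path.
ISSUED_AT_UNSET = -62135596800


def to_epoch(value):
    """Normalise an ACM timestamp (tz-aware datetime, int, or missing) to Unix seconds."""
    if value is None:
        return ISSUED_AT_UNSET
    if isinstance(value, datetime):
        return int(value.timestamp())
    return int(value)


def evaluate(cert):
    """Apply the GSL to one describe-certificate record: NOT_ASSESSED / COMPLIANT / NON_COMPLIANT."""
    if cert.get("Status") != "ISSUED":
        return "NOT_ASSESSED"  # the 'where' clause excludes non-ISSUED certificates
    issued_at = to_epoch(cert.get("IssuedAt"))
    not_before = to_epoch(cert.get("NotBefore"))
    if issued_at == ISSUED_AT_UNSET:
        ok = not_before > HEARTBLEED_CUTOFF  # imported: fall back to the cert's own NotBefore
    else:
        ok = issued_at > HEARTBLEED_CUTOFF
    return "COMPLIANT" if ok else "NON_COMPLIANT"


def noncompliant_arns(certs):
    """ARNs the remediation steps should act on."""
    return [c["CertificateArn"] for c in certs if evaluate(c) == "NON_COMPLIANT"]


# Constructed sample records (ARNs and dates are made up), shaped like boto3 output.
_UTC = timezone.utc
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/amazon-2016",
     "Status": "ISSUED", "Type": "AMAZON_ISSUED",
     "NotBefore": datetime(2016, 5, 1, tzinfo=_UTC), "IssuedAt": datetime(2016, 5, 1, tzinfo=_UTC)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/imported-2013",
     "Status": "ISSUED", "Type": "IMPORTED", "NotBefore": datetime(2013, 11, 20, tzinfo=_UTC)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/imported-2020",
     "Status": "ISSUED", "Type": "IMPORTED", "NotBefore": datetime(2020, 1, 15, tzinfo=_UTC)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/pending",
     "Status": "PENDING_VALIDATION", "Type": "AMAZON_ISSUED", "NotBefore": datetime(2013, 1, 1, tzinfo=_UTC)},
]
```

Feed `noncompliant_arns` the `Certificate` objects returned by `aws acm describe-certificate` for each ARN to get the list the remediation steps should act on.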

REMEDIATION

From Portal

  1. Go to 'Certificate Manager'
  2. Identify certificates that were issued before 'April 8, 2014' (Unix timestamp: 1396915200).
  3. Delete the certificates.

From TF
To delete an ACM certificate, remove the corresponding resource block from your configuration:

resource "aws_acm_certificate" "example_cert" {
	...
}

From Command Line
To list all ACM certificates, run:

aws acm --region REGION list-certificates

To check an ACM certificate issue date, run:

aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN

To delete an ACM certificate, run:

aws acm delete-certificate --region REGION --certificate-arn CERTIFICATE-ARN

References

  1. https://heartbleed.com/
  2. https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/list-certificates.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/describe-certificate.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset
  • CloudGuard AWS Default Ruleset