Risk Level: Critical
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.59
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate where status='ISSUED' should have ( notBefore>1396915200 and issuedAt=-62135596800 ) or issuedAt>1396915200

REMEDIATION

From Portal

Go to 'Certificate Manager'
Identify certificates that were issued before 'April 8, 2014' (Unix timestamp: 1396915200).
Delete the certificates.

From TF
To delete an ACM certificate, delete the relevant entity:

resource "aws_acm_certificate" "example_cert" {
	...
}

From Command Line
To list all ACM certificates, run:

aws acm --region REGION list-certificates

To check an ACM certificate issue date, run:

aws acm describe-certificate --region REGION --certificate-arn CERTIFICATE-ARN

To delete an ACM certificate, run:

aws acm delete-certificate --region REGION --certificate-arn CERTIFICATE-ARN

References

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset
CloudGuard AWS Default Ruleset