--- policy: /ce/ca/aws/iam/delete-expired-server-certificate logic: /ce/ca/aws/iam/delete-expired-server-certificate/prod.logic.yaml executionTime: 2026-06-06T12:02:59.432843833Z generationMs: 58 executionMs: 977 rows: - id: a1 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__expiration__c').beforeToday() actual: extract('CA10__expiration__c').beforeToday() runtimeError: {} - id: a2 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 200 actual: 200 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/iam/delete-expired-server-certificate/policy.yaml md5Hash: DE562426ED684637B4A9D5FB037D3D90 content: | --- names: full: AWS IAM Server Certificate is expired contextual: Server Certificate is expired description: "To enable HTTPS connections to your website or application in AWS, you\ \ need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy\ \ server certificates. Use IAM as a certificate manager only when you must support\ \ HTTPS connections in a region that is not supported by ACM. IAM securely encrypts\ \ your private keys and stores the encrypted version in IAM SSL certificate storage.\ \ IAM supports deploying server certificates in all regions, but you must obtain\ \ your certificate from an external provider for use with AWS. You cannot upload\ \ an ACM certificate to IAM. Additionally, you cannot manage your certificates from\ \ the IAM Console." 
type: COMPLIANCE_POLICY categories: - "SECURITY" - "RELIABILITY" frameworkMappings: - "/frameworks/cis-aws-v7.0.0/02/17" - "/frameworks/cloudaware/secret-and-certificate-governance/expiration-management" similarPolicies: internal: - dec-x-12a85339 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/expired-ssl-tls-certificate.html name: Expired SSL/TLS Certificate awsSecurityHub: - name: "[IAM.26] Expired SSL/TLS certificates managed in IAM should be removed" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/iam-controls.html#iam-26" - path: /ce/ca/aws/iam/delete-expired-server-certificate/prod.logic.yaml md5Hash: 04D8035C256F572BEF90962472466FC9 content: "---\ninputType: \"CA10__CaAwsServerCertificate__c\"\ntestData:\n -\ \ file: test-data.json\nimportExtracts:\n - file: /types/CA10__CaAwsServerCertificate__c/object.extracts.yaml\n\ conditions:\n - status: \"INCOMPLIANT\"\n currentStateMessage: \"The IAM\ \ server certificate is expired.\"\n remediationMessage: \"Delete the expired\ \ IAM server certificate.\"\n check:\n IS_BEFORE_TODAY: \n arg:\n\ \ EXTRACT: CA10__expiration__c\notherwise:\n status: \"COMPLIANT\"\ \n currentStateMessage: \"The IAM server certificate is not expired.\"\n" - path: /ce/ca/aws/iam/delete-expired-server-certificate/test-data.json md5Hash: 9B2A582BEEB6C1D8D1FF2576EC220423 content: | [ { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "extract('CA10__expiration__c').beforeToday()", "runtimeError": null }, "context": { "snapshotTime": "2024-06-19T07:55:48Z" }, "Id": "a1", "CA10__disappearanceTime__c": null, "CA10__certificateName__c": "certificateName1", "CA10__expiration__c": "2019-07-24T16:15:54Z" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "200", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-06-19T07:55:48Z" }, "Id": "a2", "CA10__disappearanceTime__c": null, 
"CA10__certificateName__c": "certificateName2", "CA10__expiration__c": "2999-03-14T02:00:19Z" } ] - path: /types/CA10__CaAwsServerCertificate__c/object.extracts.yaml md5Hash: 4D35273CC60343F6F1212EB66D5DD434 content: "# yaml-language-server: $schema=../../schema/Extracts.schema.json\n\ ---\nextracts:\n# Not Nullable. Can't have no Access, retrieved via iam:ListServerCertificates\n\ \ - name: CA10__certificateName__c\n value:\n FIELD: \n path:\ \ CA10__certificateName__c\n undeterminedIf: \n isEmpty: \"\ Corrupted data. Certificate Name cannot be empty.\"\n# Not Nullable. Can't have\ \ no Access, retrieved via iam:ListServerCertificates\n - name: CA10__expiration__c\n\ \ value:\n FIELD: \n path: CA10__expiration__c\n undeterminedIf:\ \ \n isEmpty: \"Corrupted data. Certificate Expiration Data cannot\ \ be empty.\"" script: |-
  -- Test harness for the generated logic of
  -- /ce/ca/aws/iam/delete-expired-server-certificate (BigQuery SQL with JS UDFs).
  -- Three TEMP FUNCTIONs are declared, then one SELECT joins each expected
  -- result (from test-data.json) to the outcome the policy function actually
  -- produced for the same Id and reports MATCH / FAIL per row.
  --
  -- NOTE(review): "RETURNS ARRAY >>" and "RETURNS STRUCT" below look truncated;
  -- the element/field type lists appear to have been lost when this page was
  -- extracted. The declared return types cannot be read from this view.

  -- Expected outcome per test row, copied from the "expectedResult" objects in
  -- test-data.json. conditionIndex is a JS string here ("199") while the policy
  -- function returns a number; the final SELECT compares them via IFNULL(..., -1),
  -- so the (lost) declared return type presumably coerces it to an integer —
  -- confirm against the generator.
  CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r"""
  return [
    { "Id" : "a1", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "extract('CA10__expiration__c').beforeToday()", "runtimeError" : null } },
    { "Id" : "a2", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "200", "conditionText" : "otherwise", "runtimeError" : null } }
  ];
  """;

  -- Input records for the policy function, copied from test-data.json. Only the
  -- fields the policy reads are materialised: Id, CA10__expiration__c and
  -- context.snapshotTime. CA10__disappearanceTime__c (null in test-data.json) is
  -- not present, so the STRUCT built in the SELECT below presumably carries NULL
  -- for it — confirm.
  CREATE TEMP FUNCTION mock_CA10__CaAwsServerCertificate__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r"""
  return [
    { "context" : { "snapshotTime" : new Date("2024-06-19T07:55:48Z") }, "CA10__expiration__c" : new Date("2019-07-24T16:15:54Z"), "Id" : "a1" },
    { "context" : { "snapshotTime" : new Date("2024-06-19T07:55:48Z") }, "CA10__expiration__c" : new Date("2999-03-14T02:00:19Z"), "Id" : "a2" }
  ];
  """;

  -- Generated evaluation of prod.logic.yaml for one CA10__CaAwsServerCertificate__c
  -- record. Conditions are tried in order and the first hit is returned:
  --   conditionIndex 99   DISAPPEARED  - CA10__disappearanceTime__c is set
  --   conditionIndex 101  UNDETERMINED - CA10__expiration__c is empty
  --   conditionIndex 199  INCOMPLIANT  - expiration is before the snapshot day
  --   conditionIndex 200  COMPLIANT    - otherwise
  -- "today" is derived from snapshotTime rather than the wall clock, so the
  -- verdict for a given snapshot is reproducible.
  -- Returns a STRUCT with status, conditionIndex, conditionText,
  -- currentStateMessage, currentStateReferences, remediation and runtimeError.
  CREATE TEMP FUNCTION process_CA10__CaAwsServerCertificate__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__expiration__c TIMESTAMP, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r"""
  // Emptiness helpers; loose == / != is deliberate so null and undefined are
  // both treated as empty.
  var IsEmptyLib = new function () {
    this.simpleIsEmpty = function(arg) { return arg == null; };
    this.simpleIsNotEmpty = function(arg) { return arg != null; };
  }();
  // Midnight UTC of the snapshot day, as epoch milliseconds. "beforeToday" means
  // strictly before this instant, so a certificate that expired earlier on the
  // snapshot day is still reported COMPLIANT until a later snapshot.
  var today = new Date(snapshotTime.toISOString().substr(0,10)+'T00:00:00.000Z').getTime();
  // Human-readable trail of every field value inspected; joined with newlines
  // into currentStateReferences of whichever result is returned.
  var references1 = [];
  // condition[0], conditionIndex:[0..99]
  references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
  if (obj.CA10__disappearanceTime__c != null) {
    return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  }
  // condition[1], conditionIndex:[100..199]
  // Reads CA10__expiration__c. An empty value is the undeterminedIf case from
  // object.extracts.yaml; it is signalled by throwing, with the complete result
  // struct carried in err.cause so the catch block below can return it as-is.
  function fieldChecked4() {
    if (IsEmptyLib.simpleIsEmpty(obj.CA10__expiration__c)) {
      throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__expiration__c.isEmpty()", currentStateMessage: "Corrupted data. Certificate Expiration Data cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
    }
    return obj.CA10__expiration__c;
  }
  // Memoised accessor: it is invoked as extract3.call(extract3), so `this` is
  // the function object itself and `this.out` caches the first extraction.
  function extract3() {
    if (!this.out) { this.out = fieldChecked4(); }
    return this.out;
  };
  references1.push('Expiration [obj.CA10__expiration__c]: ' + obj.CA10__expiration__c);
  try {
    if (extract3.call(extract3) != null && extract3.call(extract3).getTime() < today) {
      return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "extract('CA10__expiration__c').beforeToday()", currentStateMessage: "The IAM server certificate is expired.", currentStateReferences: references1.join('\n'), remediation: "Delete the expired IAM server certificate.", runtimeError: null};
    }
  } catch (err) {
    // Only the UNDETERMINED signal raised above carries a cause with a status;
    // anything else is a genuine runtime failure and is re-thrown.
    if (err.cause && err.cause.status) { return err.cause; } else { throw err; }
  }
  return {status: 'COMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "The IAM server certificate is not expired.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  """;

  -- One output row per expected result. "match" is MATCH only when status,
  -- conditionIndex, conditionText and runtimeError all agree; each side is
  -- normalised with IFNULL so a NULL on both sides compares equal instead of
  -- yielding UNKNOWN. The LEFT JOIN keeps every expected row, so an Id with no
  -- policy result surfaces as FAIL (all actual columns NULL) rather than
  -- disappearing; mock records with no expected result are not surfaced.
  SELECT
    expectedResult.Id as Id,
    IF (
      IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
      AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
      AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
      AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
      "MATCH", "FAIL"
    ) as match,
    expectedResult.expectedResult.status as expectedStatus,
    sObject.result.status as actualStatus,
    expectedResult.expectedResult.conditionIndex as expectedConditionIndex,
    sObject.result.conditionIndex as actualConditionIndex,
    expectedResult.expectedResult.conditionText as expectedConditionText,
    sObject.result.conditionText as actualConditionText,
    expectedResult.expectedResult.runtimeError as expectedRuntimeError,
    sObject.result.runtimeError as actualRuntimeError
  FROM UNNEST(mock_ExpectedResult()) expectedResult
  LEFT JOIN (
    -- Run the policy function once per mock record. The STRUCT argument is
    -- built field by field, in the same order as the function's obj parameter,
    -- with the record's own snapshotTime as the second argument.
    SELECT
      sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
      sObject.CA10__expiration__c AS CA10__expiration__c,
      sObject.Id AS Id,
      process_CA10__CaAwsServerCertificate__c(
        STRUCT(
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.CA10__expiration__c AS CA10__expiration__c,
          sObject.Id AS Id
        ),
        sObject.context.snapshotTime
      ) as result
    FROM UNNEST(mock_CA10__CaAwsServerCertificate__c()) AS sObject
  ) sObject ON sObject.Id = expectedResult.Id;