πŸ“ AWS ACM Certificate Expired 🟒

  • Contextual name: Certificate Expired 🟢
  • ID: /ce/ca/aws/acm/certificate-expired
  • Located in: AWS ACM

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-689858b51 | |

Logic

Description

Ensure that all expired Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates in AWS Certificate Manager (ACM) are removed. AWS Certificate Manager is a service that allows easy provisioning, management, and deployment of SSL/TLS certificates for use with other Amazon services like Elastic Load Balancing (ELB) and CloudFront.

Rationale

Removing expired certificates enhances security and helps maintain compliance with Amazon's Security Best Practices. Expired certificates may expose sensitive data to interception by malicious actors, posing security and credibility risks. By removing these certificates, organizations mitigate the risk of accidentally deploying invalid SSL/TLS certificates to resources such as Elastic Load Balancing (ELB), which could lead to front-end errors for web applications or websites reliant on ELB and might be perceived as a lack of maintenance or security awareness.

Audit

This policy will mark a certificate as INCOMPLIANT if the Status field is set to EXPIRED.

... see more

Remediation

From Command Line

Perform one of the following commands to request a new managed certificate, import a new externally obtained certificate, or remove the expired ACM certificate via the AWS CLI:

Request a new public certificate

```bash
aws acm request-certificate \
--domain-name {{www.example.com}} \
--key-algorithm {{RSA_2048}} \
--validation-method {{DNS}} \
--idempotency-token {{1234}} \
--options CertificateTransparencyLoggingPreference=DISABLED
```

Note: If you are requesting a public certificate, each domain name that you specify must be validated to verify that you own or control the domain.

Request a new private certificate

```bash
aws acm request-certificate \
--domain-name {{www.example.com}} \
--idempotency-token {{12563}} \
--certificate-authority-arn {{certificateAuthorityArn}}
```

Note: If you do not provide a {{certificateAuthorityArn}} and you are trying to request a private certificate, ACM will attempt to issue a public certificate.

Import a new certificate

```bash
aws acm import-certificate \
```

... [see more](remediation.md)
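As an added example (not Cloudaware's own policy code), the following Python applies the Audit rule above, Status set to EXPIRED means INCOMPLIANT, to a constructed sample shaped like the `Certificate` object returned by `aws acm describe-certificate`, and goes one step beyond the page: it also warns on ISSUED certificates approaching NotAfter and separates an expired certificate that can be deleted outright from one still referenced in InUseBy, which has to be replaced in its consumers before ACM will let it go. The ARNs, domain names, dates and the fixed clock are all placeholders chosen for the demo.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the Certificate object returned by
# `aws acm describe-certificate`; ARNs and domains are placeholders.
SAMPLE_CERTIFICATES = json.loads("""[
 {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-1",
  "DomainName": "www.example.com", "Status": "EXPIRED",
  "NotAfter": "2024-01-15T23:59:59+00:00", "InUseBy": []},
 {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-2",
  "DomainName": "api.example.com", "Status": "EXPIRED",
  "NotAfter": "2024-02-01T23:59:59+00:00",
  "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc"]},
 {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example-3",
  "DomainName": "shop.example.com", "Status": "ISSUED",
  "NotAfter": "2030-06-30T23:59:59+00:00", "InUseBy": []}
]""")

FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed clock for the demo

def evaluate_certificate(cert, now=FIXED_NOW, warn_days=30):
    """Return one finding. Page rule: Status == EXPIRED -> INCOMPLIANT.
    Added beyond the page: ISSUED certificates within `warn_days` of NotAfter
    get a WARNING, and an expired certificate still listed in InUseBy must be
    replaced in its consumers first, because ACM will not delete a certificate
    that another AWS service is still using."""
    in_use = cert.get("InUseBy", [])
    not_after = cert.get("NotAfter")  # absent for e.g. PENDING_VALIDATION
    if cert["Status"] == "EXPIRED":
        state = "INCOMPLIANT"
        action = "replace_in_consumers_then_delete" if in_use else "delete"
    elif (cert["Status"] == "ISSUED" and not_after and
          datetime.fromisoformat(not_after) - now <= timedelta(days=warn_days)):
        state, action = "WARNING", "renew_or_reimport"
    else:
        state, action = "COMPLIANT", "none"
    return {"arn": cert["CertificateArn"], "domain": cert["DomainName"],
            "state": state, "action": action, "in_use_by": in_use}

def audit(certificates, now=FIXED_NOW):
    """Evaluate every certificate; INCOMPLIANT findings are listed first."""
    rank = {"INCOMPLIANT": 0, "WARNING": 1, "COMPLIANT": 2}
    return sorted((evaluate_certificate(c, now) for c in certificates),
                  key=lambda f: rank[f["state"]])

if __name__ == "__main__":
    for f in audit(SAMPLE_CERTIFICATES):
        print(f"{f['state']:<12} {f['domain']:<18} {f['action']}")
```

In a real account the input would come from `aws acm list-certificates` followed by `describe-certificate` per ARN; the evaluation logic is unchanged.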

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed. | 67
💼 APRA CPG 234 → 💼 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets. | 810
💼 Cloudaware Framework → 💼 Expiration Management | 12
💼 NIST SP 800-53 Revision 4 → 💼 SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES | 22