Skip to main content

πŸ›‘οΈ AWS ACM Certificate Expired🟒

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-689858b51

Description​

Open File

Description​

Ensure that all expired Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates in AWS Certificate Manager (ACM) are removed. AWS Certificate Manager is a service that enables easy provisioning, management, and deployment of SSL/TLS certificates for use with other Amazon services such as Elastic Load Balancing (ELB) and CloudFront.

Rationale​

Removing expired certificates enhances security and helps maintain compliance with Amazon's Security Best Practices. Expired certificates may expose sensitive data to interception by malicious actors, posing security and credibility risks. By removing these certificates, organizations mitigate the risk of accidentally deploying invalid SSL/TLS certificates to resources such as Elastic Load Balancing (ELB), which could lead to front-end errors for web applications or websites reliant on ELB and might be perceived as a lack of maintenance or security awareness.

Audit​

This policy flags an AWS ACM Certificate as INCOMPLIANT if the Status field is set to EXPIRED.

... see more

Remediation​

Open File

Remediation​

From Command Line​

Run one of the following commands to request a new managed certificate, import a new externally obtained certificate, or remove the expired ACM certificate using the AWS CLI:

Request a new public certificate​
aws acm request-certificate \
    --domain-name {{www.example.com}} \
    --key-algorithm {{RSA_2048}} \
    --validation-method {{DNS}} \
    --idempotency-token {{1234}} \
    --options CertificateTransparencyLoggingPreference=DISABLED

Note: If you are requesting a public certificate, each domain name that you specify must be validated to verify that you own or control the domain.

Request a new private certificate​
aws acm request-certificate \
    --domain-name {{www.example.com}} \
    --idempotency-token {{12563}} \
    --certificate-authority-arn {{certificateAuthorityArn}}

Note: If you do not provide a {{certificateAuthorityArn}} and you are trying to request a private certificate, ACM will attempt to issue a public certificate.

Import a new certificate​

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Expiration Management15no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES22no data