Skip to main content

πŸ“ AWS IAM Server Certificate is expired 🟒

  • Contextual name: πŸ“ Server Certificate is expired 🟒
  • ID: /ce/ca/aws/iam/delete-expired-server-certificate
  • Located in: πŸ“ AWS IAM

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-12a853391

Logic​

Description​

Open File

Description​

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.

Rationale​

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.

Impact​

Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. One has to make configurations at respective services to ensure there is no interruption in application functionality.

... see more

Remediation​

Open File

Remediation​

From Console​

Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).

From Command Line​

To delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:

aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>

When the preceding command is successful, it does not return any output.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed11
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.18 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Expiration Management12
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61420
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1316
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-17 Public Key Infrastructure Certificates (M)(H)11
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)120
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)420
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-17 Public Key Infrastructure Certificates (M)(H)1
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.4 Management of secret authentication information of users810
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1415
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.9 Inventory of information and35
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1114
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices911
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AC-4 (5) EMBEDDED DATA TYPES11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(5) Information Flow Enforcement _ Embedded Data Types11