Skip to main content

πŸ›‘οΈ AWS IAM Server Certificate is expired🟒

  • Contextual name: πŸ›‘οΈ Server Certificate is expired🟒
  • ID: /ce/ca/aws/iam/delete-expired-server-certificate
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY

Logic​

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-12a853391

Description​

Open File

Description​

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.

Rationale​

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.

Impact​

Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc. One has to make configurations at respective services to ensure there is no interruption in application functionality.

... see more

Remediation​

Open File

Remediation​

From Console​

Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI).

From Command Line​

To delete Expired Certificate run following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:

aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>

When the preceding command is successful, it does not return any output.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 4 Cryptographic key management refers to the generation, distribution, storage, renewal, revocation, recovery, archiving and destruction of encryption keys. Effective cryptographic key management ensures that controls are in place to reduce the risk of compromise of the security of cryptographic keys. Any compromise of the security of cryptographic keys could, in turn, lead to a compromise of the security of the information assets protected by the cryptographic technique deployed.67no data
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 44c loss of, or unauthorised access to, encryption keys safeguarding extremely critical or sensitive information assets.810no data
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed11no data
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed11no data
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed - Level 1 (Automated)11no data
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1no data
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1no data
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.18 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1no data
πŸ’Ό CIS AWS v6.0.0 β†’ πŸ’Ό 2.18 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Expiration Management13no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)61432no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1624no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-17 Public Key Infrastructure Certificates (M)(H)22no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)132no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5 Authenticator Management (L)(M)(H)432no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-17 Public Key Infrastructure Certificates (M)(H)2no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.4 Management of secret authentication information of users810no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1819no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.9 Inventory of information and36no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 5.10 Acceptable use of information and other associated assets1127no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.1 User end point devices813no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1934no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks)1923no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4791no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization42no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-03: Users, services, and hardware are authenticated53no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties116no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected125no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected142no data
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό AC-4 (5) EMBEDDED DATA TYPES11no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(5) Information Flow Enforcement _ Embedded Data Types11no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1822no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.222no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.2922no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.1-9 Manages Credentials for Infrastructure and Software34no data
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.6-3 Requires Additional Authentication or Credentials46no data