turbot/aws_compliance

Control: 1.19 Ensure that all expired SSL/TLS certificates stored in AWS IAM are removed

Description

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB. As a best practice, it is recommended to delete expired certificates.

Remediation

From Console:

Removing expired certificates via AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM through the AWS API, use the Command Line Interface (CLI).

From Command Line:

To delete an expired certificate, run the following command by replacing <CERTIFICATE_NAME> with the name of the certificate to delete:

aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>

When the preceding command is successful, it does not return any output.

Default Value:

By default, expired certificates will not be deleted.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v400_1_19

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v400_1_19 --share

SQL

This control uses a named query:

iam_server_certificate_not_expired

Tags