AWS_IAM_23

Ensure all SSL/TLS certificates are greater than 30 days from expiration

Description

Public SSL/TLS certificates used by AWS resources such as ELB or CloudFront should always be renewed before they expire, both as a security best practice and so that the web application's reputation is not harmed by an expired certificate: once the certificate expires, browsers and API clients refuse the connection or show users a warning.

Remediation

Using the Amazon unified command line interface:

  • Request a certificate renewal from your CA, and upload the new certificate in IAM:
    aws iam upload-server-certificate --server-certificate-name <ssl_certificate_name> --certificate-body file://public_key_cert_file.pem --private-key file://my_private_key.pem --certificate-chain file://my_certificate_chain_file.pem
    Uploading creates a new server certificate object; update the ELB listener or CloudFront distribution to reference the new certificate name before deleting the old one.
  • For Amazon Certificate Manager (ACM) users, renewal is managed by the ACM service (certificates imported into ACM are not renewed automatically and must be re-imported).
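As an added example, not part of this check's page, the check logic run over `aws iam list-server-certificates --output json` output: any certificate that has already expired, or has 30 or fewer days left, is reported. The JSON shape follows the CLI's documented fields; the certificate names and dates below are constructed.

```python
import json
import sys
from datetime import datetime, timezone

THRESHOLD_DAYS = 30  # the check's threshold: "greater than 30 days from expiration" passes


def iam_certs_from_json(doc):
    """Parse `aws iam list-server-certificates --output json` into (name, expiry) pairs.
    IAM reports Expiration as an ISO 8601 UTC timestamp (trailing 'Z')."""
    certs = []
    for c in json.loads(doc)["ServerCertificateMetadataList"]:
        expiry = datetime.fromisoformat(c["Expiration"].replace("Z", "+00:00"))
        certs.append((c["ServerCertificateName"], expiry))
    return certs


def expiring_soon(certs, now, threshold_days=THRESHOLD_DAYS):
    """Return (name, days_left) for every certificate that fails the check:
    already expired (days_left negative) or not more than threshold_days away.
    Sorted so the most urgent certificate comes first."""
    findings = []
    for name, expiry in certs:
        days_left = (expiry - now).days  # truncates, so a partial day counts as fewer
        if days_left <= threshold_days:
            findings.append((name, days_left))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample in the CLI's JSON shape (made-up names and dates, not real certificates).
SAMPLE = """{
  "ServerCertificateMetadataList": [
    {"ServerCertificateName": "web-prod", "Expiration": "2024-06-15T00:00:00Z"},
    {"ServerCertificateName": "web-staging", "Expiration": "2024-04-05T12:00:00Z"},
    {"ServerCertificateName": "legacy-api", "Expiration": "2024-03-20T00:00:00Z"}
  ]
}"""
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

if __name__ == "__main__":
    # Real use: aws iam list-server-certificates --output json | python check_certs.py
    doc = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = NOW if doc is SAMPLE else datetime.now(timezone.utc)
    for name, days_left in expiring_soon(iam_certs_from_json(doc), now):
        state = "EXPIRED" if days_left < 0 else "expiring"
        print(f"FAIL {name}: {state}, {days_left} days left")
```

ACM certificates can be checked the same way by feeding the `NotAfter` value from `aws acm describe-certificate` into expiring_soon.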

References

  1. https://docs.aws.amazon.com/cli/latest/reference/iam/list-server-certificates.html
  2. https://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html
  3. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
  4. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs_manage.html
  5. https://docs.aws.amazon.com/cli/latest/reference/acm/describe-certificate.html
  6. https://docs.aws.amazon.com/cli/latest/reference/acm/list-certificates.html

Service

IAM

Severity

High

Compliance

Mapping
