AWS-IAM-expired-SSL-TLS-certificates-removed
Severity: High
Description: This control ensures that no expired server certificates are stored in AWS IAM. SSL/TLS server certificates are used to enable HTTPS connections to websites or applications in AWS. IAM can store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that ACM does not support. IAM securely encrypts private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but the certificate must be obtained from an external provider for use with AWS.
Remediation Steps:
Perform the following to delete an expired server certificate using the AWS CLI:
aws iam delete-server-certificate --server-certificate-name [CERTIFICATE_NAME]
Important:
To delete SSL/TLS certificates stored in IAM via the AWS API, use the AWS Command Line Interface (CLI).
Reference:
CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.19
Manage server certificates in IAM - AWS Identity and Access Management
delete-server-certificate — AWS CLI 1.36.6 Command Reference
Blue Hexagon Proprietary