Description:
To enable HTTPS connections to your website or application on AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM console.
Rationale:
Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be accidentally deployed to a resource such as an AWS Elastic Load Balancer (ELB), which can damage the credibility of the application or website behind the ELB. As a best practice, it is recommended to delete expired certificates.
Impact:
Deleting a certificate can have implications for your application. If you are using an expired server certificate with Elastic Load Balancing, Cloud Front, etc., you must update the configuration of the respective service to ensure there is no application interruption.
Default Value:
By default, expired certificates won't get deleted.
Pre-Requisite:
IAM access
Remediation:
Test Plan:
AWS Console Process
Removing expired certificates via the AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API, use the Command Line Interface (CLI).
Using AWS CLI
Run list-server-certificates command (OSX/Linux/UNIX) to list all the IAM-stored server certificates.
aws iam list-server-certificates
The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc)
{
"ServerCertificateMetadataList": [
{
"ServerCertificateId": "CDDAJCJBZJVB2EHHVF7FD",
"ServerCertificateName": "MySSLCertificate",
"Expiration": "2016-05-20T23:59:59Z",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:
server-certificate/MySSLCertificate",
"UploadDate": "2015-06-01T11:56:08Z"
}
]
}
Verify the Expiration parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them.
{ { "ServerCertificateMetadataList": [] }
This means that there are no expired certificates; it DOES NOT mean that no certificates exist.
Implementation Plan:
AWS Console Process
Removing expired certificates via the AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API use the Command Line Interface (CLI)
Using AWS CLI
To delete Expired Certificate run following command by replacing with the name of the certificate to delete
aws iam delete-server-certificate
--server-certificate-name <CertificateName>
Backout Plan:
N/A