Profile Applicability:

Level 1

Description:

AWS IAM allows users to store SSL/TLS certificates for use with AWS services such as Elastic Load Balancers (ELB) and CloudFront. Certificates must be regularly reviewed and expired certificates must be removed to avoid unintended usage.

Rationale:

  • Expired certificates may lead to application failures if deployed on AWS services such as ELB, CloudFront, or API Gateway.

  • Ensures compliance with security policies requiring the removal of outdated certificates.

  • Reduces risk of security incidents, such as man-in-the-middle (MITM) attacks due to outdated cryptographic material.

Impact:

  • Deleting expired certificates may affect applications if they are still in use by AWS services.

  • Before removal, verify that the expired certificate is not in use.

  • If a certificate is actively used, it should be replaced with a valid one before deletion.

Default Value:

By default:

  • IAM does not automatically delete expired SSL/TLS certificates.

  • Expired certificates remain stored in IAM indefinitely until manually removed.

Pre-Requisites:

  1. IAM Administrator Access:

    • Required permissions:

      • iam:ListServerCertificates

      • iam:GetServerCertificate

      • iam:DeleteServerCertificate

  2. AWS CLI Installed (optional for automation).

  3. Access to AWS ACM (if migrating to managed certificates).

Remediation:

Test Plan:

Using CLI

List all IAM-stored certificates:

 aws iam list-server-certificates --query "ServerCertificateMetadataList[*].[ServerCertificateName, Expiration]" --output table

Review the output:

-------------------------------------------------
|            ListServerCertificates             |
+------------------------+----------------------+
| MyExpiredCert          | 2023-12-01T23:59:59Z |
| ActiveCert2024         | 2024-07-10T23:59:59Z |
+------------------------+----------------------+

  • Check for expired certificates: If the expiration date is in the past, the certificate must be removed.

Implementation Steps:

Step 1: Verify Certificate Usage - Before deleting a certificate, check if it is actively used in:

  • Elastic Load Balancers (ELB)

  • CloudFront Distributions

  • API Gateway

  • Check ELB for expired certificates - List all ELBs and their associated certificates:

 aws elb describe-load-balancers --query "LoadBalancerDescriptions[*].{Name:LoadBalancerName,CertArn:ListenerDescriptions[*].Listener.SSLCertificateId}"

  • If the expired certificate is attached, replace it with a valid one before deletion.

Step 2: Delete Expired Certificates - Delete an expired certificate:

 aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>

 Example:

 aws iam delete-server-certificate --server-certificate-name MyExpiredCert

  • Verify deletion by running the audit command again:

 aws iam list-server-certificates
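As an added example that is not part of this benchmark, the following Python script applies Step 1 and Step 2 offline: it takes JSON shaped like the output of `aws iam list-server-certificates` and `aws elb describe-load-balancers` (the account id, certificate names and load balancer name below are constructed samples), flags every expired certificate, and separates those safe to delete from those still attached to a listener and therefore needing replacement first.

```python
from datetime import datetime, timezone
ARN = "arn:aws:iam::123456789012:server-certificate/"   # constructed account id

def cert(name, expiration):
    """One ServerCertificateMetadata entry, as `aws iam list-server-certificates` prints it."""
    return {"ServerCertificateName": name, "Arn": ARN + name, "Expiration": expiration}

# Constructed sample; Expiration is RFC 3339 UTC with a trailing Z, as the CLI emits it.
IAM_CERTS = {"ServerCertificateMetadataList": [
    cert("MyExpiredCert", "2023-12-01T23:59:59Z"),
    cert("ActiveCert2024", "2024-07-10T23:59:59Z"),
    cert("OldButAttached", "2024-01-15T23:59:59Z"),
]}

# Constructed sample shaped like `aws elb describe-load-balancers --output json`; a Classic
# ELB HTTPS listener names the IAM certificate by ARN in Listener.SSLCertificateId.
ELBS = {"LoadBalancerDescriptions": [{
    "LoadBalancerName": "web-prod",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "SSLCertificateId": ARN + "OldButAttached"}},
        {"Listener": {"Protocol": "HTTP"}},   # plain HTTP listener, no certificate
    ]}]}

def parse_time(ts):
    """Parse IAM's RFC 3339 timestamp; fromisoformat() rejects a bare Z before Python 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def expired_certificates(iam_certs, now):
    """Return {name: arn} for every certificate whose Expiration is before `now`."""
    return {c["ServerCertificateName"]: c["Arn"]
            for c in iam_certs["ServerCertificateMetadataList"]
            if parse_time(c["Expiration"]) < now}

def audit(iam_certs, elbs, now=None):
    """Split expired certificates into safe deletions and ones still attached to an ELB."""
    now = parse_time(now) if now else datetime.now(timezone.utc)  # `now`: RFC 3339 string
    usage = {}   # certificate ARN -> load balancers whose HTTPS listener references it
    for lb in elbs["LoadBalancerDescriptions"]:
        for ld in lb["ListenerDescriptions"]:
            arn = ld["Listener"].get("SSLCertificateId")
            if arn:
                usage.setdefault(arn, []).append(lb["LoadBalancerName"])
    plan = {"delete": [], "replace_first": {}}
    for name, arn in expired_certificates(iam_certs, now).items():
        if arn in usage:                           # Step 1: still attached, swap it first
            plan["replace_first"][name] = usage[arn]
        else:                                      # Step 2: safe to delete-server-certificate
            plan["delete"].append(name)
    return plan
```

Against live data, feed the script the `--output json` form of the two commands instead of the constructed dictionaries; names in `plan["delete"]` are the ones to pass to `aws iam delete-server-certificate`.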


Backout Plan:

If an expired certificate was mistakenly deleted, re-upload the certificate to IAM:

aws iam upload-server-certificate --server-certificate-name <CERT_NAME> --certificate-body file://certificate.pem --private-key file://private-key.pem --certificate-chain file://ca-chain.pem --path /cloudfront/

Verify that the certificate is available again in IAM:

 aws iam list-server-certificates

References:

CIS Controls Mapping:


CIS Control Version | Control ID | Control Description
--------------------+------------+----------------------------------------------------------------
CIS v8              | 3.1        | Establish a data management process, including handling and disposal of sensitive data.
CIS v7              | 13.1       | Maintain an inventory of sensitive information stored, processed, or transmitted by the organization's systems.