Profile Applicability

  • Level 1

Description:

SSL/TLS certificates are used to secure communication between clients and services. Expired certificates pose a security risk, as they may allow unauthorized access or cause disruption in secure communication. In AWS, IAM (Identity and Access Management) stores SSL/TLS certificates, and it is essential to regularly remove expired certificates to avoid these risks.

By ensuring that expired SSL/TLS certificates are removed from IAM, organizations reduce the attack surface and avoid security vulnerabilities that can arise from using outdated or expired certificates.

Rationale:

Removing expired SSL/TLS certificates provides the following benefits:

  • Security: Prevents the use of outdated certificates, which could expose data to interception or unauthorized access.

  • Compliance: Meets security requirements and best practices for maintaining valid certificates for all secure communications.

  • Operational integrity: Avoids disruptions caused by expired certificates, ensuring that secure communications continue without interruption.

  • Automated management: Helps automate security hygiene by ensuring that expired certificates are identified and removed without manual intervention.

Without regularly removing expired certificates, organizations may unknowingly expose their systems to security vulnerabilities and compliance risks.

Impact:

Failure to remove expired SSL/TLS certificates from AWS IAM can result in:

  • Insecure communication: Expired certificates may still be accepted by clients or services, allowing insecure connections.

  • Non-compliance: Using expired certificates may violate regulatory requirements or industry standards that mandate certificate validity.

  • Potential attacks: Expired certificates can be exploited for man-in-the-middle attacks or impersonation attacks.

Regularly removing expired certificates ensures continued secure operations and compliance with security standards.

Default Value:

By default, expired SSL/TLS certificates remain in IAM until they are manually removed. Expired certificates do not automatically get deleted by AWS services.

Pre-Requisites:

  • AWS CLI installed and configured

  • IAM permissions:

    • iam:ListServerCertificates

    • iam:DeleteServerCertificate

  • Access to IAM to view and manage certificates

Remediation:

Test Plan:

Using AWS Console:

  1. Go to the IAM Console.

  2. In the Server Certificates section, review the list of certificates stored in IAM.

  3. Identify any certificates that have expired, and ensure that they are removed from the IAM list.

  4. Confirm that only active certificates are present.

Using AWS CLI:

To list all server certificates:

aws iam list-server-certificates --query "ServerCertificateMetadataList[].[ServerCertificateName,Expiration]" --output table

To identify expired certificates, filter the list by expiration date.

Implementation Plan:

Using AWS Console:

  1. Remove expired certificates manually:

    • Go to the IAM Console.

    • In the Server Certificates section, identify certificates that have expired.

    • Select the expired certificate(s) and click Delete to remove them.

  2. Verify the deletion:

    • After deleting, ensure that the expired certificates no longer appear in the list of server certificates.

Using AWS CLI:

  1. Delete expired SSL/TLS certificates:

    • First, list all certificates:

aws iam list-server-certificates --query "ServerCertificateMetadataList[].[ServerCertificateName,Expiration]" --output table

    • Then, delete each expired certificate:

aws iam delete-server-certificate --server-certificate-name <certificate-name>

  2. Verify removal:

    • After deletion, confirm the certificate has been removed by listing the certificates again:

aws iam list-server-certificates --query "ServerCertificateMetadataList[].[ServerCertificateName]" --output table
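The Test Plan says to filter the listing by expiration date, and the Implementation Plan then deletes what that filter finds. The following script is an added example, not part of this benchmark or of AWS tooling: it takes the JSON shape of `aws iam list-server-certificates --output json` (or the boto3 `list_server_certificates()` response), returns the certificates already past their Expiration, and prints the matching delete commands for review instead of running them. The sample data, account ID and certificate names are constructed.

```python
import json
from datetime import datetime, timezone

def _to_utc(value):
    """Normalise an Expiration value to aware UTC: the CLI's JSON gives ISO-8601
    strings (+00:00 or Z), boto3 gives datetimes; naive datetimes are taken as UTC."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)

def load_response(text):
    """Parse the JSON printed by `aws iam list-server-certificates --output json`."""
    return json.loads(text)

def find_expired(response, now=None):
    """Return sorted (name, expiration) pairs for certificates whose Expiration is
    strictly before `now` (default: current UTC time)."""
    now = _to_utc(now) if now is not None else datetime.now(timezone.utc)
    expired = []
    for meta in response.get("ServerCertificateMetadataList", []):
        expiration = _to_utc(meta["Expiration"])
        if expiration < now:
            expired.append((meta["ServerCertificateName"], expiration.isoformat()))
    return sorted(expired)

def deletion_plan(response, now=None):
    """One delete command per expired certificate, for review before it is run."""
    return [f"aws iam delete-server-certificate --server-certificate-name {name}"
            for name, _ in find_expired(response, now)]

# Constructed sample in the CLI's JSON shape (not real account data): two expired, one valid.
SAMPLE_JSON = """{"ServerCertificateMetadataList": [
  {"ServerCertificateName": "legacy-web-2022", "Expiration": "2023-03-01T00:00:00+00:00",
   "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-2022"},
  {"ServerCertificateName": "prod-web-2024", "Expiration": "2026-01-15T12:00:00+00:00",
   "Arn": "arn:aws:iam::123456789012:server-certificate/prod-web-2024"},
  {"ServerCertificateName": "old-api-2023", "Expiration": "2024-05-31T23:59:59Z",
   "Arn": "arn:aws:iam::123456789012:server-certificate/old-api-2023"}
]}"""

if __name__ == "__main__":
    for command in deletion_plan(load_response(SAMPLE_JSON), "2024-06-01T00:00:00Z"):
        print(command)
```

Against a live account, pipe `aws iam list-server-certificates --output json` into `load_response` and check the printed plan against the services (such as load balancers) still referencing each name before running it.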

Backout Plan:

Using AWS Console:

  1. If removing a certificate causes access issues:

    • Go to the IAM Console.

    • Re-upload the removed certificate if it is still needed for secure communication or access.

    • Ensure that the correct certificate is uploaded to avoid disruption of services.

  2. Reconfigure affected services: If a certificate is removed by mistake, update the affected services to use an active certificate.

Using AWS CLI:

  1. Re-upload a deleted certificate if necessary:

aws iam upload-server-certificate --server-certificate-name <certificate-name> --certificate-body file://<cert-body-file> --private-key file://<private-key-file> --certificate-chain file://<cert-chain-file>

  2. Verify the re-uploaded certificate:

aws iam list-server-certificates --query "ServerCertificateMetadataList[].[ServerCertificateName]" --output table

References:

CIS Controls Mapping:

CIS Control Version | Control ID | Control Description
--------------------|------------|-------------------------------------------------------------
CIS v8              | 4.9        | Perform Continuous Security Monitoring and Incident Detection
CIS v7              | 6.3        | Monitor Security Configurations for Compliance
CIS v7              | 5.2        | Securely Manage and Monitor Cloud Accounts and Services