Profile Applicability:

  • Level 1

Description:

Certificate Authorities (CAs) are trusted entities that issue digital certificates used to verify the identity of services. The Docker daemon and its clients rely on a CA certificate to authenticate each other over TLS. CA certificates should be rotated on a defined schedule so that an expired, cryptographically weakened or compromised CA does not remain a trusted anchor indefinitely. Regular rotation keeps the trust material aligned with current cryptographic standards and limits the window in which a compromised CA can be abused.

Rationale:

Over time, the cryptographic algorithms and key sizes used in certificates may become weak, or a CA private key may be exposed to attackers. Rotating CA certificates limits how long any single trust anchor is relied upon: once the old CA is removed from the daemon's trust store, certificates issued under it stop being accepted, including any an attacker may have minted with a stolen CA key. Rotation complements, but does not replace, revocation of individual certificates.

Impact:

Pros:

  • Enhances the security posture by ensuring certificates remain valid and secure.

  • Reduces the chances of a compromised certificate being used.

Cons:

  • Rotation of certificates requires a robust management process to ensure there are no service interruptions.

  • Every party that trusts the CA (Docker CLI users, CI runners, orchestration tooling) must receive the new CA certificate, and server or client certificates issued by the old CA must be reissued, before the old CA is withdrawn; otherwise TLS connections to the daemon fail.

Default Value:

Docker does not rotate CA certificates on its own. The daemon trusts whatever file is referenced by --tlscacert (or "tlscacert" in /etc/docker/daemon.json) until that file is replaced and the daemon restarted. The validity period of the CA certificate itself is whatever the issuing CA's policy set when it was created.

Pre-requisites:

  • Access to the Docker configuration and management tools.

  • Knowledge of the certificate management process and rotation policies.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance hosting Docker.

  2. Check the Docker daemon's TLS configuration (the CA certificate, server certificate and key referenced by --tlscacert, --tlscert and --tlskey, or the matching "tlscacert", "tlscert" and "tlskey" entries in /etc/docker/daemon.json) for any expired or soon-to-expire certificates.

  3. Verify that certificate expiry is monitored, for example by a scheduled check that alerts well before the notAfter date, rather than being discovered when TLS connections start failing.

Using AWS CLI:

  1. Connect to the EC2 instance.

  2. Run the following command against each certificate referenced by the daemon configuration to print its validity window (notBefore and notAfter):

openssl x509 -in /path/to/certificate.pem -noout -dates

  3. Ensure the certificate is updated or replaced before the notAfter date is reached.
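
The audit described in the Test Plan, as an added example that is not part of the original benchmark text or Docker's own tooling: it reads the certificate paths from daemon.json (assuming the documented dockerd keys tlscacert, tlscert and tlskey), and uses openssl's -checkend to answer the question a rotation deadline actually needs, "will this still be valid N days from now", rather than printing dates for a human to compare. The daemon.json path, the 30-day default and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Audit the TLS certificates the Docker daemon is configured with.
# Assumption (not from the benchmark text): dockerd's TLS settings are in
# /etc/docker/daemon.json under the documented keys tlscacert / tlscert / tlskey.

# docker_tls_path KEY [DAEMON_JSON]: print the path set for KEY, nothing if unset.
# daemon.json values are flat strings, so a sed extraction is enough here.
docker_tls_path() {
    key=$1; conf=${2:-/etc/docker/daemon.json}
    [ -r "$conf" ] || return 1
    sed -n "s/.*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# check_cert_expiry FILE [DAYS]: 0 = still valid DAYS days from now,
# 1 = expires within DAYS days (or already expired), 2 = not a readable PEM cert.
# -checkend N asks openssl whether the cert is still valid at now+N seconds.
check_cert_expiry() {
    file=$1; days=${2:-30}
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1 || return 1
}

# audit_docker_tls [DAEMON_JSON] [DAYS]: report both certificate paths the
# daemon uses; returns 0 only if every one is present and valid for DAYS more days.
audit_docker_tls() {
    conf=${1:-/etc/docker/daemon.json}; days=${2:-30}; status=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    for key in tlscacert tlscert; do
        path=$(docker_tls_path "$key" "$conf")
        if [ -z "$path" ]; then
            echo "$key: not set in $conf"; status=1; continue
        fi
        rc=0; check_cert_expiry "$path" "$days" || rc=$?
        case $rc in
            0) verdict="OK, valid for more than $days days" ;;
            1) verdict="ACTION REQUIRED, expires within $days days"; status=1 ;;
            *) verdict="UNREADABLE"; status=1 ;;
        esac
        echo "$key=$path: $verdict"
        # Print subject and notAfter for the report, as the Test Plan's openssl step does.
        [ "$rc" -eq 2 ] || openssl x509 -in "$path" -noout -subject -enddate | sed 's/^/    /'
    done
    return $status
}

# Usage: sh audit-docker-tls.sh [/etc/docker/daemon.json] [days]
if [ $# -gt 0 ]; then
    audit_docker_tls "$@"
fi
```

Run it from cron or an SSM Run Command on each host and alert on a non-zero exit; a threshold of 30 days leaves time to reissue server certificates and distribute a new CA before anything expires.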

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Install the new CA certificate at the path the daemon references (--tlscacert, or "tlscacert" in /etc/docker/daemon.json), keeping a copy of the previous file for the Backout Plan.

  3. Before restarting, confirm that the daemon's server certificate (--tlscert) has been reissued under the new CA and that all clients have received the new CA certificate; a CA swap without these steps breaks every TLS connection to the daemon on restart.

  4. Restart the Docker service:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM Run Command to replace the CA certificate and restart Docker without an interactive login. Back up the current file first so the Backout Plan has something to restore. The destination must be the file the daemon's tlscacert setting references: dockerd reads that specific file, not the system trust store, and the /etc/ssl/certs/ path in the example below is the system store, which on Debian-based images is regenerated by update-ca-certificates rather than by a plain copy.

  2. Run the following command to update the certificate and restart the daemon:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo cp /path/to/new-ca-cert.pem /etc/ssl/certs/ && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Replace the new CA certificates with the previous versions.

  3. Restart Docker:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the CA certificates back to their previous versions and restart Docker.

  2. Run the following commands:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo cp /path/to/old-ca-cert.pem /etc/ssl/certs/ && sudo systemctl restart docker"]'
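
The Implementation Plan and Backout Plan above, as one added example that is not part of the original benchmark text and not Docker's or AWS's own tooling. It adds the checks the plain cp-and-restart commands lack: the new CA must parse and really be a CA, the daemon's server certificate must chain to it, the file is swapped atomically after a timestamped backup, and a failed restart rolls back on its own. Assumptions: the target path is whatever daemon.json's "tlscacert" points at (passed as an argument), the server certificate is the "tlscert" file, and the restart command is overridable through DOCKER_RESTART_CMD so the logic can be exercised on a host without a running Docker service. make_demo_pki builds a constructed throw-away PKI for trying it out; it is not real Docker material.

```shell
#!/bin/sh
# Rotate the CA certificate the Docker daemon trusts, with a verified backout.
# Assumptions (not from the benchmark text): TARGET is the file daemon.json's
# "tlscacert" points at, SERVER_CERT is the daemon's own "tlscert", and the
# restart command can be overridden via DOCKER_RESTART_CMD.
: "${DOCKER_RESTART_CMD:=systemctl restart docker}"

# Refuse to install a CA that would break the daemon on restart: it must parse,
# must really be a CA, and the daemon's server certificate must chain to it
# (a CA swap without reissuing the server cert cuts off every TLS client).
preflight_new_ca() {
    new_ca=$1; server_cert=$2
    openssl x509 -in "$new_ca" -noout >/dev/null 2>&1 \
        || { echo "new CA is not a PEM certificate" >&2; return 1; }
    openssl x509 -in "$new_ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "new CA lacks basicConstraints CA:TRUE" >&2; return 1; }
    openssl verify -CAfile "$new_ca" "$server_cert" >/dev/null 2>&1 \
        || { echo "server cert does not chain to new CA; reissue it first" >&2; return 1; }
}

# rotate_ca NEW_CA TARGET SERVER_CERT: back up TARGET, install NEW_CA atomically
# (temp file + rename in the same directory), restart dockerd, and roll back
# automatically if the restart fails. Prints the backup path on success.
rotate_ca() {
    new_ca=$1; target=$2; server_cert=$3
    preflight_new_ca "$new_ca" "$server_cert" || return 1
    backup="$target.bak.$(date +%Y%m%d%H%M%S).$$"
    cp -p "$target" "$backup" || return 1
    tmp="$target.tmp.$$"
    cp "$new_ca" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$target" \
        || { rm -f "$tmp"; return 1; }
    if ! sh -c "$DOCKER_RESTART_CMD"; then
        echo "restart failed; restoring $backup" >&2
        rollback_ca "$backup" "$target"
        return 1
    fi
    echo "$backup"
}

# rollback_ca BACKUP TARGET: reinstate the previous CA file and restart dockerd.
rollback_ca() {
    backup=$1; target=$2
    openssl x509 -in "$backup" -noout >/dev/null 2>&1 \
        || { echo "$backup is not a certificate; not restoring" >&2; return 1; }
    cp "$backup" "$target" || return 1
    sh -c "$DOCKER_RESTART_CMD" || return 1
}

# make_demo_pki DIR: constructed throw-away PKI for trying this out (not real
# Docker material): an old CA and a new CA, each with a server cert it issued.
make_demo_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca\n[dn]\nCN=x\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
    for n in old new; do
        openssl req -x509 -config "$d/ca.cnf" -subj "/CN=demo-$n-ca" -newkey rsa:2048 -nodes \
            -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" -days 365 >/dev/null 2>&1 || return 1
        openssl req -new -config "$d/ca.cnf" -subj "/CN=docker-host" -newkey rsa:2048 -nodes \
            -keyout "$d/server-$n.key" -out "$d/server-$n.csr" >/dev/null 2>&1 || return 1
        openssl x509 -req -in "$d/server-$n.csr" -CA "$d/$n-ca.pem" -CAkey "$d/$n-ca.key" \
            -CAcreateserial -out "$d/server-$n.pem" -days 30 >/dev/null 2>&1 || return 1
    done
    cp "$d/old-ca.pem" "$d/ca.pem"    # stands in for the file tlscacert points at
}

# Usage: DOCKER_RESTART_CMD=true sh rotate-docker-ca.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_demo_pki "$d" || exit 1
    echo "1) new CA while the server cert is still from the old CA: refused"
    rotate_ca "$d/new-ca.pem" "$d/ca.pem" "$d/server-old.pem" || true
    echo "2) new CA with a server cert it issued: rotate, then roll back"
    bk=$(rotate_ca "$d/new-ca.pem" "$d/ca.pem" "$d/server-new.pem") && echo "backup at $bk" \
        && rollback_ca "$bk" "$d/ca.pem" && echo "rolled back"
fi
```

Wrapped in the AWS-RunShellScript document from the Implementation Plan, the same script runs unattended over SSM; the backup path it prints is what the Backout Plan needs, so record it in the command output rather than relying on a remembered /path/to/old-ca-cert.pem.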

References: