Profile Applicability:
Level 1
Description:
This control ensures that all expired SSL/TLS certificates stored in AWS Identity and Access Management (IAM) are identified and removed. Expired certificates no longer provide valid encryption or authentication, and retaining them can cause configuration confusion, operational errors, or potential misuse. Removing expired certificates helps maintain a clean and secure certificate inventory.
Rationale:
Expired certificates cannot be used for secure communications or service authentication. Keeping them in the environment increases the risk of misconfiguration, such as inadvertently attaching an invalid certificate to a load balancer or service endpoint. Regularly auditing and deleting expired certificates ensures that only valid, trusted credentials are used, aligning with best practices and compliance requirements in CIS, SOC 2, ISO 27001, and PCI DSS.
Impact:
Positive Impact: Improves security hygiene by eliminating outdated and invalid certificates, reducing the risk of misconfiguration or accidental use of expired credentials.
Negative Impact: None significant, unless deleted certificates are still referenced in legacy configurations that have not been updated.
Default Value:
AWS does not automatically delete expired SSL/TLS certificates from IAM. They must be removed manually.
Pre-Requisite:
IAM permissions required:
iam:ListServerCertificates, iam:GetServerCertificate, and iam:DeleteServerCertificate. Ensure that the certificates are not actively used by Elastic Load Balancers, CloudFront distributions, or custom domains before deletion.
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to IAM → Certificate Management → Server certificates.
Review the Expiration date for each certificate.
Identify certificates that show an expiration date in the past.
If expired certificates are still listed, the account is non-compliant.
Implementation Plan
Using AWS Console:
Navigate to IAM → Certificate Management → Server certificates.
Review each certificate’s status and expiration date.
For certificates that have expired:
Verify that the certificate is not in use by checking:
Elastic Load Balancing (EC2 → Load Balancers → Listeners)
CloudFront Distributions → SSL Certificate Settings
API Gateway Custom Domain Names → Certificate Settings
Once confirmed unused, select the expired certificate.
Click Delete server certificate and confirm the deletion.
If a deleted certificate was still referenced by a service, replace it with a valid, unexpired certificate from AWS Certificate Manager (ACM) or IAM.
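The following Python script is an added example, not part of the benchmark text, that automates both the Test Plan (find IAM server certificates whose expiration date is in the past) and the Implementation Plan (confirm the certificate is not referenced by classic ELB, ALB/NLB, CloudFront or API Gateway custom domains before deleting it). The function names (find_expired, in_use_references, plan_deletions, audit_account), the account ID 123456789012 and the ASCAEXAMPLE* certificate IDs are constructed for the example. The pure functions operate on the dictionaries the AWS APIs return, so they run offline against the constructed sample data; audit_account() wires them to boto3 and checks only the default region, so a multi-region account needs it run per region.

```python
# Added example (not part of the benchmark text): audit IAM server certificates
# for expiry and plan deletions that respect the in-use checks listed above.
# The core functions are pure and work on the dictionaries the AWS APIs return
# (or on the constructed sample data below); audit_account() wires them to boto3.
from datetime import datetime, timezone


def find_expired(cert_metadata, now=None):
    """Entries of iam.list_server_certificates()['ServerCertificateMetadataList']
    whose aware-datetime Expiration is in the past (the Test Plan check)."""
    now = now or datetime.now(timezone.utc)
    return [c for c in cert_metadata if c["Expiration"] < now]


def in_use_references(elb_descriptions, elbv2_listeners, cf_distributions, apigw_domains):
    """Set of certificate identifiers referenced by the services the benchmark
    names. Classic ELB, ALB/NLB and API Gateway reference the certificate ARN;
    CloudFront references the IAM certificate ID (IAMCertificateId)."""
    refs = set()
    for lb in elb_descriptions:
        for ld in lb.get("ListenerDescriptions", []):
            cert = ld.get("Listener", {}).get("SSLCertificateId")
            if cert:
                refs.add(cert)
    for listener in elbv2_listeners:
        for cert in listener.get("Certificates", []):
            refs.add(cert["CertificateArn"])
    for dist in cf_distributions:
        iam_id = dist.get("ViewerCertificate", {}).get("IAMCertificateId")
        if iam_id:
            refs.add(iam_id)
    for dom in apigw_domains:
        for key in ("certificateArn", "regionalCertificateArn"):
            if dom.get(key):
                refs.add(dom[key])
    return refs


def plan_deletions(cert_metadata, refs, now=None):
    """Return (safe_to_delete, still_referenced) lists of expired certificate
    names. Referenced certificates need a valid replacement before deletion."""
    safe, blocked = [], []
    for c in find_expired(cert_metadata, now):
        if c["Arn"] in refs or c["ServerCertificateId"] in refs:
            blocked.append(c["ServerCertificateName"])
        else:
            safe.append(c["ServerCertificateName"])
    return safe, blocked


def audit_account(delete=False):
    """Live run in the default region. Needs boto3, iam:ListServerCertificates,
    read access to ELB/ELBv2/CloudFront/API Gateway, and iam:DeleteServerCertificate
    when delete=True. Only certificates with no references are ever deleted."""
    import boto3  # imported here so the pure functions run without boto3 installed
    iam, elb, elbv2 = boto3.client("iam"), boto3.client("elb"), boto3.client("elbv2")
    cf, apigw = boto3.client("cloudfront"), boto3.client("apigateway")
    certs = [c for page in iam.get_paginator("list_server_certificates").paginate()
             for c in page["ServerCertificateMetadataList"]]
    listeners = [lst for lb in elbv2.describe_load_balancers()["LoadBalancers"]
                 for lst in elbv2.describe_listeners(LoadBalancerArn=lb["LoadBalancerArn"])["Listeners"]]
    refs = in_use_references(
        elb.describe_load_balancers()["LoadBalancerDescriptions"], listeners,
        cf.list_distributions()["DistributionList"].get("Items", []),
        apigw.get_domain_names().get("items", []))
    safe, blocked = plan_deletions(certs, refs)
    if delete:
        for name in safe:
            iam.delete_server_certificate(ServerCertificateName=name)
    return safe, blocked


# Constructed sample data mirroring the API response shapes; not real resources.
ACCOUNT = "123456789012"
SAMPLE_CERTS = [
    {"ServerCertificateName": "legacy-web-2021", "ServerCertificateId": "ASCAEXAMPLE111",
     "Arn": f"arn:aws:iam::{ACCOUNT}:server-certificate/legacy-web-2021",
     "Expiration": datetime(2022, 3, 1, tzinfo=timezone.utc)},
    {"ServerCertificateName": "old-api-2020", "ServerCertificateId": "ASCAEXAMPLE222",
     "Arn": f"arn:aws:iam::{ACCOUNT}:server-certificate/old-api-2020",
     "Expiration": datetime(2021, 6, 1, tzinfo=timezone.utc)},
    {"ServerCertificateName": "current-web", "ServerCertificateId": "ASCAEXAMPLE333",
     "Arn": f"arn:aws:iam::{ACCOUNT}:server-certificate/current-web",
     "Expiration": datetime(2099, 1, 1, tzinfo=timezone.utc)},
]
# Constructed references: a classic ELB uses the current cert by ARN, a CloudFront
# distribution still points at the expired legacy cert by IAM certificate ID.
SAMPLE_REFS = in_use_references(
    elb_descriptions=[{"ListenerDescriptions": [{"Listener": {"SSLCertificateId": SAMPLE_CERTS[2]["Arn"]}}]}],
    elbv2_listeners=[{"Certificates": []}],
    cf_distributions=[{"ViewerCertificate": {"IAMCertificateId": "ASCAEXAMPLE111"}}],
    apigw_domains=[{"domainName": "api.example.com"}],
)
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Dry run on the sample data: old-api-2020 is safe, legacy-web-2021 is blocked.
    print(plan_deletions(SAMPLE_CERTS, SAMPLE_REFS, FIXED_NOW))
```

audit_account() defaults to a dry run; only an explicit delete=True removes the certificates in the safe list, and anything in the blocked list is left for a replacement to be installed first, matching the Backout Plan below. Note that CloudFront is matched on the 21-character IAM certificate ID rather than the ARN, which is why plan_deletions checks both fields.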
Backout Plan:
If an expired certificate is deleted prematurely and still in use by a service, re-upload a valid replacement certificate immediately.
For temporary recovery, use a backup of the old certificate and key pair, but only as a stopgap until a new certificate is issued.