Ensure that none of the server certificates managed by AWS IAM were compromised by the Heartbleed bug, meaning that none of the SSL/TLS certificates were uploaded before April 1st 2014, when the security bug was publicly disclosed. Heartbleed is a critical bug in the OpenSSL library that allows attackers to eavesdrop on SSL/TLS encrypted communications, steal sensitive or confidential data from services and users, and impersonate services and users. Cloud Conformity strongly recommends replacing your insecure server certificates: revoke the compromised certificates, reissue them and upload the new ones to AWS IAM, or use the Amazon Certificate Manager (ACM) service instead to issue new certificates.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using SSL/TLS certificates vulnerable to Heartbleed can allow attackers to extract sensitive data such as user names and passwords, instant messages, emails and critical documents directly from the system memory without leaving any traces. Once your X.509 certificates are compromised, any protection given by the encryption and the signatures within the certificates can be bypassed.
Note: The SSL/TLS certificates cannot be managed from the AWS IAM Management Console, therefore you must upload, retrieve or delete these certificates programmatically using the AWS API. Because of this, Amazon Certificate Manager (ACM) is the best AWS tool to provision, manage and deploy your server certificates. With ACM you can use an SSL/TLS certificate provided by the ACM service or one that you purchased from an external provider.
Audit
To determine whether any X.509 server certificates vulnerable to the Heartbleed bug (i.e. certificates uploaded before April 1, 2014) are currently available within AWS IAM, perform the following:
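Because the console does not expose certificate metadata, the check has to run over CLI output. The following Python script is an added example, not Conformity's own tooling: it applies the rule's cut-off date to the JSON that `aws iam list-server-certificates --output json` prints and reports every certificate uploaded before that date. The sample output embedded in it (certificate names, IDs, account number and dates) is constructed for illustration.

```python
import json
import sys
from datetime import datetime, timezone

# Cut-off used by the rule: any IAM server certificate uploaded before the
# public disclosure of Heartbleed (April 1st 2014 on this page) is treated
# as potentially compromised and must be revoked and reissued.
HEARTBLEED_CUTOFF = datetime(2014, 4, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of `aws iam list-server-certificates` output.
# Names, IDs, the account number and the dates are made up for this example.
SAMPLE_LIST_OUTPUT = """
{
  "ServerCertificateMetadataList": [
    {
      "Path": "/",
      "ServerCertificateName": "legacy-web-2013",
      "ServerCertificateId": "ASCAEXAMPLE0000000001",
      "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-2013",
      "UploadDate": "2013-11-20T09:15:42Z",
      "Expiration": "2015-11-20T09:15:42Z"
    },
    {
      "Path": "/cloudfront/",
      "ServerCertificateName": "cdn-edge-2014",
      "ServerCertificateId": "ASCAEXAMPLE0000000002",
      "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/cdn-edge-2014",
      "UploadDate": "2014-03-31T23:59:59+00:00",
      "Expiration": "2016-03-31T23:59:59+00:00"
    },
    {
      "Path": "/",
      "ServerCertificateName": "api-reissued-2014",
      "ServerCertificateId": "ASCAEXAMPLE0000000003",
      "Arn": "arn:aws:iam::123456789012:server-certificate/api-reissued-2014",
      "UploadDate": "2014-04-15T12:00:00Z",
      "Expiration": "2016-04-15T12:00:00Z"
    }
  ]
}
"""


def parse_cli_timestamp(value):
    """Parse the ISO-8601 timestamps the CLI prints ('...Z' or '...+00:00')."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # defensive: treat a bare timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def find_pre_heartbleed_certificates(list_output_json, cutoff=HEARTBLEED_CUTOFF):
    """Return metadata for every certificate uploaded before the cut-off.

    Takes the raw JSON text of `aws iam list-server-certificates`, so it can
    be fed from a file or a pipe without needing AWS credentials here.
    """
    data = json.loads(list_output_json)
    flagged = []
    for cert in data.get("ServerCertificateMetadataList", []):
        if parse_cli_timestamp(cert["UploadDate"]) < cutoff:
            flagged.append({
                "name": cert["ServerCertificateName"],
                "arn": cert["Arn"],
                "upload_date": cert["UploadDate"],
                "expiration": cert["Expiration"],
            })
    return flagged


def flagged_names(list_output_json):
    """Convenience view: just the names of the certificates to replace."""
    return [c["name"] for c in find_pre_heartbleed_certificates(list_output_json)]


if __name__ == "__main__":
    # Use real CLI output when it is piped in; otherwise run on the sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    if not raw.strip():
        raw = SAMPLE_LIST_OUTPUT
    hits = find_pre_heartbleed_certificates(raw)
    if not hits:
        print("No IAM server certificates uploaded before", HEARTBLEED_CUTOFF.date())
    for cert in hits:
        print(f"REPLACE {cert['name']}: uploaded {cert['upload_date']}, "
              f"expires {cert['expiration']} ({cert['arn']})")
```

Run it against a live account with `aws iam list-server-certificates --output json | python3 audit_heartbleed_certs.py` (the file name is your choice); every line marked `REPLACE` is a certificate the rule expects you to revoke, reissue and re-upload.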
Note: Getting the certificates' information (metadata) via the AWS Management Console is not currently supported. To request information about the SSL/TLS certificates managed by AWS IAM, use the Command Line Interface (CLI).
Remediation / Resolution
To replace any SSL/TLS certificates that may have been compromised by the Heartbleed bug, perform the following commands:
Note: Managing SSL/TLS certificates stored within AWS IAM via the AWS Management Console is not currently supported. To upload, deploy and delete server certificates, use the AWS API through the Command Line Interface (CLI).