Pre-Heartbleed Server Certificates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-033

Ensure that none of the server certificates managed by AWS IAM were compromised by the Heartbleed bug, meaning that none of the SSL/TLS certificates were uploaded before April 1st 2014, when the security bug was publicly disclosed. Heartbleed is a critical bug in the OpenSSL library that allows attackers to eavesdrop on SSL/TLS encrypted communications, steal sensitive or confidential data from services and users, and impersonate services and users. Cloud Conformity strongly recommends replacing your insecure server certificates by revoking the compromised certificates, reissuing them and uploading the new ones to AWS IAM, or by using the Amazon Certificate Manager (ACM) service instead to issue new certificates.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using SSL/TLS certificates vulnerable to Heartbleed can allow attackers to extract sensitive data such as user names and passwords, instant messages, emails and critical documents directly from the system memory without leaving any traces. Once your X.509 certificates are compromised, any protection given by the encryption and the signatures within the certificates can be bypassed.

Note: The SSL/TLS certificates cannot be managed from the AWS IAM Management Console, therefore you must upload, retrieve or delete these certificates programmatically using the AWS API. Because of this, Amazon Certificate Manager (ACM) represents the best AWS tool to provision, manage and deploy your server certificates. With AWS ACM you can use an SSL/TLS certificate provided by the ACM service or one that you purchased from an external provider.


Audit

To determine if there are any X.509 server certificates vulnerable to the Heartbleed bug (i.e. certificates uploaded before April 1, 2014) currently available within AWS IAM, perform the following:

Note: Getting the certificates information (metadata) via AWS Management Console is not currently supported. To request information about the SSL/TLS certificates managed by AWS IAM use the Command Line Interface (CLI).

Using AWS CLI

01 Run list-server-certificates command (OSX/Linux/UNIX) to list the names of all IAM-managed server certificates:

aws iam list-server-certificates \
	--query 'ServerCertificateMetadataList[*].ServerCertificateName'

02 The command output should return an array that contains the names of all the SSL/TLS certificates currently stored within AWS IAM:

[
    "FrontendSSLCertificate"
]

03 Run get-server-certificate command (OSX/Linux/UNIX) using the name of the certificate returned at the previous step as identifier and custom query filters to expose the date when the selected SSL/TLS certificate was uploaded to AWS IAM:

aws iam get-server-certificate \
	--server-certificate-name FrontendSSLCertificate \
	--query 'ServerCertificate.ServerCertificateMetadata.UploadDate'

04 The command output should return the upload date in human-readable format:

"2014-02-11T16:46:59Z"

If the command output returns an upload date before April 1st 2014 (as shown in the example above), the selected server certificate is considered vulnerable to the Heartbleed security bug, therefore the risk of the information protected by the SSL/TLS encryption being stolen is high.

05 Repeat steps no. 3 and 4 to check the upload date of the other SSL/TLS certificates managed by the IAM service within your AWS account.
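The same check, automated over the JSON that aws iam list-server-certificates prints. This is an added example, not Conformity's own code: it assumes the ServerCertificateMetadataList entries carry the UploadDate and Expiration fields (the same metadata fields shown in the upload-server-certificate output below), so a single list call covers every certificate without a per-certificate get-server-certificate; the sample JSON and certificate names are constructed for the example.

```python
"""Flag IAM server certificates uploaded before the Heartbleed disclosure (rule IAM-033)."""
import json
from datetime import datetime, timezone

# Public disclosure date of Heartbleed, the cutoff used by rule IAM-033.
HEARTBLEED_CUTOFF = datetime(2014, 4, 1, tzinfo=timezone.utc)

# Constructed sample in the shape returned by `aws iam list-server-certificates`
# (only the fields this check needs are kept; names and dates are made up).
SAMPLE_LIST_OUTPUT = """
{
  "ServerCertificateMetadataList": [
    {
      "ServerCertificateName": "FrontendSSLCertificate",
      "UploadDate": "2014-02-11T16:46:59Z",
      "Expiration": "2018-06-12T23:59:59Z"
    },
    {
      "ServerCertificateName": "ApiSSLCertificate",
      "UploadDate": "2017-06-12T16:46:59.068Z",
      "Expiration": "2020-06-12T23:59:59Z"
    }
  ]
}
"""


def parse_aws_timestamp(value):
    """Parse the ISO 8601 timestamps the CLI prints, with or without fractional seconds."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # older Pythons reject a bare 'Z' suffix
    return datetime.fromisoformat(value)


def find_pre_heartbleed(list_output_json, cutoff=HEARTBLEED_CUTOFF):
    """Return the names of certificates whose UploadDate is before the cutoff."""
    data = json.loads(list_output_json)
    flagged = []
    for meta in data.get("ServerCertificateMetadataList", []):
        uploaded = parse_aws_timestamp(meta["UploadDate"])
        if uploaded < cutoff:
            flagged.append(meta["ServerCertificateName"])
    return flagged


if __name__ == "__main__":
    for name in find_pre_heartbleed(SAMPLE_LIST_OUTPUT):
        print(f"NON-COMPLIANT (IAM-033): {name} was uploaded before {HEARTBLEED_CUTOFF.date()}")
```

Pipe the real CLI output into find_pre_heartbleed to audit an account; every name it returns should go through the Remediation steps below.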

Remediation / Resolution

To replace any SSL/TLS certificates that may have been compromised by the Heartbleed bug, perform the following commands:

Note: Managing SSL/TLS certificates stored within AWS IAM via AWS Management Console is not currently supported. To upload, deploy and delete server certificates, use the AWS API through the Command Line Interface (CLI).

Using AWS CLI

01 Run delete-server-certificate command (OSX/Linux/UNIX) using the name of the insecure server certificate as identifier (see Audit section part I to identify the certificate vulnerable to Heartbleed), to remove it from AWS IAM (the command does not produce an output):

aws iam delete-server-certificate \
	--server-certificate-name FrontendSSLCertificate


02 Once your SSL/TLS certificate has been revoked and reissued by its provider, run upload-server-certificate command (OSX/Linux/UNIX) to upload the new server certificate to the AWS IAM service. The new SSL/TLS certificate includes a public key (the certificate body, e.g. SSLCertificate.pem file), a private key (e.g. SSLPrivateKey.pem), and an optional certificate chain (e.g. SSLCertificateChain.pem), which should all be PEM-encoded. Make sure you use the same name (e.g. FrontendSSLCertificate) for your new server certificate so you don't have to update the references to it:

aws iam upload-server-certificate \
	--server-certificate-name FrontendSSLCertificate \
	--certificate-body file://SSLCertificate.pem \
	--certificate-chain file://SSLCertificateChain.pem \
	--private-key file://SSLPrivateKey.pem

03 The command output should return the new AWS IAM server certificate metadata:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ADYU4X2W6SUR5UB9DT",
        "ServerCertificateName": "FrontendSSLCertificate",
        "Expiration": "2018-06-12T23:59:59Z",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:server-certificate/FrontendSSLCertificate",
        "UploadDate": "2017-06-12T16:46:59.068Z"
    }
}

Cloud Conformity also recommends the AWS Certificate Manager (ACM) service to provision, manage and deploy your new server certificates. With AWS ACM you can request a certificate, deploy it to your AWS resources and let Amazon handle certificate renewals for you.

04 Repeat steps no. 1 – 3 to replace other insecure SSL/TLS certificates managed by AWS IAM within your AWS account.

Publication date Jun 12, 2017