Expired SSL/TLS Certificate

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: IAM-021

Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed in order to follow IAM security best practices.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Reliability

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as an AWS Elastic Load Balancer (ELB), which would trigger front-end errors and damage the credibility of the application or website behind the ELB.


Audit

To determine if there are any expired SSL/TLS certificates currently available in IAM, perform the following:

Note: Retrieving the certificates' expiration information via the AWS Management Console is not currently supported. To request information about the SSL/TLS certificates stored in IAM via the AWS API, use the Command Line Interface (CLI).

Using AWS CLI

01 Run list-server-certificates command (OSX/Linux/UNIX) to list all the IAM-stored server certificates:

aws iam list-server-certificates

02 The command output should return an array that contains all the SSL/TLS certificates currently stored in IAM and their metadata (name, ID, expiration date, etc.):

{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateId": "CDDAJCJBZJVB2EHHVF7FD",
            "ServerCertificateName": "MySSLCertificate",
            "Expiration": "2016-05-20T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::123456789012:server-certificate/MySSLCertificate",
            "UploadDate": "2015-06-01T11:56:08Z"
        }
    ]
}

Verify the Expiration parameter value (expiration date) for each SSL/TLS certificate returned by the list-server-certificates command and determine if there are any expired server certificates currently stored in AWS IAM. If so, use the AWS API to remove them (see the Remediation/Resolution section).

Remediation / Resolution

To delete any expired SSL/TLS certificates currently available in AWS IAM, perform the following:

Note: Removing invalid certificates via the AWS Management Console is not currently supported. To delete SSL/TLS certificates stored in IAM via the AWS API, use the Command Line Interface (CLI).

Using AWS CLI

01 First, run the describe-load-balancers command (OSX/Linux/UNIX) to make sure that the expired server certificate that will be removed is not currently deployed on an active load balancer. The following command example returns the SSL certificate ARN for an AWS Elastic Load Balancer named MyWebELB:

aws elb describe-load-balancers \
	--region us-east-1 \
	--load-balancer-names MyWebELB \
	--query 'LoadBalancerDescriptions[*].ListenerDescriptions[*].Listener.SSLCertificateId'

02 The command output should return the Amazon Resource Name (ARN) for the SSL certificate currently used by the selected ELB:

[
    [
        "arn:aws:iam::123456789012:server-certificate/MySSLCertificate"
    ]
]

Now compare the returned certificate ARN with the ARN of each expired SSL/TLS certificate (see the Audit section for the expired certificates' ARNs). If the comparison shows that one or more ELBs are using expired certificates, follow the next step to remove the listener references to the invalid certificates before deleting them; otherwise continue with step no. 4.

03 If the load balancer listener that uses the invalid certificate is not removed before the certificate, the ELB may continue to reference the certificate and work improperly. To avoid issues at the ELB level, run the delete-load-balancer-listeners command (OSX/Linux/UNIX) to remove the ELB listener that is using the expired SSL certificate (the command does not produce any output):

aws elb delete-load-balancer-listeners \
	--region us-east-1 \
	--load-balancer-name MyWebELB \
	--load-balancer-ports 443

04 Now that it is safe to remove the expired SSL/TLS certificate from AWS IAM, run the delete-server-certificate command (OSX/Linux/UNIX) using the name of the invalid certificate as the identifier (the command does not produce any output):

aws iam delete-server-certificate \
	--server-certificate-name MySSLCertificate
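The Audit and Remediation steps above, as an added Python example that is not part of the Conformity page or of any AWS tooling: it parses captured output of `aws iam list-server-certificates` and `aws elb describe-load-balancers` (constructed samples embedded below, modelled on the page's output, with an extra still-valid certificate and a second load balancer added), flags every certificate whose Expiration lies in the past, finds the ELB listeners still bound to those certificates, and emits the CLI commands in the order the page requires: listener removal first, certificate deletion second. The sample data, the reference date (the page's publication date) and the region are assumptions; the commands are returned for review rather than executed.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the list-server-certificates output in the Audit
# section; MyRenewedCertificate is an addition that has not expired yet.
LIST_SERVER_CERTIFICATES_OUTPUT = """
{
  "ServerCertificateMetadataList": [
    {"ServerCertificateId": "CDDAJCJBZJVB2EHHVF7FD",
     "ServerCertificateName": "MySSLCertificate",
     "Expiration": "2016-05-20T23:59:59Z", "Path": "/",
     "Arn": "arn:aws:iam::123456789012:server-certificate/MySSLCertificate",
     "UploadDate": "2015-06-01T11:56:08Z"},
    {"ServerCertificateId": "EXAMPLEIDSTILLVALID00",
     "ServerCertificateName": "MyRenewedCertificate",
     "Expiration": "2017-05-20T23:59:59Z", "Path": "/",
     "Arn": "arn:aws:iam::123456789012:server-certificate/MyRenewedCertificate",
     "UploadDate": "2016-05-01T09:00:00Z"}
  ]
}
"""

# Constructed sample modelled on describe-load-balancers output, kept unfiltered
# (no --query) so that the listener port is available alongside the ARN.
DESCRIBE_LOAD_BALANCERS_OUTPUT = """
{
  "LoadBalancerDescriptions": [
    {"LoadBalancerName": "MyWebELB",
     "ListenerDescriptions": [
       {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
        "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/MySSLCertificate"}},
       {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}}
     ]},
    {"LoadBalancerName": "MyApiELB",
     "ListenerDescriptions": [
       {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
        "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/MyRenewedCertificate"}}
     ]}
  ]
}
"""

# Constructed reference point: the page's publication date.
REFERENCE_TIME = datetime(2016, 5, 25, tzinfo=timezone.utc)


def parse_aws_timestamp(value):
    """Parse the ISO-8601 UTC timestamp format returned by the IAM API."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_expired_certificates(list_output, now):
    """Return the metadata of every server certificate whose Expiration is before now."""
    data = json.loads(list_output)
    return [cert for cert in data["ServerCertificateMetadataList"]
            if parse_aws_timestamp(cert["Expiration"]) < now]


def find_listeners_using(describe_output, cert_arns):
    """Return (load balancer name, port) for each listener bound to one of cert_arns."""
    wanted = set(cert_arns)
    hits = []
    for lb in json.loads(describe_output)["LoadBalancerDescriptions"]:
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            # Plain HTTP listeners carry no SSLCertificateId, hence .get()
            if listener.get("SSLCertificateId") in wanted:
                hits.append((lb["LoadBalancerName"], listener["LoadBalancerPort"]))
    return hits


def plan_remediation(list_output, describe_output, now, region="us-east-1"):
    """Build the Remediation-section commands in a safe order: every listener that
    references an expired certificate is removed before the certificate itself."""
    expired = find_expired_certificates(list_output, now)
    listeners = find_listeners_using(describe_output, [c["Arn"] for c in expired])
    commands = [f"aws elb delete-load-balancer-listeners --region {region} "
                f"--load-balancer-name {lb} --load-balancer-ports {port}"
                for lb, port in listeners]
    commands += [f"aws iam delete-server-certificate "
                 f"--server-certificate-name {c['ServerCertificateName']}"
                 for c in expired]
    return commands


if __name__ == "__main__":
    for cmd in plan_remediation(LIST_SERVER_CERTIFICATES_OUTPUT,
                                DESCRIBE_LOAD_BALANCERS_OUTPUT, REFERENCE_TIME):
        print(cmd)
```

Against the constructed samples the script reports MySSLCertificate as expired, finds it bound to port 443 of MyWebELB, and prints the listener deletion followed by the certificate deletion, which mirrors steps 03 and 04; MyRenewedCertificate and MyApiELB are left untouched. In practice the two JSON inputs would be the captured output of the CLI commands shown on the page, and the emitted commands should be reviewed before they are run.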

Publication date May 25, 2016