
SSL/TLS Certificate Expiry 30 Days

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-019

Ensure that your SSL/TLS certificates stored in AWS IAM are renewed 30 (thirty) days before their validity period ends.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

When SSL/TLS certificates are not renewed prior to their expiration date, they become invalid and the communication between the client and the AWS resource that implements the certificates (e.g. AWS ELB) is no longer secure.

Note: This guide is using the Elastic Load Balancer (ELB) as the AWS resource that implements server certificates managed by IAM and is assuming that the ELBs verified are using valid SSL/TLS certificates for their HTTPS/SSL front-end listeners.


Audit

To determine if the SSL/TLS certificates currently stored in IAM are about to expire in 30 days, you need to perform the following:

Note: Retrieving certificate expiration information via the AWS Management Console is not currently supported. To request information about the SSL/TLS certificates stored in AWS IAM, use the AWS Command Line Interface (CLI).

Using AWS CLI

01 Run list-server-certificates command (OSX/Linux/UNIX) to list all the SSL/TLS server certificates currently stored in IAM:

aws iam list-server-certificates

02 The command output should return an array that contains all the server certificates stored in IAM and their metadata (name, ID, expiration date, etc):

{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateId": "ABDAJCJBZJVB2EHHVF30DE",
            "ServerCertificateName": "MySSLCertificate",
            "Expiration": "2016-05-24T23:59:59Z",
            "Path": "/",
            "Arn": "arn:aws:iam::3433668555130:server-certificate/MySSLCertificate",
            "UploadDate": "2016-04-01T11:56:08Z"
        }
    ]
}

Verify the Expiration parameter value for each SSL/TLS certificate returned by the list-server-certificates command and determine whether any certificates are about to expire within 30 days from now and therefore need to be renewed (see the Remediation/Resolution section for the renewal process).
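As an added example that is not part of the original guide, the following Python script applies the 30-day check to output in the shape returned by list-server-certificates, classifying each certificate as expired, expiring or ok; the sample JSON (certificate names, account ID and dates) is constructed for this example and trimmed to the fields the check uses.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape returned by `aws iam list-server-certificates`
# (trimmed to the fields used here); names, account ID and dates are made up.
SAMPLE_OUTPUT = """
{
    "ServerCertificateMetadataList": [
        {"ServerCertificateName": "web-frontend",
         "Expiration": "2016-05-24T23:59:59Z",
         "Arn": "arn:aws:iam::111122223333:server-certificate/web-frontend"},
        {"ServerCertificateName": "api-gateway",
         "Expiration": "2017-01-15T23:59:59Z",
         "Arn": "arn:aws:iam::111122223333:server-certificate/api-gateway"},
        {"ServerCertificateName": "legacy-portal",
         "Expiration": "2016-04-20T23:59:59Z",
         "Arn": "arn:aws:iam::111122223333:server-certificate/legacy-portal"}
    ]
}
"""


def parse_expiration(value):
    """Parse the ISO 8601 'Expiration' field (UTC, 'Z' suffix) into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_certificates(list_output, now, warn_days=30):
    """Return {certificate name: 'expired' | 'expiring' | 'ok'}.

    'expiring' means the certificate is still valid but reaches its expiration
    date within warn_days of `now`, i.e. it must be renewed (rule IAM-019).
    """
    threshold = now + timedelta(days=warn_days)
    result = {}
    for cert in json.loads(list_output)["ServerCertificateMetadataList"]:
        expires = parse_expiration(cert["Expiration"])
        if expires <= now:
            status = "expired"
        elif expires <= threshold:
            status = "expiring"
        else:
            status = "ok"
        result[cert["ServerCertificateName"]] = status
    return result


if __name__ == "__main__":
    # Fixed audit time so the run is reproducible; use datetime.now(timezone.utc) in practice.
    audit_time = datetime(2016, 5, 1, tzinfo=timezone.utc)
    for name, status in classify_certificates(SAMPLE_OUTPUT, audit_time).items():
        print(f"{name}: {status}")
```

In practice, pipe the real command output into the script (for example, read it from stdin in place of SAMPLE_OUTPUT) and treat every "expiring" or "expired" entry as a finding for the Remediation/Resolution steps.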

Remediation / Resolution

To renew (replace) the SSL/TLS certificates currently deployed on your Elastic Load Balancers, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under LOAD BALANCING, click Load Balancers.

04 Select the Elastic Load Balancer that is using the certificate which is about to expire.

05 Select the Listeners tab from the bottom panel and click the Change link available in the SSL Certificate column.

06 In the Select Certificate dialog box, perform one of the following actions:

  1. If you have already deployed a certificate with AWS Certificate Manager (ACM), select Choose an existing certificate from AWS Certificate Manager (ACM) and choose the new SSL certificate from the Certificate dropdown list.
  2. If you have already uploaded an SSL certificate to AWS IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM) and choose the new SSL certificate from the Certificate dropdown list.
  3. If you do not yet have an SSL/TLS certificate uploaded to AWS IAM, select Upload a new SSL certificate to AWS Identity and Access Management (IAM) and deploy the new SSL certificate by entering the required data (the certificate, private key and certificate chain files) granted by the SSL provider from which you bought the certificate.

07 Click Save to apply the new SSL certificate and replace the one that is about to expire.

08 Repeat steps no. 4 – 7 for each load balancer in the current region that needs renewed SSL/TLS certificates. Change the AWS region from the navigation bar to repeat the process for other regions.

Using AWS CLI

01 Replace the SSL certificates that are about to expire (deployed on your Elastic Load Balancers) with new certificates uploaded to IAM. Run upload-server-certificate command (OSX/Linux/UNIX) to upload the new/renewed SSL certificate to AWS IAM using the certificate files (.pem files) granted by your SSL provider as command parameters:

aws iam upload-server-certificate \
	--server-certificate-name MySSLCertificate \
	--certificate-body file://my_crt_file.pem \
	--private-key file://my_key_file.pem \
	--certificate-chain file://my_certificate_chain_file.pem

02 The command output should return the SSL certificate metadata (ID, expiration date, ARN, etc):

{
     "ServerCertificateMetadata": {
         "ServerCertificateId": "ASCAJCJBZJVB2EHHVF5KE",
         "ServerCertificateName": "MySSLCertificate",
         "Expiration": "20130-05-24T23:59:59Z",
         "Path": "/",
         "Arn": "arn:aws:iam::3433668555130:server-certificate/MySSLCertificate",
         "UploadDate": "2016-05-24T11:56:08Z"
     }
}

03 Run set-load-balancer-listener-ssl-certificate command (OSX/Linux/UNIX) using the renewed certificate ARN as command parameter to replace the ELB’s existing SSL certificate with the one uploaded to AWS IAM at the previous step (if successful, the command does not return an output):

aws elb set-load-balancer-listener-ssl-certificate \
	--load-balancer-name MyWebELB \
	--load-balancer-port 443 \
	--ssl-certificate-id arn:aws:iam::3433668555130:server-certificate/MySSLCertificate

Publication date May 25, 2016