Ensure that the SSL/TLS server certificates stored in AWS IAM are renewed at least 30 (thirty) days before they expire.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When SSL/TLS certificates are not renewed before their expiration date, they become invalid: clients that validate the certificate reject the connection to the AWS resource presenting it (e.g. an AWS ELB HTTPS listener), so the service becomes unreachable, while clients or users that click through the error lose the server authentication the certificate was meant to provide.
Note: This guide uses the Elastic Load Balancer (ELB) as the AWS resource that implements server certificates managed by IAM, and assumes that the ELBs being verified use valid SSL/TLS certificates for their HTTPS/SSL front-end listeners.
Audit
To determine whether any SSL/TLS certificate currently stored in IAM expires within the next 30 days, perform the following:
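The check itself, as an added example that is not part of the original rule page: it parses the JSON returned by the `aws iam list-server-certificates` command the page references and flags every certificate whose `Expiration` falls within the 30-day renewal window (already-expired certificates are reported with a negative day count). The certificate names, IDs, ARNs and dates in the sample listing are constructed for illustration and are not real AWS data.

```python
"""Audit: flag IAM server certificates that expire within 30 days.

Added example, not part of the Conformity rule page. Parses the JSON that
`aws iam list-server-certificates --output json` returns and reports every
certificate whose Expiration is inside the renewal window.
"""
import json
import subprocess
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 30  # the rule's threshold


def parse_expiration(value):
    """IAM timestamps look like 2024-05-01T00:00:00Z or ...+00:00; normalise
    the trailing Z so datetime.fromisoformat accepts both on older Pythons."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def expiring_certificates(listing, now, window_days=RENEWAL_WINDOW_DAYS):
    """Return (name, arn, days_left) for every certificate expiring within
    window_days of `now`, including ones already expired (negative days_left),
    soonest first."""
    findings = []
    for meta in listing.get("ServerCertificateMetadataList", []):
        days_left = (parse_expiration(meta["Expiration"]) - now).days
        if days_left <= window_days:
            findings.append((meta["ServerCertificateName"], meta["Arn"], days_left))
    return sorted(findings, key=lambda f: f[2])


def list_server_certificates_live():
    """Query AWS for real; needs credentials allowed iam:ListServerCertificates."""
    out = subprocess.run(
        ["aws", "iam", "list-server-certificates", "--output", "json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample listing (not real AWS data) in the shape the CLI returns.
SAMPLE_LISTING = json.loads("""{
  "ServerCertificateMetadataList": [
    {"Path": "/", "ServerCertificateName": "prod-web-2023",
     "ServerCertificateId": "ASCAEXAMPLE111111111",
     "Arn": "arn:aws:iam::123456789012:server-certificate/prod-web-2023",
     "UploadDate": "2023-06-01T12:00:00Z", "Expiration": "2024-06-20T00:00:00Z"},
    {"Path": "/", "ServerCertificateName": "api-gw-2024",
     "ServerCertificateId": "ASCAEXAMPLE222222222",
     "Arn": "arn:aws:iam::123456789012:server-certificate/api-gw-2024",
     "UploadDate": "2024-01-15T12:00:00Z", "Expiration": "2025-01-15T00:00:00Z"},
    {"Path": "/", "ServerCertificateName": "legacy-2022",
     "ServerCertificateId": "ASCAEXAMPLE333333333",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-2022",
     "UploadDate": "2022-05-30T12:00:00Z", "Expiration": "2024-05-30T00:00:00Z"}
  ]
}""")


def audit(listing=None, now=None):
    """Audit a listing (defaults to a live CLI call) against the current time."""
    listing = listing if listing is not None else list_server_certificates_live()
    now = now or datetime.now(timezone.utc)
    return expiring_certificates(listing, now)


if __name__ == "__main__":
    # Run against the constructed sample with a fixed "now" so output is stable;
    # drop both arguments to audit() to check the real account.
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, arn, days in audit(SAMPLE_LISTING, fixed_now):
        status = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{name}: {status} ({arn})")
```

Run it with no arguments to `audit()` against a real account; any certificate it prints needs the remediation below, and an `EXPIRED` entry means the listener using it is already failing validation. The comparison is done in UTC because IAM reports `Expiration` in UTC; using a naive local time would shift the window by the timezone offset.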
Note: Retrieving the certificates' expiration information via the AWS Management Console is not currently supported. To request information about the SSL/TLS certificates stored in AWS IAM, use the Command Line Interface (CLI).
Remediation / Resolution
To renew (replace) the SSL/TLS certificates currently deployed on your Elastic Load Balancers, perform the following:
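The replacement procedure end to end, as an added example that is not part of the original rule page: it wraps the AWS CLI commands the page references (`aws iam upload-server-certificate` and `aws elb set-load-balancer-listener-ssl-certificate`), extracts the new certificate's ARN from the upload response, repoints the listener, and verifies with `aws elb describe-load-balancers` that the listener now presents the new ARN before the old certificate is deleted. The load balancer name, certificate names, file paths and ARNs are assumptions, and the two sample CLI outputs are constructed for illustration.

```python
"""Remediation: replace an expiring certificate on a Classic ELB HTTPS listener.

Added example, not part of the Conformity rule page. Every step is a real
AWS CLI call; names, paths and ARNs below are assumptions.
"""
import json
import subprocess


def upload_command(name, cert_path, key_path, chain_path=None):
    """argv that uploads the renewed certificate (PEM files) into IAM."""
    cmd = ["aws", "iam", "upload-server-certificate",
           "--server-certificate-name", name,
           "--certificate-body", f"file://{cert_path}",
           "--private-key", f"file://{key_path}",
           "--output", "json"]
    if chain_path:  # intermediate chain; omit only for a self-contained cert
        cmd += ["--certificate-chain", f"file://{chain_path}"]
    return cmd


def swap_listener_command(lb_name, port, cert_arn):
    """argv that repoints the ELB's HTTPS/SSL listener at the new certificate."""
    return ["aws", "elb", "set-load-balancer-listener-ssl-certificate",
            "--load-balancer-name", lb_name,
            "--load-balancer-port", str(port),
            "--ssl-certificate-id", cert_arn]


def describe_command(lb_name):
    return ["aws", "elb", "describe-load-balancers",
            "--load-balancer-names", lb_name, "--output", "json"]


def uploaded_arn(upload_output):
    """Pull the new certificate's ARN out of upload-server-certificate's JSON."""
    return json.loads(upload_output)["ServerCertificateMetadata"]["Arn"]


def listener_certificate(describe_output, port):
    """ARN the listener on `port` presents, or None if there is no such listener
    (or it is plain HTTP/TCP and carries no certificate)."""
    for lb in json.loads(describe_output)["LoadBalancerDescriptions"]:
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            if listener["LoadBalancerPort"] == port:
                return listener.get("SSLCertificateId")
    return None


def run(cmd):
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def rotate(lb_name, port, new_name, cert_path, key_path, chain_path=None,
           old_name=None):
    """Upload, swap, verify; delete the old certificate only after the listener
    provably presents the new one. Returns the new certificate's ARN."""
    new_arn = uploaded_arn(run(upload_command(new_name, cert_path, key_path, chain_path)))
    run(swap_listener_command(lb_name, port, new_arn))
    current = listener_certificate(run(describe_command(lb_name)), port)
    if current != new_arn:
        raise RuntimeError(f"listener {lb_name}:{port} still presents {current}")
    if old_name:
        # Only safe once no listener on any load balancer still references it.
        run(["aws", "iam", "delete-server-certificate",
             "--server-certificate-name", old_name])
    return new_arn


# Constructed sample CLI responses (not real AWS data) used to exercise the
# parsing functions without credentials.
SAMPLE_UPLOAD_OUTPUT = json.dumps({"ServerCertificateMetadata": {
    "Path": "/", "ServerCertificateName": "prod-web-2024",
    "ServerCertificateId": "ASCAEXAMPLE444444444",
    "Arn": "arn:aws:iam::123456789012:server-certificate/prod-web-2024",
    "UploadDate": "2024-06-01T12:00:00Z", "Expiration": "2025-06-01T00:00:00Z"}})

SAMPLE_DESCRIBE_OUTPUT = json.dumps({"LoadBalancerDescriptions": [{
    "LoadBalancerName": "prod-web-elb",
    "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80,
                      "SSLCertificateId":
                      "arn:aws:iam::123456789012:server-certificate/prod-web-2024"},
         "PolicyNames": []},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                      "InstanceProtocol": "HTTP", "InstancePort": 80},
         "PolicyNames": []}]}]})
```

A real run would be `rotate("prod-web-elb", 443, "prod-web-2024", "prod-web.crt", "prod-web.key", "chain.crt", old_name="prod-web-2023")`, with credentials allowed `iam:UploadServerCertificate`, `elasticloadbalancing:SetLoadBalancerListenerSSLCertificate`, `elasticloadbalancing:DescribeLoadBalancers` and, for the final step, `iam:DeleteServerCertificate`. The new certificate is uploaded under a fresh name rather than overwriting the old one, so the listener swap is a single atomic API call and the old certificate stays available for rollback until the verification passes; pass `old_name` only after confirming that no other listener still references it.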
References
- AWS Documentation
- AWS Identity and Access Management FAQs
- Working with Server Certificates
- Managing Your Server Certificates
- Replace the SSL Certificate for Your Load Balancer
- AWS Command Line Interface (CLI) Documentation
- list-server-certificates
- upload-server-certificate
- elb
- set-load-balancer-listener-ssl-certificate