Ensure that your SSL/TLS certificates stored in AWS IAM are renewed 7 (seven) days before their validity period ends.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When SSL/TLS certificates are not renewed prior to their expiration date, these become invalid and the communication between the client and the AWS resource that implements the certificates (e.g. AWS ELB) is no longer secure.
Note: This guide is using the Elastic Load Balancer (ELB) as the AWS resource that implements server certificates managed by IAM and is assuming that the ELBs verified are using valid SSL/TLS certificates for their HTTPS/SSL front-end listeners.
Audit
To determine if the SSL/TLS certificates currently stored in IAM are about to expire in 7 days, you need to perform the following:
Note: Getting the certificates expiration information via AWS Management Console is not currently supported. To request information about the SSL/TLS certificates stored in AWS IAM use the Command Line Interface (CLI).Remediation / Resolution
To renew (replace) the SSL/TLS certificates currently deployed on your Elastic Load Balancers, perform the following:
References
- AWS Documentation
- AWS Identity and Access Management FAQs
- Working with Server Certificates
- Managing Your Server Certificates
- Replace the SSL Certificate for Your Load Balancer
- AWS Command Line Interface (CLI) Documentation
- list-server-certificates
- upload-server-certificate
- elb
- set-load-balancer-listener-ssl-certificate
Unlock the Remediation Steps
Free 30-day Trial
Automatically audit your configurations with Conformity
and gain access to our cloud security platform.
You are auditing:
SSL/TLS Certificate Expiry 7 Days
Risk Level: High