Amazon ACM

📘 Removing expired SSL/TLS certificates from AWS IAM is crucial to maintain security and prevent potential vulnerabilities. Expired certificates can lead to denial of service and other security issues, emphasizing the need for regular certificate management and updates.

  • Section: SSL / TLS
  • Severity: High
  • CWE: CWE-16 Misconfiguration
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: Denial of Service
  • Rule Set: Rapticore Benchmark

📘 Validating all requests during the SSL/TLS certificate issuance or renewal process is vital for security. This step ensures the authenticity and integrity of the certificates, safeguarding against misuse and potential security breaches.

  • Section: SSL / TLS
  • Severity: High
  • CWE: CWE-16 Misconfiguration
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: Denial of Service
  • Rule Set: Rapticore Benchmark

📘 Proactively renewing SSL/TLS certificates managed by AWS ACM before their expiration enhances security and prevents service interruptions. Timely renewal, ideally 7 days before expiration, is crucial for continuous protection and trust.

  • Section: SSL / TLS
  • Severity: High
  • CWE: CWE-298 Improper Validation of Certificate Expiration
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: Information Disclosure, Tampering
  • Rule Set: Rapticore Benchmark

📘 Renewing SSL/TLS certificates managed by AWS ACM 30 days before expiry is a best practice for maintaining secure communications. This early renewal helps to avoid the risks associated with expired certificates, ensuring continuous security and trust.

  • Section: SSL / TLS
  • Severity: High
  • CWE: CWE-298 Improper Validation of Certificate Expiration
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: Information Disclosure, Tampering
  • Rule Set: Rapticore Benchmark

📘 Using ACM single-domain certificates instead of wildcard certificates in AWS accounts is a security measure to reduce risk. This practice ensures tighter control and limits the potential impact of a compromised certificate to a single hostname.

  • Section: SSL / TLS
  • Severity: High
  • CWE: CWE-16 Misconfiguration
  • Assurance Scope: PCI, NIST
  • Threat Modeling Principle: Information Disclosure, Tampering
  • Rule Set: Rapticore Benchmark
