Expired SSL/TLS Certificates Stored in AWS IAM Are Removed
Description:
Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates are employed to encrypt data between the client and server, providing a secure communication channel. Over time, these certificates expire and are no longer valid. Storing expired certificates in AWS Identity and Access Management (IAM) can lead to potential confusion, misconfiguration, or unintentional use. To maintain a clean and secure environment, it's essential to periodically review and remove expired SSL/TLS certificates from IAM.
Remediation:
1. Identify and Remove Expired Certificates:
AWS Management Console:
- Navigate to the IAM service in the AWS Console.
- In the IAM dashboard's left navigation pane, click on Identity Providers.
- Review the list of certificates, and inspect the Expiration column for each.
- If you identify an expired certificate, select it.
- Click on the Delete button to remove the expired certificate.
AWS CLI:
To list the server certificates:
aws iam list-server-certificates
Review the list and note down the ARN or ServerCertificateName of any expired certificates.
To delete an expired certificate:
aws iam delete-server-certificate --server-certificate-name YOUR_SERVER_CERTIFICATE_NAME
Replace YOUR_SERVER_CERTIFICATE_NAME
with the appropriate value.
Terraform:
If you're managing AWS resources using Terraform, you might have aws_iam_server_certificate
resources defined:
resource "aws_iam_server_certificate" "example" {
# ... other configurations ...
}
To remove expired certificates:
- Delete or comment out the
aws_iam_server_certificate
resource block corresponding to the expired certificate. - Run
terraform plan
to verify the changes. - Apply the changes using
terraform apply
.
Recommendation:
Set up a routine to periodically review and validate the SSL/TLS certificates stored in IAM. Employ tools or scripts to automate the process of checking certificate expiration dates. Ensure that only valid and necessary certificates are stored, and immediately remove any expired ones to reduce clutter and potential security risks. It's also recommended to set up monitoring and alerting mechanisms to notify administrators about upcoming certificate expirations, allowing timely renewal and avoiding service disruptions.
Updated about 1 year ago