How to Find Expired AWS IAM Server Certificates

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB.

info

This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.

Prerequisites

This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.

Directions

  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}}
    kind=aws_iam_server_certificate, ..., region=fixinventory-poweruser
    kind=aws_iam_server_certificate, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}} | dump
    reported:
      id: /aws/iam/123
      name: some-name
      ctime: '2022-12-05T22:53:14Z'
      kind: aws_iam_server_certificate
      age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_server_certificate resources.
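The same check can be run directly against the IAM API when Fix Inventory is not available. The following is an added example (not part of the Fix Inventory docs or tooling): `classify_certificates` mirrors the `expires < now` condition of the search above and adds an expiring-soon window, operating on the `ServerCertificateMetadata` shape returned by boto3's `iam.list_server_certificates()`; the sample certificates, account id and function names are constructed for illustration.

```python
"""Expired/expiring IAM server certificate check (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of IAM's ServerCertificateMetadataList
# (ServerCertificateName, Arn, Expiration); the account id is fictitious.
SAMPLE_CERTS = [
    {"ServerCertificateName": "legacy-elb-cert",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-elb-cert",
     "Expiration": datetime(2023, 1, 31, tzinfo=timezone.utc)},
    {"ServerCertificateName": "cloudfront-cert",
     "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront-cert",
     "Expiration": datetime(2023, 3, 20, tzinfo=timezone.utc)},
    {"ServerCertificateName": "fresh-cert",
     "Arn": "arn:aws:iam::123456789012:server-certificate/fresh-cert",
     "Expiration": datetime(2024, 6, 1, tzinfo=timezone.utc)},
]

# Fixed reference time so the constructed sample gives stable results.
REFERENCE_NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)


def classify_certificates(certs, now, warn_days=30):
    """Return {'expired': [...], 'expiring': [...]} by certificate name.

    'expired' is the docs' search condition (expires < now); 'expiring'
    flags certificates that lapse within warn_days so renewals can be
    scheduled before the critical check fires.
    """
    expired, expiring = [], []
    for cert in certs:
        exp = cert["Expiration"]
        if exp.tzinfo is None:  # boto3 returns aware datetimes; be defensive
            exp = exp.replace(tzinfo=timezone.utc)
        if exp < now:
            expired.append(cert["ServerCertificateName"])
        elif exp < now + timedelta(days=warn_days):
            expiring.append(cert["ServerCertificateName"])
    return {"expired": expired, "expiring": expiring}


def fetch_iam_certificates():
    """Fetch the live list with boto3 (paginated); needs AWS credentials."""
    import boto3
    paginator = boto3.client("iam").get_paginator("list_server_certificates")
    certs = []
    for page in paginator.paginate():
        certs.extend(page["ServerCertificateMetadataList"])
    return certs


if __name__ == "__main__":
    print(classify_certificates(SAMPLE_CERTS, REFERENCE_NOW))
```

Replace `SAMPLE_CERTS` with `fetch_iam_certificates()` and `REFERENCE_NOW` with `datetime.now(timezone.utc)` to run it against a real account.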

Remediation

  • Delete the expired certificates.
  • Deleting a certificate can affect your application if the expired server certificate is still referenced by Elastic Load Balancing, CloudFront, or another service.
  • Reconfigure each affected service to use a valid certificate so that application functionality is not interrupted.

note

Please refer to the AWS IAM documentation for details.

Further Reading