How to Find Expired AWS IAM Server Certificates
Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate is accidentally deployed to a resource such as an AWS Elastic Load Balancer (ELB), which could damage the credibility of the application or website behind the ELB.

Info: This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.
Prerequisites
This guide assumes that you have already installed and configured Resoto to collect your AWS resources.
Directions
Execute the following `search` command in Resoto Shell or Resoto UI:

```
> search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}}
kind=aws_iam_server_certificate, ..., region=resoto-poweruser
kind=aws_iam_server_certificate, ..., account=poweruser-team
```

Pipe the `search` command into the `dump` command:

```
> search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}} | dump
reported:
  id: /aws/iam/123
  name: some-name
  ctime: '2022-12-05T22:53:14Z'
  kind: aws_iam_server_certificate
  age: 2mo28d
```

The command output will list the details of all non-compliant `aws_iam_server_certificate` resources.
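The Resoto search above compares each certificate's `expires` attribute against a configurable point in time. The following script is an added example, not Resoto's code, that performs the same comparison directly against the shape of the IAM `ListServerCertificates` API response (the `ServerCertificateMetadataList` entries with their `Expiration` field), so it can be run without Resoto. It generalizes the check slightly by also flagging certificates that will expire within an optional number of days. The `SAMPLE_CERTIFICATES` data and the fixed `NOW` timestamp are constructed for this example; `fetch_server_certificates` assumes boto3 is installed and credentials are configured, and is only needed against a real account.

```python
from datetime import datetime, timedelta, timezone


def find_expiring_certificates(metadata_list, now=None, within_days=0):
    """Return IAM server certificates whose Expiration is before now + within_days.

    metadata_list has the shape of boto3's ServerCertificateMetadataList:
    a list of dicts with at least ServerCertificateName, Arn and Expiration.
    within_days=0 reproduces the page's check (already expired); a positive
    value also catches certificates about to expire.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=within_days)
    findings = []
    for cert in metadata_list:
        expires = cert["Expiration"]
        # boto3 returns timezone-aware datetimes; normalise naive ones to UTC
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires < cutoff:
            findings.append({
                "name": cert["ServerCertificateName"],
                "arn": cert["Arn"],
                "expires": expires,
                "expired": expires < now,
                "days_left": (expires - now).days,
            })
    # Most urgent first
    return sorted(findings, key=lambda f: f["expires"])


def fetch_server_certificates():
    """Fetch all IAM server certificate metadata via boto3 (assumption: boto3
    is installed and AWS credentials are configured). Not called by the demo."""
    import boto3  # imported lazily so the rest of the module works offline

    iam = boto3.client("iam")
    certs = []
    for page in iam.get_paginator("list_server_certificates").paginate():
        certs.extend(page["ServerCertificateMetadataList"])
    return certs


# Constructed sample data mirroring the API response shape (not real resources)
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)
SAMPLE_CERTIFICATES = [
    {
        "ServerCertificateName": "legacy-web",
        "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web",
        "Expiration": datetime(2023, 1, 15, tzinfo=timezone.utc),
    },
    {
        "ServerCertificateName": "api-gateway-edge",
        "Arn": "arn:aws:iam::123456789012:server-certificate/api-gateway-edge",
        "Expiration": datetime(2023, 3, 11, tzinfo=timezone.utc),
    },
    {
        "ServerCertificateName": "fresh-cert",
        "Arn": "arn:aws:iam::123456789012:server-certificate/fresh-cert",
        "Expiration": datetime(2024, 4, 1, tzinfo=timezone.utc),
    },
]


def report(now=NOW, within_days=30, metadata_list=SAMPLE_CERTIFICATES):
    """Print non-compliant certificates and return them for further handling."""
    findings = find_expiring_certificates(metadata_list, now=now, within_days=within_days)
    for f in findings:
        state = "EXPIRED" if f["expired"] else f"expires in {f['days_left']}d"
        print(f"{f['name']:<20} {state:<16} {f['arn']}")
    return findings


if __name__ == "__main__":
    report()
```

Run against a live account by passing `fetch_server_certificates()` as `metadata_list` and omitting `now`; `within_days` is the equivalent of tuning `certificate_expiration` in the Resoto search, and a value of 0 gives exactly the page's "already expired" list.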
Remediation
- Delete the expired certificates.
- Deleting a certificate can affect your application if the expired server certificate is still referenced by Elastic Load Balancing, CloudFront, or another service.
- Update the configuration of each affected service before deleting the certificate so that application functionality is not interrupted.
Note: Please refer to the AWS IAM documentation for details.