Skip to main content

How to Find Expired AWS IAM Server Certificates

Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website behind the ELB.


This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.


This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.


  1. Execute the following search command in Fix Inventory Shell:

    > search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}}
    ​kind=aws_iam_server_certificate, ..., region=fixinventory-poweruser
    ​kind=aws_iam_server_certificate, ..., account=poweruser-team
  2. Pipe the search command into the dump command:

    > search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}} | dump
    ​ id: /aws/iam/123
    ​ name: some-name
    ​ ctime: '2022-12-05T22:53:14Z'
    ​ kind: aws_iam_server_certificate
    ​ age: 2mo28d

    The command output will list the details of all non-compliant aws_iam_server_certificate resources.


  • Delete the expired certificates.
  • Deleting the certificate could have implications for your application if you are using an expired server certificate with Elastic Load Balancing, CloudFront, etc.
  • One has to make configurations at respective services to ensure there is no interruption in application functionality.

Please refer to the AWS IAM documentation for details.

Further Reading