How to Find Expired AWS IAM Server Certificates
Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate is deployed by accident to a resource such as an AWS Elastic Load Balancer (ELB), where clients would see certificate errors and the credibility of the application or website behind the ELB would suffer.
info
This security check is part of the CIS Amazon Web Services Benchmarks and is rated severity critical.
Prerequisites
This guide assumes that you have already installed and configured Fix Inventory to collect your AWS resources.
Directions
- Execute the following search command in Fix Inventory Shell:

  > search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}}

  kind=aws_iam_server_certificate, ..., region=fixinventory-poweruser
  kind=aws_iam_server_certificate, ..., account=poweruser-team

- Pipe the search command into the dump command:

  > search is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}} | dump

  reported:
    id: /aws/iam/123
    name: some-name
    ctime: '2022-12-05T22:53:14Z'
    kind: aws_iam_server_certificate
    age: 2mo28d

The command output will list the details of all non-compliant aws_iam_server_certificate resources.
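The same check, performed directly on IAM server certificate metadata rather than through Fix Inventory, as an added example that is not part of this guide or of the Fix Inventory project. It assumes the boto3 list_server_certificates response shape (ServerCertificateMetadataList with ServerCertificateName, Arn and Expiration); the sample records and the date used as "now" are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ServerCertificate:
    name: str
    arn: str
    expiration: datetime  # timezone-aware UTC


def parse_iam_metadata(items):
    """Convert boto3 ServerCertificateMetadata dicts into ServerCertificate records."""
    return [
        ServerCertificate(
            name=item["ServerCertificateName"],
            arn=item["Arn"],
            expiration=item["Expiration"].astimezone(timezone.utc),
        )
        for item in items
    ]


def find_expiring(certs, now, lead_days=0):
    """Return certificates whose Expiration is before now + lead_days, oldest first.
    This mirrors `expires < {{certificate_expiration.from_now}}`: lead_days=0 finds
    certificates that have already expired; a positive value also finds those
    that will expire within that window, so they can be rotated before they fail."""
    cutoff = now + timedelta(days=lead_days)
    return sorted((c for c in certs if c.expiration < cutoff), key=lambda c: c.expiration)


def fetch_from_iam():
    """Live variant: page through IAM ListServerCertificates (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample below runs without boto3
    iam = boto3.client("iam")
    items = []
    for page in iam.get_paginator("list_server_certificates").paginate():
        items.extend(page["ServerCertificateMetadataList"])
    return parse_iam_metadata(items)


# Constructed sample in the shape of an IAM ListServerCertificates response.
SAMPLE_METADATA = [
    {"ServerCertificateName": "legacy-web", "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web",
     "Expiration": datetime(2023, 1, 15, tzinfo=timezone.utc)},
    {"ServerCertificateName": "api-edge", "Arn": "arn:aws:iam::123456789012:server-certificate/api-edge",
     "Expiration": datetime(2023, 3, 10, tzinfo=timezone.utc)},
    {"ServerCertificateName": "main-site", "Arn": "arn:aws:iam::123456789012:server-certificate/main-site",
     "Expiration": datetime(2024, 1, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)  # constructed reference time

if __name__ == "__main__":
    for cert in find_expiring(parse_iam_metadata(SAMPLE_METADATA), NOW, lead_days=30):
        status = "EXPIRED" if cert.expiration < NOW else "EXPIRING"
        print(f"{status:8} {cert.name:10} {cert.expiration:%Y-%m-%d}  {cert.arn}")
```

Run against real data by replacing `parse_iam_metadata(SAMPLE_METADATA)` with `fetch_from_iam()` and `NOW` with `datetime.now(timezone.utc)`.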
Remediation
- Delete the expired certificates.
- Deleting a certificate can break your application if the expired server certificate is still referenced by Elastic Load Balancing, CloudFront, or another service.
- Update the configuration of each affected service (for example, by switching it to a valid certificate) before deleting, so that application functionality is not interrupted.
note
Please refer to the AWS IAM documentation for details.