SSL/TLS certificates expire in one month
Ensure that SSL/TLS certificates stored in AWS IAM are renewed one month before expiry.
Risk Level: Low
Cloud Entity: IAM Server Certificate
CloudGuard Rule ID: D9.AWS.CRY.09
Category: Security, Identity, & Compliance
GSL LOGIC
IamServerCertificate should not have expiration before(30, 'days')
REMEDIATION
From Portal
- Login to the AWS Management Console.
- Navigate to EC2 dashboard
- Go to Load Balancing and click Load Balancers.
- Select the Elastic Load Balancer for which certificate is expiring in one month.
- Select the Listeners tab and click the Change link in the SSL Certificate column.
- In the Select Certificate dialog box, perform the following actions:
a. If you have already deployed a certificate with AWS Certificate Manager (ACM), select Choose an existing certificate from AWS Certificate Manager (ACM) and choose the new SSL certificate from the Certificate dropdown list.
b. If you have already uploaded an SSL certificate to AWS IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM) and choose the new SSL certificate from the Certificate dropdown list.
c. If you have not yet uploaded an SSL/TLS certificate to AWS IAM, select Upload a new SSL certificate to AWS IAM to deploy the new SSL certificate by entering the required data provided by the SSL certificate provider. - Click Save to apply the new SSL certificate and replace the one that is about to expire.
Note: You can perform the same steps for all load balancer that needs SSL/TLS certificates renewal.
From Command Line
Run below Command to replace the SSL certificates that are about to expire with new certificates uploaded to IAM.
aws iam upload-server-certificate --server-certificate-name EXAMPLE_CERTIFICATE --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem
Run below command to replace the ELB existing SSL certificate with the newly one uploaded to AWS IAM through upload command in previous step.
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name EXAMPLE_NAME --load-balancer-port 443 --ssl-certificate-id EXAMPLE_CERTIFICATE_ID
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
- https://aws.amazon.com/certificate-manager/
IAM Server Certificate
To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use a server certificate provided by AWS Certificate Manager (ACM) or one that you obtained from an external provider. You can use ACM or IAM to store and deploy server certificates.
Compliance Frameworks
- AWS CSA CCM v.3.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard CheckUp
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
Updated over 1 year ago