Ensure that all the expired SSL/TLS certificates are removed from ACM
AWS Certificate Manager (ACM) is the AWS service that lets you provision, manage, and deploy SSL/TLS certificates for use with other AWS services such as Elastic Load Balancing and CloudFront. ACM renews the certificates it issues automatically while they are associated with a service, so a certificate in the EXPIRED state is typically an imported certificate or one that was never put to use. Leaving it in the account serves no purpose and risks it being selected by mistake for a listener or distribution, which would cause TLS handshake failures for clients.
Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.40
Category: Security, Identity, & Compliance
GSL LOGIC
AcmCertificate should not have status = 'EXPIRED'
REMEDIATION
From Portal
- Sign in to the AWS Management Console.
- Navigate to the AWS ACM dashboard at https://console.aws.amazon.com/acm/.
- In the certificate list, select a certificate whose Status is Expired.
- Open the certificate and review its details (domain name, certificate ID and any associated resources). A certificate that is still in use by another AWS service cannot be deleted until it is disassociated from that service.
- Choose Delete, then confirm the action.
- Repeat the previous three steps for every other expired ACM certificate in the selected region.
- ACM certificates are regional: change the AWS region from the navigation bar and repeat the process for each other region in use.
From Command Line
Use the delete-certificate command to delete an expired certificate, replacing ARN with the certificate's ARN (the ARN encodes the region, but the command must be run against that region, for example with --region). The command fails if the certificate is still associated with another AWS service; disassociate it first.
aws acm delete-certificate --certificate-arn ARN
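The console and command-line remediations above are one procedure: list the certificates in each region, pick the ones whose status is EXPIRED, check that nothing still references them, and delete the rest. The script below is an added example, not code from this page or from Check Point, that performs that triage in Python. The sample response is constructed to mirror the shape of the `aws acm list-certificates` output (the ARNs, domain names and dates in it are made up), and the live path assumes boto3 is installed with credentials that allow acm:ListCertificates.

```python
"""Added example: find expired ACM certificates and build the delete commands.

The decision logic is kept separate from the API calls so it can run offline
against the constructed sample below; scan_region() is the live variant.
"""
from datetime import datetime, timezone

# Constructed sample shaped like the `aws acm list-certificates` response.
# Account ID, certificate IDs, domains and dates are invented for the example.
SAMPLE_RESPONSE = {
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111",
            "DomainName": "old.example.com",
            "Status": "EXPIRED",
            "Type": "IMPORTED",
            "InUse": False,
            "NotAfter": datetime(2023, 1, 31, tzinfo=timezone.utc),
        },
        {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/22222222-2222-2222-2222-222222222222",
            "DomainName": "legacy-api.example.com",
            "Status": "EXPIRED",
            "Type": "IMPORTED",
            "InUse": True,  # still attached to a load balancer listener
            "NotAfter": datetime(2023, 6, 30, tzinfo=timezone.utc),
        },
        {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/33333333-3333-3333-3333-333333333333",
            "DomainName": "www.example.com",
            "Status": "ISSUED",
            "Type": "AMAZON_ISSUED",
            "InUse": True,
            "NotAfter": datetime(2030, 1, 1, tzinfo=timezone.utc),
        },
    ]
}


def find_expired(summaries, now=None):
    """Return the summaries that violate the rule (Status == 'EXPIRED').

    A certificate whose NotAfter is already in the past but whose Status has
    not yet flipped is reported too, so a run shortly after expiry is not missed.
    """
    now = now or datetime.now(timezone.utc)
    hits = []
    for cert in summaries:
        expired_by_status = cert.get("Status") == "EXPIRED"
        not_after = cert.get("NotAfter")
        expired_by_date = not_after is not None and not_after < now
        if expired_by_status or expired_by_date:
            hits.append(cert)
    return hits


def delete_commands(expired):
    """Build one `aws acm delete-certificate` line per deletable certificate.

    ACM refuses to delete a certificate another service still references, so
    those ARNs are returned separately for manual disassociation instead.
    Returns (commands, blocked_arns).
    """
    commands, blocked = [], []
    for cert in expired:
        arn = cert["CertificateArn"]
        region = arn.split(":")[3]  # arn:aws:acm:<region>:<account>:certificate/<id>
        if cert.get("InUse"):
            blocked.append(arn)
            continue
        commands.append(
            f"aws acm delete-certificate --region {region} --certificate-arn {arn}"
        )
    return commands, blocked


def scan_region(region):
    """Live variant: page through list-certificates in one region with boto3."""
    import boto3  # imported here so the offline part above needs no SDK

    acm = boto3.client("acm", region_name=region)
    summaries = []
    for page in acm.get_paginator("list_certificates").paginate():
        summaries.extend(page["CertificateSummaryList"])
    return find_expired(summaries)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python3 acm_expired.py us-east-1 eu-west-1
        expired = [c for region in sys.argv[1:] for c in scan_region(region)]
    else:
        expired = find_expired(SAMPLE_RESPONSE["CertificateSummaryList"])
    cmds, blocked = delete_commands(expired)
    print("\n".join(cmds))
    for arn in blocked:
        print(f"# still in use, disassociate before deleting: {arn}")
```

Run it with no arguments to exercise the sample, or pass one or more region names to scan a real account region by region. It prints the delete commands rather than executing them so the ARNs can be reviewed first, and any certificate reported as in use has to be detached from its load balancer or distribution before delete-certificate will succeed.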
References
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html
AWS Certificate Manager
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
Updated over 1 year ago