Ensure IAM server certificate was not uploaded before the Heartbleed security bug fix

Ensure that no SSL/TLS server certificate stored in AWS IAM was uploaded before April 8, 2014, the day after the Heartbleed fix (OpenSSL 1.0.1g, CVE-2014-0160) was released. A certificate uploaded before that date may have been served by a vulnerable OpenSSL build while the bug was exploitable, so its private key may have been exposed and the certificate should be replaced.

Risk Level: Critical
Cloud Entity: IAM Server Certificate
CloudGuard Rule ID: D9.AWS.CRY.58
Category: Security, Identity, & Compliance

GSL LOGIC

IamServerCertificate should not have uploadDate < 1396915200

REMEDIATION

From Command Line
To list all IAM server certificates together with their upload dates, run:

aws iam list-server-certificates

Any certificate whose UploadDate is earlier than April 8, 2014 00:00:00 UTC (Unix timestamp 1396915200) is non-compliant. Because Heartbleed allowed a client to read server memory, including private key material, the fix is to replace the certificate, not merely remove it: generate a new private key, obtain a new certificate for it, upload the new certificate (for example with 'aws iam upload-server-certificate'), and re-point every load balancer or CloudFront distribution that references the old certificate at the new one. Only then delete the old IAM server certificate:

aws iam delete-server-certificate --server-certificate-name CERTIFICATE-NAME
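The following script is an added example, not part of the CloudGuard rule or of the AWS tooling, that applies the GSL condition 'uploadDate < 1396915200' to the JSON that 'aws iam list-server-certificates' prints. It reads that JSON from stdin when piped and otherwise runs on a constructed sample listing (the account ID, certificate names and certificate IDs in it are placeholders). It also handles the two timestamp forms the CLI emits ('Z' in v1, '+00:00' in v2) and treats the threshold as a strict less-than, exactly as the rule does.

```python
"""Flag IAM server certificates uploaded before the Heartbleed fix date.

Reads the JSON produced by `aws iam list-server-certificates` (from stdin when
piped, otherwise the constructed sample below) and reports every certificate
whose UploadDate is earlier than 2014-04-08T00:00:00Z (Unix 1396915200), the
threshold used by the GSL rule.
"""
import json
import sys
from datetime import datetime, timezone

# Threshold used by the rule: 2014-04-08 00:00:00 UTC.
HEARTBLEED_FIX_EPOCH = 1396915200

# Constructed sample in the shape of `aws iam list-server-certificates` output.
# Account ID, names and certificate IDs are placeholders, not real resources.
SAMPLE_LISTING = {
    "ServerCertificateMetadataList": [
        {
            "Path": "/",
            "ServerCertificateName": "legacy-web-cert",
            "ServerCertificateId": "ASCAEXAMPLE000001",
            "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-cert",
            "UploadDate": "2014-02-11T09:15:42Z",        # CLI v1 style, before fix
            "Expiration": "2016-02-11T09:15:42Z",
        },
        {
            "Path": "/",
            "ServerCertificateName": "rotated-web-cert",
            "ServerCertificateId": "ASCAEXAMPLE000002",
            "Arn": "arn:aws:iam::123456789012:server-certificate/rotated-web-cert",
            "UploadDate": "2014-04-09T16:03:00+00:00",   # CLI v2 style, after fix
            "Expiration": "2016-04-09T16:03:00+00:00",
        },
        {
            "Path": "/cloudfront/",
            "ServerCertificateName": "edge-cert",
            "ServerCertificateId": "ASCAEXAMPLE000003",
            "Arn": "arn:aws:iam::123456789012:server-certificate/cloudfront/edge-cert",
            # Exactly at the threshold: not strictly before it, so compliant.
            "UploadDate": "2014-04-08T00:00:00Z",
            "Expiration": "2015-04-08T00:00:00Z",
        },
    ]
}


def parse_aws_timestamp(value):
    """Convert an AWS CLI ISO-8601 timestamp to Unix epoch seconds.

    CLI v1 emits a 'Z' suffix, CLI v2 emits '+00:00'. datetime.fromisoformat on
    older Pythons rejects 'Z', so it is normalised. A timestamp with no offset
    is treated as UTC rather than local time, which is what IAM reports.
    """
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


def find_pre_heartbleed_certs(listing, threshold=HEARTBLEED_FIX_EPOCH):
    """Return (name, upload_epoch) pairs for certificates with UploadDate < threshold.

    Mirrors the GSL rule 'uploadDate < 1396915200': strict less-than, so a
    certificate uploaded exactly at the threshold is not flagged.
    """
    flagged = []
    for cert in listing.get("ServerCertificateMetadataList", []):
        uploaded = parse_aws_timestamp(cert["UploadDate"])
        if uploaded < threshold:
            flagged.append((cert["ServerCertificateName"], uploaded))
    return flagged


def main():
    # Usage: aws iam list-server-certificates | python3 check_heartbleed_certs.py
    listing = SAMPLE_LISTING if sys.stdin.isatty() else json.load(sys.stdin)
    flagged = find_pre_heartbleed_certs(listing)
    for name, uploaded in flagged:
        when = datetime.fromtimestamp(uploaded, tz=timezone.utc).isoformat()
        print(f"NON-COMPLIANT {name}: uploaded {when} (epoch {uploaded})")
    if not flagged:
        print("All IAM server certificates were uploaded on or after 2014-04-08T00:00:00Z")
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit status makes the script usable as a gate in a pipeline; the names it prints are the values to pass to 'aws iam delete-server-certificate' once a replacement certificate is in place.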

References

  1. https://heartbleed.com/
  2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-server-certificates.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-server-certificate.html

IAM Server Certificate

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use a server certificate provided by AWS Certificate Manager (ACM) or one that you obtained from an external provider. You can use ACM or IAM to store and deploy server certificates.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS Default Ruleset