IAM server certificates should not be expired
Description
This control checks whether any active SSL/TLS server certificate stored in IAM has passed its expiration date (the Expiration value that IAM returns for each certificate). The control fails as long as an expired SSL/TLS server certificate remains in the account.

To serve HTTPS from a website or application in AWS you need an SSL/TLS server certificate, and you can store and deploy it with either IAM or AWS Certificate Manager (ACM). Use IAM as the certificate store only when you must support HTTPS connections in an AWS Region that ACM does not support. IAM encrypts your private key and keeps the encrypted copy in IAM SSL certificate storage. IAM can deploy server certificates in all Regions, but you must obtain the certificate from an external provider: an ACM certificate cannot be uploaded to IAM. IAM server certificates also cannot be viewed or managed from the IAM console; you work with them through the AWS CLI or the IAM API.

Removing expired certificates eliminates the risk that one is accidentally bound to a load balancer or CloudFront distribution. Browsers and strict TLS clients reject an expired certificate, so the resource stops serving users and the credibility of the underlying application or website suffers.
Remediation
To remediate this finding, remove every expired SSL/TLS server certificate from IAM, after first moving any resource that still uses it onto a valid certificate.
Steps
- Inventory the IAM server certificates with the AWS CLI (the IAM console does not list them): aws iam list-server-certificates
- Identify expired certificates by comparing each Expiration value with the current date; also note certificates that expire within the next 30 days so they can be renewed before they cause a failure
- Before deleting, confirm that no Classic Load Balancer listener, ALB/NLB listener, or CloudFront distribution still references the certificate's ARN or ID. Deleting a certificate that is still bound can leave the load balancer unable to accept HTTPS traffic
- Update those resources to use a valid certificate first, then delete the expired one: aws iam delete-server-certificate --server-certificate-name NAME
- Consider migrating to AWS Certificate Manager (ACM) wherever the Region supports it, so renewal is handled automatically
- Set up certificate expiration monitoring, for example a scheduled job that runs the listing above and alerts when fewer than 30 days remain
- Document each removal for audit purposes; the DeleteServerCertificate call is recorded in CloudTrail
- Implement automated certificate lifecycle management so that upload, binding, renewal and removal do not depend on manual steps
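The procedure above, as an added example that is not part of the original control text or any AWS tooling: a Python script that classifies IAM server certificates by expiration, checks which load balancers or CloudFront distributions still bind each expired certificate, and emits the delete command only alongside that list. The detection functions work on the response shapes the AWS APIs return, so they run offline against the constructed samples below; live_scan() wires them to boto3. All certificate names, ARNs, IDs and dates in the samples are hypothetical.

```python
"""Expired IAM server certificate sweep (added example, not AWS code)."""
from datetime import datetime, timezone

# Fixed "now" so the offline run is deterministic (hypothetical date).
FIXED_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample shaped like iam list_server_certificates(). boto3 returns
# datetimes for Expiration; the AWS CLI returns ISO-8601 strings, so both appear.
SAMPLE_CERTS = {"ServerCertificateMetadataList": [
    {"ServerCertificateName": "legacy-web-2021", "ServerCertificateId": "ASCAEXAMPLE111111111",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-2021",
     "Expiration": datetime(2022, 1, 10, tzinfo=timezone.utc)},
    {"ServerCertificateName": "old-api", "ServerCertificateId": "ASCAEXAMPLE222222222",
     "Arn": "arn:aws:iam::123456789012:server-certificate/old-api",
     "Expiration": "2023-12-31T23:59:59Z"},
    {"ServerCertificateName": "renew-me", "ServerCertificateId": "ASCAEXAMPLE333333333",
     "Arn": "arn:aws:iam::123456789012:server-certificate/renew-me",
     "Expiration": datetime(2024, 3, 20, tzinfo=timezone.utc)},
    {"ServerCertificateName": "edge-2030", "ServerCertificateId": "ASCAEXAMPLE444444444",
     "Arn": "arn:aws:iam::123456789012:server-certificate/edge-2030",
     "Expiration": datetime(2030, 6, 1, tzinfo=timezone.utc)},
]}

# Constructed samples of the resources that can bind an IAM certificate:
# Classic ELB listeners (SSLCertificateId holds the IAM ARN), ALB/NLB listeners
# (Certificates[].CertificateArn) and CloudFront (ViewerCertificate.IAMCertificateId).
SAMPLE_CLASSIC_ELBS = [{"LoadBalancerName": "legacy-elb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/legacy-web-2021"}}]}]
SAMPLE_ELBV2_LISTENERS = [{
    "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/api/50dc6c495c0c9188/f2f7dc8efc522ab2",
    "Certificates": [{"CertificateArn": "arn:aws:iam::123456789012:server-certificate/edge-2030"}]}]
SAMPLE_DISTRIBUTIONS = [{"Id": "E1EXAMPLE12345",
                         "ViewerCertificate": {"IAMCertificateId": "ASCAEXAMPLE222222222"}}]


def _as_utc(value):
    """Normalise boto3 datetimes and CLI ISO strings to aware UTC datetimes."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def classify_certificates(response, now=None, warn_days=30):
    """Bucket certificate names by Expiration: expired, expiring within warn_days, ok."""
    now = now or datetime.now(timezone.utc)
    buckets = {"expired": [], "expiring": [], "ok": []}
    for meta in response["ServerCertificateMetadataList"]:
        remaining = _as_utc(meta["Expiration"]) - now
        if remaining.total_seconds() <= 0:
            buckets["expired"].append(meta["ServerCertificateName"])
        elif remaining.days < warn_days:
            buckets["expiring"].append(meta["ServerCertificateName"])
        else:
            buckets["ok"].append(meta["ServerCertificateName"])
    return buckets


def referencing_resources(meta, classic_elbs, elbv2_listeners, distributions):
    """Resources that still bind this certificate. Deleting while bound can
    leave the load balancer unable to accept HTTPS traffic."""
    refs = []
    for lb in classic_elbs:
        for ld in lb.get("ListenerDescriptions", []):
            if ld["Listener"].get("SSLCertificateId") == meta["Arn"]:
                refs.append("elb:" + lb["LoadBalancerName"])
    for lis in elbv2_listeners:
        if any(c.get("CertificateArn") == meta["Arn"] for c in lis.get("Certificates", [])):
            refs.append("elbv2:" + lis["ListenerArn"])
    for dist in distributions:
        if dist.get("ViewerCertificate", {}).get("IAMCertificateId") == meta["ServerCertificateId"]:
            refs.append("cloudfront:" + dist["Id"])
    return refs


def removal_plan(response, classic_elbs, elbv2_listeners, distributions, now=None):
    """For each expired certificate, list what still references it and the
    delete command to run once those references have been repointed."""
    expired = set(classify_certificates(response, now)["expired"])
    plan = []
    for meta in response["ServerCertificateMetadataList"]:
        if meta["ServerCertificateName"] not in expired:
            continue
        plan.append({
            "name": meta["ServerCertificateName"],
            "referenced_by": referencing_resources(meta, classic_elbs, elbv2_listeners, distributions),
            "delete": "aws iam delete-server-certificate --server-certificate-name "
                      + meta["ServerCertificateName"],
        })
    return plan


def live_scan(region="us-east-1"):
    """Build the plan from the real account. boto3 is imported lazily so the
    offline functions above need no AWS SDK; pagination is omitted for brevity."""
    import boto3
    iam, elb, elbv2, cf = (boto3.client(s, region_name=region) for s in ("iam", "elb", "elbv2", "cloudfront"))
    listeners = []
    for lb in elbv2.describe_load_balancers()["LoadBalancers"]:
        listeners += elbv2.describe_listeners(LoadBalancerArn=lb["LoadBalancerArn"])["Listeners"]
    return removal_plan(iam.list_server_certificates(),
                        elb.describe_load_balancers()["LoadBalancerDescriptions"],
                        listeners,
                        cf.list_distributions()["DistributionList"].get("Items", []))


if __name__ == "__main__":
    for item in removal_plan(SAMPLE_CERTS, SAMPLE_CLASSIC_ELBS, SAMPLE_ELBV2_LISTENERS,
                             SAMPLE_DISTRIBUTIONS, now=FIXED_NOW):
        print(item)
```

The script deliberately prints the delete command instead of executing it: an expired certificate that is still attached to a listener must be replaced on that listener first, and the referenced_by list tells the operator exactly where. Run live_scan() with credentials that hold iam:ListServerCertificates, elasticloadbalancing:Describe* and cloudfront:ListDistributions; the same classify_certificates() function doubles as the expiration monitor when run on a schedule and alerted on its expiring bucket.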