Ensure that your SSL/TLS certificates stored in AWS IAM are renewed 7 (seven) days before their validity period ends.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When SSL/TLS certificates are not renewed prior to their expiration date, these become invalid and the communication between the client and the AWS resource that implements the certificates (e.g. AWS ELB) is no longer secure.
Note: This guide is using the Elastic Load Balancer (ELB) as the AWS resource that implements server certificates managed by IAM and is assuming that the ELBs verified are using valid SSL/TLS certificates for their HTTPS/SSL front-end listeners.
To determine if the SSL/TLS certificates currently stored in IAM are about to expire in 7 days, you need to perform the following:Note: Getting the certificates expiration information via AWS Management Console is not currently supported. To request information about the SSL/TLS certificates stored in AWS IAM use the Command Line Interface (CLI).
Remediation / Resolution
To renew (replace) the SSL/TLS certificates currently deployed on your Elastic Load Balancers, perform the following:
- AWS Documentation
- AWS Identity and Access Management FAQs
- Working with Server Certificates
- Managing Your Server Certificates
- Replace the SSL Certificate for Your Load Balancer
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
SSL/TLS Certificate Expiry 7 Days
Risk level: High