ACM should not have certificates that are expired or expiring in the next 30 days

Provider: AWS
Service: ACM
Severity: High

Description

Expired certificates can break applications and reduce customer trust. Furthermore, manually accepting expired certificates as valid can mask other security risks which can lead to phishing, MITM and other identity spoofing attacks.
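As an added example (not this check's own source), the following implements the condition the control flags: a certificate is reported when its NotAfter is in the past or within 30 days. The sample records are constructed to mirror the shape of ACM's DescribeCertificate response; the ARNs and domains are placeholders, and the boto3 collector assumes boto3 is installed and credentials are configured.

```python
# Added example (not the check's own source): flags ACM certificates that are
# expired or expire within the control's 30-day window. Sample records below
# are constructed to mirror ACM's DescribeCertificate "Certificate" dict.
from datetime import datetime, timedelta, timezone

EXPIRY_THRESHOLD_DAYS = 30
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"  # placeholder account

SAMPLE_CERTS = [  # constructed; ARNs and domains are placeholders
    {"CertificateArn": ARN + "c-1", "DomainName": "expired.example.com",
     "Status": "EXPIRED", "NotAfter": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"CertificateArn": ARN + "c-2", "DomainName": "soon.example.com",
     "Status": "ISSUED", "NotAfter": datetime(2024, 2, 10, tzinfo=timezone.utc)},
    {"CertificateArn": ARN + "c-3", "DomainName": "fine.example.com",
     "Status": "ISSUED", "NotAfter": datetime(2024, 12, 31, tzinfo=timezone.utc)},
    {"CertificateArn": ARN + "c-4", "DomainName": "pending.example.com",
     "Status": "PENDING_VALIDATION"},  # not yet issued: ACM returns no NotAfter
]

def classify(cert, now, threshold_days=EXPIRY_THRESHOLD_DAYS):
    """Return "EXPIRED", "EXPIRING" or "OK" for one certificate record."""
    not_after = cert.get("NotAfter")
    if not_after is None:
        return "OK"  # nothing issued yet, so nothing can expire
    if not_after <= now:
        return "EXPIRED"
    if not_after - now <= timedelta(days=threshold_days):
        return "EXPIRING"  # inside the window, boundary day included
    return "OK"

def find_findings(certs, now=None, threshold_days=EXPIRY_THRESHOLD_DAYS):
    """Return one finding per failing certificate, with days until expiry."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in certs:
        verdict = classify(cert, now, threshold_days)
        if verdict != "OK":
            findings.append({"arn": cert["CertificateArn"], "verdict": verdict,
                             "domain": cert["DomainName"],
                             "days_left": (cert["NotAfter"] - now).days})
    return findings

def list_acm_certificates(region_name):
    """Fetch live records with boto3 (assumed installed and configured)."""
    import boto3  # imported here so the offline sample needs no AWS access
    acm = boto3.client("acm", region_name=region_name)
    pages = acm.get_paginator("list_certificates").paginate()
    return [acm.describe_certificate(CertificateArn=s["CertificateArn"])["Certificate"]
            for page in pages for s in page["CertificateSummaryList"]]
```

Running `find_findings(list_acm_certificates("us-east-1"))` against a real account reproduces the check for that region; negative `days_left` values mark certificates that have already expired.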

Suggested Action

Renew existing certificate or provision a new certificate.

Remediation Steps

  1. Note: There are two options to deal with certificate expiration. Option 1: delete the existing certificate and request a new one. Option 2: re-import the certificate to renew an already imported certificate (this applies when the certificate was imported from another account or from a third party).

  2. Go to the AWS Certificate Manager page.
  3. Option 1:
    1. Select Request a Certificate.
    2. On Request public certificate, enter Domain names and Validation Method.
    3. Click Request.
  4. Option 2: Re-import & Manage Expiry Events
    1. Select the certificate to be re-imported.
    2. Select Import Certificate.
    3. Click Import.
    4. Select Manage Expiry Events.
    5. Enter a value greater than 30.
    6. Select Save.

Compliance Controls

Framework | Control # | Control description
PCI DSS | 4.1 | Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted. • The protocol in use only supports secure versions or configurations. • The encryption strength is appropriate for the encryption methodology in use. Examples of open, public networks include but are not limited to: • The Internet • Wireless technologies, including 802.11 and Bluetooth • Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA) • General Packet Radio Service (GPRS) • Satellite communications
US HIPAA | 164308.a.7.ii.b | Establish (and implement as needed) procedures to restore any loss of data.
ISO IEC 27001 | A.12.5.1 | Procedures shall be implemented to control the installation of software on operational systems.
AICPA SOC 2 | cc6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives.
NIST SP 800-53 | SC-23(5) | Only allow the use of [Assignment: organization-defined certificate authorities] for verification of the establishment of protected sessions.
NIST SP 800-53 | IA-5(14) | For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.
NIST SP 800-53 | CM-14 | Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
EU GDPR | Article-32 | 1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
CSA CCM | TVM-04 | Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly, or more frequent basis.
ISO IEC 27001 | A.12.6.2 | Rules governing the installation of software by users shall be established and implemented.
PCI DSS | 4.2.1 | Strong cryptography and security protocols are implemented as follows to safeguard PAN during transmission over open, public networks: Only trusted keys and certificates are accepted. Certificates used to safeguard PAN during transmission over open, public networks are confirmed as valid and are not expired or revoked. This bullet is a best practice until its effective date; refer to applicability notes below for details. The protocol in use supports only secure versions or configurations and does not support fallback to, or use of insecure versions, algorithms, key sizes, or implementations. The encryption strength is appropriate for the encryption methodology in use.
CSA CCM | TVM-02 | Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and identified weaknesses especially if customer (tenant) data is used as part the service and/or customer (tenant) has some shared responsibility over implementation of control.
NIST SP 800-53 | SC-17 | a. Issue public key certificates under an [Assignment: organization-defined certificate policy] or obtain public key certificates from an approved service provider; and b. Include only approved trust anchors in trust stores or certificate stores managed by the organization.
CSA CCM | TVM-01 | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

References

Check out this link for more information about renewing Amazon-issued certificates.