Expired SSL/TLS certificates should be removed from AWS IAM


Description

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use AWS Certificate Manager (ACM) or IAM to store and deploy these certificates. Use IAM as a certificate store only when HTTPS connections are needed in regions that ACM does not support. IAM encrypts and stores the private keys in its SSL certificate storage and supports server certificates in all regions. Note that when using IAM, the certificate itself must be obtained from an external provider, and ACM-issued certificates cannot be uploaded to IAM. It is also important to note that expired certificates stored in IAM are not deleted automatically.

Rationale

Removing expired SSL/TLS certificates is crucial to avoid accidentally deploying an invalid certificate to resources such as an AWS Elastic Load Balancer (ELB), which would harm the application's credibility with its users. As a best practice, delete expired certificates as soon as they are identified.

Remediation

For instructions on deleting expired SSL/TLS certificates stored in IAM, refer to AWS CLI Command to Delete Server Certificates.
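The linked AWS documentation gives the procedure; the following Python is an added illustration, not code from this page or from AWS, of how a practitioner can review an account for expired IAM server certificates before acting. It parses the JSON that `aws iam list-server-certificates --output json` returns (the `ServerCertificateMetadataList`, `ServerCertificateName` and `Expiration` fields are the real field names), selects certificates whose `Expiration` is already in the past, and emits the matching `aws iam delete-server-certificate` commands for review instead of running them. The sample list output, the account ID `123456789012` and the certificate names are constructed placeholders.

```python
"""Identify expired IAM server certificates from `aws iam list-server-certificates` output."""
import json
import sys
from datetime import datetime, timezone

# Constructed sample mirroring the JSON shape of
# `aws iam list-server-certificates --output json`. Not real account data.
SAMPLE_LIST_OUTPUT = json.dumps({
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateName": "legacy-web-2022",
            "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-2022",
            "Expiration": "2023-01-15T00:00:00+00:00",
        },
        {
            "ServerCertificateName": "api-edge-current",
            "Arn": "arn:aws:iam::123456789012:server-certificate/api-edge-current",
            "Expiration": "2099-12-31T23:59:59+00:00",
        },
        {
            "ServerCertificateName": "old-portal",
            "Arn": "arn:aws:iam::123456789012:server-certificate/old-portal",
            "Expiration": "2020-06-30T12:00:00Z",
        },
    ]
})


def parse_expiration(value):
    """Parse the ISO 8601 timestamp the CLI emits into an aware UTC datetime."""
    # Older Pythons' fromisoformat does not accept a trailing 'Z'; normalise it.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    expiry = datetime.fromisoformat(value)
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=timezone.utc)
    return expiry


def find_expired(list_output_json, now=None):
    """Return the names of certificates whose Expiration is before `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    data = json.loads(list_output_json)
    expired = []
    for meta in data.get("ServerCertificateMetadataList", []):
        if parse_expiration(meta["Expiration"]) < now:
            expired.append(meta["ServerCertificateName"])
    return expired


def delete_commands(names):
    """Build the remediation commands for review; nothing here executes them."""
    return [
        "aws iam delete-server-certificate --server-certificate-name " + name
        for name in names
    ]


if __name__ == "__main__":
    # Pipe real CLI output in, or fall back to the constructed sample when run interactively.
    raw = SAMPLE_LIST_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for command in delete_commands(find_expired(raw)):
        print(command)
```

Run it as `aws iam list-server-certificates --output json | python3 expired_iam_certs.py` and review the printed commands before executing any of them; confirm that no load balancer listener still references a certificate you are about to delete, since IAM does not check that for you.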