Expired SSL/TLS certificates should be removed from AWS IAM

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use AWS Certificate Manager (ACM) or IAM to store and deploy these certificates. Use IAM as a certificate manager only when HTTPS connections are needed in regions not supported by ACM. IAM securely encrypts and stores private keys in its SSL certificate storage, supporting server certificates across all regions. Note that obtaining a certificate must be done through an external provider when using IAM, and ACM certificates cannot be uploaded to IAM. It is also important to note that expired certificates are not deleted automatically by default.

Rationale

Removing expired SSL/TLS certificates is crucial to avoid accidental deployment of invalid certificates to resources like AWS Elastic Load Balancer (ELB), which can harm the application’s credibility. As a best practice, you should delete expired certificates.

Remediation

For instructions on deleting expired SSL/TLS certificates stored in IAM, refer to AWS CLI Command to Delete Server Certificates.