Expired SSL/TLS certificates should be removed from AWS IAM
Description
To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use AWS Certificate Manager (ACM) or IAM to store and deploy these certificates. Use IAM as a certificate manager only when HTTPS connections are needed in regions not supported by ACM. IAM securely encrypts and stores private keys in its SSL certificate storage, supporting server certificates across all regions. Note that obtaining a certificate must be done through an external provider when using IAM, and ACM certificates cannot be uploaded to IAM. It is also important to note that expired certificates are not deleted automatically by default.
Rationale
Removing expired SSL/TLS certificates is crucial to avoid accidental deployment of invalid certificates to resources like AWS Elastic Load Balancer (ELB), which can harm the application’s credibility. As a best practice, you should delete expired certificates.
For instructions on deleting expired SSL/TLS certificates stored in IAM, refer to AWS CLI Command to Delete Server Certificates.
