
lacework-global-92

Ensure no server certificate has been uploaded before Heartbleed vulnerability

Description

We recommend that none of the SSL server certificates used in an AWS IAM account have the Heartbleed vulnerability. The Heartbleed vulnerability exists in SSL certificates issued before April 7, 2014.

Remediation

Use the AWS CLI to locate AWS IAM server certificates uploaded before April 7, 2014.

  1. Find IAM server certificates in AWS account.

    aws iam list-server-certificates

    {
        "ServerCertificateMetadataList": [
            {
                "Path": "/",
                "ServerCertificateName": "myCert",
                "ServerCertificateId": "A2B3D235A34",
                "Arn": "arn:aws:iam::683948394830:server-certificate/myCert",
                "UploadDate": "2014-03-16T18:57:21Z",
                "Expiration": "2020-12-15T18:54:25Z"
            }
        ]
    }

  2. For each certificate listed, verify that the upload date is April 7, 2014 or later. Replace any certificates uploaded before April 7, 2014.
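
The check in step 2 can be scripted. This is an added example, not part of the original page: it reads the JSON from step 1 and lists the certificates uploaded before April 7, 2014. The sample data, the function names, and the midnight-UTC cutoff are assumptions.

```python
import json
import sys
from datetime import datetime, timezone

# Cutoff date from the page; midnight UTC is an assumption (the page gives only a date).
CUTOFF = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample in the shape of `aws iam list-server-certificates` output.
SAMPLE = {
    "ServerCertificateMetadataList": [
        {"ServerCertificateName": "myCert", "UploadDate": "2014-03-16T18:57:21Z"},
        {"ServerCertificateName": "boundaryCert", "UploadDate": "2014-04-07T00:00:00+00:00"},
        {"ServerCertificateName": "newCert", "UploadDate": "2019-06-01T09:30:00+00:00"},
        {"ServerCertificateName": "noDate"},
    ]
}


def parse_upload_date(value):
    """Parse an ISO 8601 timestamp ('Z' or numeric offset) into aware UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:  # treat a timestamp without an offset as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def certs_to_replace(listing):
    """Return (name, reason) pairs for certificates that fail the upload-date check."""
    findings = []
    for cert in listing.get("ServerCertificateMetadataList", []):
        name = cert.get("ServerCertificateName", "<unnamed>")
        raw = cert.get("UploadDate")
        if raw is None:
            findings.append((name, "no UploadDate; check manually"))
        elif parse_upload_date(raw) < CUTOFF:
            findings.append((name, "uploaded " + raw))
    return findings


if __name__ == "__main__":
    # Usage: aws iam list-server-certificates --output json | python3 check_certs.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, reason in certs_to_replace(data):
        print(f"REPLACE {name}: {reason}")
```

A certificate uploaded exactly on April 7, 2014 passes the check, matching the "April 7, 2014 or later" wording in step 2.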