AWS
Google CloudOverview
SSL/TLS server certificate is required to enable HTTPS connections to your website or application.
AWS
In AWS, you can store SSL certificates in the AWS Certificate Manager and IAM. It is recommended to use AWS ACM for certificate management in regions that support AWS ACM, and IAM in the regions that are not supported. ACM is the preferred service.
Google Cloud
Google Cloud offers two methods to configure SSL certificates for HTTP(S) and SSL proxy load balancers. Both methods support self-managed and Google-managed SSL certificates: Compute Engine SSL certificate resource and Certificate Manager.
Remediation guidance
AWS
ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notifications when expiration is approaching.
To renew your certificate SSL certificate manually:
- Navigate to the EC2 Console
- Under
Load Balancing, selectLoad Balancers - Select the load balancer you want to renew the certificate for and, on the
Listenerstab, chooseManage listeners - On the
Manage listenerspage, locate the listener to be updated, chooseEditunderDefault SSL certand select it from ACM or IAM.
Google Cloud
Google-managed SSL certificates are renewed automatically, but you have to manually review any self-managed SSL certificates. To renew a self-managed SSL certificate, upload your new certificate and update the target proxy so that its list of SSL certificates includes the new SSL certificate in the first position to make it the primary certificate. After the new certificate, include any existing SSL certificates that you want to retain. If you have only one certificate, you need to firstly configure a new SSL certificate.
References
-
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html
-
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html
-
https://cloud.google.com/load-balancing/docs/ssl-certificates#config-tech
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
AWS
Use AWS Organizations guardrails, AWS Config rules or conformance packs where they fit, approved account baselines, and IaC modules so new resources inherit the secure setting.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
SSL Certificates Expire in 14 Days
Connectors
Covered asset types
Expected check: eq []
{
ExpiringSSLCertificates(days: 14) {
...AssetFragment
}
}
