MEDIUM IAM · CIS 1.19

Expired SSL/TLS certificates

Check ID: aws-iam-013

AWS-IAM-013 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks for expired SSL/TLS certificates stored in IAM. Expired certificates should be removed to avoid accidental use and potential service disruptions.

Why it matters

Expired SSL/TLS certificates in IAM can cause service outages if they are still referenced by load balancers, CloudFront distributions, or API Gateway endpoints. When a certificate expires, clients receive security warnings or connection failures, which erodes user trust and can trigger compliance violations. More critically, expired certificates in IAM indicate poor certificate lifecycle management, which often correlates with weak key management practices across the organization. IAM-stored certificates are a legacy pattern (ACM is now the recommended approach), so their presence often indicates technical debt from years-old deployments that are not actively maintained. Removing expired certificates also reduces the risk of an administrator accidentally assigning an expired certificate to a new resource.

Common causes

IAM certificates were the only option before AWS Certificate Manager (ACM) launched in 2016, so legacy deployments still have certificates in IAM. Certificate renewal reminders are easy to miss when managed manually outside of ACM's auto-renewal. Teams that migrated to ACM for active certificates may forget to clean up the expired IAM certificates that are no longer in use.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
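The check boils down to comparing each IAM server certificate's Expiration against the current time, and the "still referenced by a load balancer" risk above means a finding is only safe to act on once you know nothing uses the certificate. The following added example (not cloud-audit's own code) does both: it flags expired certificates and cross-references them against Classic ELB HTTPS listeners, using constructed sample data shaped like the boto3 responses, plus a helper that fetches the real inputs with boto3 (assumes default credentials).

```python
from datetime import datetime, timezone

SAMPLE_CERTS = [  # constructed; shaped like ServerCertificateMetadataList entries
    {"ServerCertificateName": "legacy-web-2019",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-2019",
     "Expiration": datetime(2020, 3, 1, tzinfo=timezone.utc)},
    {"ServerCertificateName": "old-api",
     "Arn": "arn:aws:iam::123456789012:server-certificate/old-api",
     "Expiration": datetime(2021, 6, 30, tzinfo=timezone.utc)},
    {"ServerCertificateName": "current-web",
     "Arn": "arn:aws:iam::123456789012:server-certificate/current-web",
     "Expiration": datetime(2030, 1, 1, tzinfo=timezone.utc)},
]
# Constructed: Classic ELB name -> certificate ARNs its HTTPS listeners reference.
SAMPLE_ELB_CERT_ARNS = {
    "web-prod-clb": ["arn:aws:iam::123456789012:server-certificate/legacy-web-2019"],
}


def find_expired(certs, elb_cert_arns, now=None):
    """Return a finding per expired IAM certificate, noting any ELB still using it."""
    now = now or datetime.now(timezone.utc)
    referenced_by = {}
    for lb, arns in elb_cert_arns.items():
        for arn in arns:
            referenced_by.setdefault(arn, []).append(lb)
    findings = []
    for cert in certs:
        if cert["Expiration"] >= now:  # boto3 returns tz-aware datetimes here
            continue
        users = referenced_by.get(cert["Arn"], [])
        findings.append({
            "name": cert["ServerCertificateName"],
            "expired_days": (now - cert["Expiration"]).days,
            "referenced_by": users,
            # Deleting a cert a listener still references breaks TLS on that LB.
            "action": "replace with ACM cert before deleting" if users else "delete",
        })
    return findings


def live_inputs():
    """Fetch the same two inputs from a real account with boto3 (default credentials)."""
    import boto3  # imported lazily so the constructed sample runs without AWS access
    iam, elb = boto3.client("iam"), boto3.client("elb")
    certs = [c for page in iam.get_paginator("list_server_certificates").paginate()
             for c in page["ServerCertificateMetadataList"]]
    elb_arns = {lb["LoadBalancerName"]: [ld["Listener"]["SSLCertificateId"]
                for ld in lb["ListenerDescriptions"] if ld["Listener"].get("SSLCertificateId")]
                for page in elb.get_paginator("describe_load_balancers").paginate()
                for lb in page["LoadBalancerDescriptions"]}
    return certs, elb_arns
```

Certificates can also be attached to CloudFront distributions and API Gateway domains, so extend the reference map with those services before treating an unreferenced result as safe to delete.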

Remediation: AWS CLI

aws iam delete-server-certificate --server-certificate-name CERT_NAME

Remediation: Terraform

# Use ACM instead of IAM certificates:
resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

Compliance mapping

This check maps to CIS 1.19 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.

This check is part of cloud-audit - install with pip install cloud-audit