IAM Server Certificate Is Not Expired
Overview
This check identifies expired TLS/SSL server certificates stored in AWS IAM. Server certificates are used by services like Elastic Load Balancing and CloudFront to establish secure HTTPS connections. Keeping expired certificates in your account creates security and operational risks.
Risk
Expired server certificates can cause serious problems:
- Service outages: Systems may automatically select an expired certificate, causing HTTPS connections to fail
- Browser warnings: Users will see security warnings that erode trust in your application
- Security bypass: Users trained to click through warnings may ignore legitimate security alerts
- Poor hygiene: Stale certificates clutter your account and make certificate management harder
This is a high-severity finding because expired certificates can directly cause availability issues and weaken your security posture.
Remediation Steps
Prerequisites
- AWS account access with IAM permissions to manage server certificates
- Know which certificate(s) are expired (Prowler output will show this)
AWS Console Method
Unfortunately, AWS does not support deleting server certificates through the AWS Console. You must use the AWS CLI or an infrastructure-as-code tool.
Before deleting, ensure the certificate is not actively in use by Elastic Load Balancing, CloudFront, or other services.
AWS CLI (required for this remediation)
Step 1: List all server certificates to confirm which are expired
aws iam list-server-certificates --region us-east-1
This returns a list showing each certificate's name and expiration date:
{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateName": "my-old-cert",
            "Expiration": "2023-06-15T00:00:00Z"
        }
    ]
}
Step 2: Verify the certificate is not in use
Before deleting, check that no load balancers or CloudFront distributions are using this certificate. If a certificate is still attached to a resource, remove it from that resource first.
Step 3: Delete the expired certificate
aws iam delete-server-certificate \
--server-certificate-name <your-certificate-name> \
--region us-east-1
Replace <your-certificate-name> with the actual certificate name from Step 1.
Warning: If you delete a certificate that is still attached to an Elastic Load Balancer, the load balancer will stop accepting HTTPS traffic. Always verify the certificate is unused first.
The command produces no output on success.
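As an added example (not part of the Prowler remediation page), the triage logic behind Steps 1 to 3 in Python: it reads list-server-certificates output, keeps only certificates whose Expiration has passed, and cross-checks each one against the certificate references that load balancers and CloudFront still hold before emitting a delete command. The sample output, account id, certificate ids and consumer names are constructed placeholders; in a real run IN_USE would be populated from describe-load-balancers, describe-listeners and get-distribution-config.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `aws iam list-server-certificates` output
# (account id and certificate ids are placeholders).
LIST_OUTPUT = """{"ServerCertificateMetadataList": [
  {"ServerCertificateName": "my-old-cert", "ServerCertificateId": "ASCAEXAMPLE000001",
   "Arn": "arn:aws:iam::123456789012:server-certificate/my-old-cert",
   "Expiration": "2023-06-15T00:00:00Z"},
  {"ServerCertificateName": "legacy-cf-cert", "ServerCertificateId": "ASCAEXAMPLE000002",
   "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-cf-cert",
   "Expiration": "2023-01-01T00:00:00Z"},
  {"ServerCertificateName": "current-cert", "ServerCertificateId": "ASCAEXAMPLE000003",
   "Arn": "arn:aws:iam::123456789012:server-certificate/current-cert",
   "Expiration": "2030-01-01T00:00:00Z"}
]}"""

# Constructed map of references still held by consumers. Classic ELB listeners
# hold the IAM ARN (Listener.SSLCertificateId), ALB listeners hold
# Certificates[].CertificateArn, CloudFront holds the certificate *id*
# (ViewerCertificate.IAMCertificateId), so both keys must be checked.
IN_USE = {
    "arn:aws:iam::123456789012:server-certificate/current-cert": "elb/web-classic",
    "ASCAEXAMPLE000002": "cloudfront/EDFDVBD6EXAMPLE",
}

def parse_expiration(ts):
    """Parse the Expiration timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(list_json, in_use, now=None):
    """Return (safe_to_delete names, [(name, consumer)] still attached) for expired certs."""
    now = now or datetime.now(timezone.utc)
    safe, blocked = [], []
    for meta in json.loads(list_json)["ServerCertificateMetadataList"]:
        if parse_expiration(meta["Expiration"]) >= now:
            continue  # still valid, not this check's concern
        consumer = in_use.get(meta["Arn"]) or in_use.get(meta["ServerCertificateId"])
        if consumer:
            blocked.append((meta["ServerCertificateName"], consumer))
        else:
            safe.append(meta["ServerCertificateName"])
    return safe, blocked

if __name__ == "__main__":
    safe, blocked = triage(LIST_OUTPUT, IN_USE, parse_expiration("2024-01-01T00:00:00Z"))
    for name in safe:
        print(f"aws iam delete-server-certificate --server-certificate-name {name}")
    for name, consumer in blocked:
        print(f"# {name} is expired but still attached to {consumer}; detach it first")
```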
CloudFormation (optional)
CloudFormation does not have a direct resource for managing IAM server certificates. To prevent this issue going forward, consider migrating to AWS Certificate Manager (ACM), which provides automatic renewal.
If you previously uploaded certificates via CloudFormation using AWS::IAM::ServerCertificate, simply remove that resource from your template and update the stack.
Best Practice: Use AWS::CertificateManager::Certificate instead:
AWSTemplateFormatVersion: '2010-09-09'
Description: Use ACM for automatic certificate renewal
Resources:
  MyCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: example.com
      ValidationMethod: DNS
      Tags:
        - Key: Environment
          Value: Production
ACM certificates automatically renew before expiration, eliminating this check failure entirely.
Terraform (optional)
To delete an expired IAM server certificate managed by Terraform, remove the aws_iam_server_certificate resource from your configuration and run terraform apply.
Migrating to ACM (Recommended)
Replace IAM server certificates with ACM for automatic renewal:
resource "aws_acm_certificate" "main" {
  domain_name       = "example.com"
  validation_method = "DNS"

  tags = {
    Environment = "Production"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# DNS validation record (if using Route 53)
resource "aws_route53_record" "cert_validation" {
  for_each = {
    for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = var.route53_zone_id
}

resource "aws_acm_certificate_validation" "main" {
  certificate_arn         = aws_acm_certificate.main.arn
  validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
}
Verification
After deleting the expired certificate, confirm it no longer appears:
- Run Prowler again to verify the check passes
- Or list certificates via CLI to confirm removal:
aws iam list-server-certificates --region us-east-1
The deleted certificate should no longer appear in the output.
Additional Resources
- AWS IAM Server Certificates Documentation
- AWS Certificate Manager (ACM) - Recommended alternative with automatic renewal
- Migrating from IAM Certificates to ACM
Notes
- Prefer ACM over IAM certificates: AWS Certificate Manager provides automatic renewal, eliminating expiration issues. Consider migrating existing IAM certificates to ACM.
- Certificate lifecycle management: Implement monitoring and alerting for certificate expiration dates to catch issues before they cause outages.
- Check dependencies first: Always verify a certificate is not in use before deleting. Deleting an active certificate will cause immediate service disruption.
- IAM certificates are global: Unlike most AWS resources, IAM server certificates are global and not region-specific.