This check lists the server certificates stored in AWS IAM and compares each certificate's expiration date (the X.509 NotAfter field, returned as Expiration by iam:ListServerCertificates) with the current UTC time. Any certificate whose expiration date is already in the past is flagged as expired.
Risk
An expired certificate that is still served by a load balancer or CloudFront distribution fails TLS validation: clients get browser warnings or hard handshake failures, which costs availability and erodes user trust.
Users who are trained to click through such warnings become easier to phish or to intercept with a forged certificate, weakening confidentiality and integrity. Stale certificates also clutter the inventory, complicate rotation, and can be selected by mistake in automation or infrastructure-as-code templates, causing outages.
prowler aws --checks iam_no_expired_server_certificates_stored
Recommendation
Remove expired certificates from IAM and make sure every endpoint serves a current certificate from a trusted CA.
Prefer AWS Certificate Manager for issuance and automatic renewal. Keep an inventory of the certificates that remain in IAM, tag them with owner and purpose, alert well before expiry, apply least privilege to the IAM actions that upload or delete certificates, and standardize the rotation procedure.
Remediation
aws iam delete-server-certificate --server-certificate-name <CERTIFICATE_NAME>
- Deleting IAM server certificates is not supported in the AWS Management Console; use the CLI or API.
- List the stored certificates and their expiration dates first: aws iam list-server-certificates
- Before deleting, confirm the certificate is no longer referenced by any load balancer or CloudFront distribution. AWS warns that Elastic Load Balancing may keep using a certificate after it is deleted from IAM and then stop accepting traffic, so detach or replace it on the endpoint first.
- Then remove the expired certificate with the delete-server-certificate command shown above.
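The following script is an added example, not Prowler's own check code. It reproduces the evaluation described above (a certificate is expired when its Expiration is earlier than the current time) as a pure function over the ServerCertificateMetadataList shape returned by iam:ListServerCertificates, and wraps the remediation step so that it runs as a dry run unless explicitly told to delete. The sample certificate records are constructed for illustration; the account ID and certificate names are invented. The remediate() function assumes boto3 and valid AWS credentials and is not exercised offline.

```python
"""Find, and optionally delete, expired IAM server certificates.

Added example illustrating the Prowler check
iam_no_expired_server_certificates_stored; not the project's own code.
"""
from datetime import datetime, timezone


def _as_utc(value):
    """Accept an ISO-8601 string (as in CLI JSON output) or a datetime
    (as boto3 returns) and normalise it to a timezone-aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def expired_server_certificates(metadata_list, now=None):
    """Return the names of certificates whose Expiration is before `now`.

    `metadata_list` has the shape of ServerCertificateMetadataList from
    iam:ListServerCertificates. `now` defaults to the current UTC time and
    may be given as a string or datetime, which makes the logic testable.
    """
    now = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    return [
        cert["ServerCertificateName"]
        for cert in metadata_list
        if _as_utc(cert["Expiration"]) < now
    ]


# Constructed sample in the API's shape; the account ID and names are invented.
SAMPLE_METADATA = [
    {
        "ServerCertificateName": "legacy-web-2021",
        "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web-2021",
        "Expiration": "2022-03-01T00:00:00Z",          # string, as in CLI JSON
    },
    {
        "ServerCertificateName": "api-current",
        "Arn": "arn:aws:iam::123456789012:server-certificate/api-current",
        "Expiration": "2099-01-01T00:00:00Z",
    },
    {
        "ServerCertificateName": "staging-old",
        "Arn": "arn:aws:iam::123456789012:server-certificate/staging-old",
        "Expiration": datetime(2023, 6, 30, tzinfo=timezone.utc),  # datetime, as boto3 returns
    },
]


def remediate(profile_name=None, dry_run=True):
    """List the account's server certificates with boto3 and delete the
    expired ones. Dry run by default: nothing is deleted unless dry_run=False.
    Assumes boto3 is installed and credentials are configured (hypothetical use)."""
    import boto3  # imported here so the check logic above has no AWS dependency

    iam = boto3.Session(profile_name=profile_name).client("iam")
    certs = []
    for page in iam.get_paginator("list_server_certificates").paginate():
        certs.extend(page["ServerCertificateMetadataList"])
    expired = expired_server_certificates(certs)
    for name in expired:
        if dry_run:
            print(f"[dry-run] would delete expired certificate {name}")
        else:
            # Make sure no ELB/CloudFront still references the certificate
            # before reaching this branch; see the remediation notes above.
            iam.delete_server_certificate(ServerCertificateName=name)
            print(f"deleted expired certificate {name}")
    return expired


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(expired_server_certificates(SAMPLE_METADATA))
```

Run the script as-is to see the check applied to the constructed sample; call remediate() for a dry run against a real account, and remediate(dry_run=False) only after the expired certificates have been detached from every endpoint that referenced them.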
Resource Type
AwsCertificateManagerCertificate