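package iam

import (
	"time"

	"github.com/khulnasoft-lab/defsec/pkg/framework"

	"github.com/khulnasoft-lab/defsec/pkg/severity"

	"github.com/khulnasoft-lab/defsec/pkg/state"

	"github.com/khulnasoft-lab/defsec/pkg/scan"

	"github.com/khulnasoft-lab/defsec/internal/rules"

	"github.com/khulnasoft-lab/defsec/pkg/providers"
)

// CheckRemoveExpiredCertificates reports every IAM server certificate whose
// expiration time is already in the past (mapped here to CIS AWS 1.4 control
// 1.19). An expired certificate that is still stored in IAM can be attached to
// a resource such as an ELB by mistake, so each one is recorded as a failed
// result; every certificate that has not yet expired is recorded as passed.
var CheckRemoveExpiredCertificates = rules.Register(
	scan.Rule{
		AVDID:    "AVD-AWS-0168",
		Provider: providers.AWSProvider,
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"1.19"},
		},
		Service:    "iam",
		ShortCode:  "remove-expired-certificates",
		Summary:    "Delete expired TLS certificates",
		Impact:     "Risk of misconfiguration and damage to credibility",
		Resolution: "Remove expired certificates",
		Explanation: `
Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be
deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can
damage the credibility of the application/website behind the ELB. As a best practice, it is
recommended to delete expired certificates.
`,
		Links: []string{
			"https://console.aws.amazon.com/iam/",
		},
		Severity: severity.Low,
	},
	// The check walks s.AWS.IAM.ServerCertificates and returns one result per
	// certificate: a failure when its Expiration is before the scan instant,
	// a pass otherwise.
	func(s *state.State) (results scan.Results) {
		// Evaluate every certificate against the same instant so a scan cannot
		// report inconsistent outcomes for certificates expiring while it runs.
		now := time.Now()
		certs := s.AWS.IAM.ServerCertificates
		for i := range certs {
			// Take the address of the slice element rather than of the range
			// copy: each result then refers to its own certificate even on
			// toolchains (pre-Go 1.22) where the loop variable is shared
			// across iterations.
			cert := &certs[i]
			// NOTE(review): a zero-valued Expiration (e.g. unresolved in the
			// scanned state) also compares as "before now" and is flagged as
			// expired — confirm whether such certificates should be skipped.
			if cert.Expiration.Before(now) {
				results.Add("Certificate has expired.", cert)
			} else {
				results.AddPassed(cert)
			}
		}
		return results
	},
)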