DeleteServerCertificate

​

Event Information

• The DeleteServerCertificate event in AWS for IAM refers to the action of deleting a server certificate from the AWS Identity and Access Management (IAM) service.
• This event indicates that a server certificate, which is used for secure communication between a client and a server, has been removed from the IAM service.
• Deleting a server certificate can impact any resources or services that rely on this certificate for secure communication, and it is important to ensure that any affected resources are updated with a new certificate if necessary.

​

Examples

• Accidental deletion: If a user with sufficient permissions accidentally deletes a server certificate, it can impact the security of the IAM environment. This can lead to disruption of services that rely on the certificate for authentication or encryption.

• Unauthorized deletion: If an attacker gains access to an IAM user or role with permissions to delete server certificates, they can maliciously delete a certificate. This can result in unauthorized access to resources or data that were protected by the certificate.

• Lack of certificate backup: If a server certificate is deleted without a proper backup, it can lead to downtime and potential security risks. Without a backup, it may be challenging to restore the certificate and resume normal operations, impacting the security of the environment.

​

Remediation

​

Using Console

1. Example 1: Enforce strong password policy for IAM users

   • Step 1: Login to the AWS Management Console.
   • Step 2: Go to the IAM service.
   • Step 3: Click on “Account settings” in the left navigation pane.
   • Step 4: Under the “Password policy” section, click on “Edit”.
   • Step 5: Configure the password policy settings according to your requirements, such as minimum password length, password complexity requirements, and password expiration.
   • Step 6: Click on “Apply password policy” to save the changes.

2. Example 2: Enable multi-factor authentication (MFA) for IAM users

   • Step 1: Login to the AWS Management Console.
   • Step 2: Go to the IAM service.
   • Step 3: Click on “Users” in the left navigation pane.
   • Step 4: Select the IAM user for which you want to enable MFA.
   • Step 5: Click on the “Security credentials” tab.
   • Step 6: Under the “Multi-factor authentication (MFA)” section, click on “Manage MFA”.
   • Step 7: Follow the on-screen instructions to set up MFA for the user, either by using a virtual MFA device or a hardware MFA device.

3. Example 3: Enable AWS CloudTrail for logging IAM events

   • Step 1: Login to the AWS Management Console.
   • Step 2: Go to the CloudTrail service.
   • Step 3: Click on “Trails” in the left navigation pane.
   • Step 4: Click on “Create trail”.
   • Step 5: Provide a name for the trail and choose the S3 bucket where the logs will be stored.
   • Step 6: Under the “Management events” section, enable logging for IAM events.
   • Step 7: Configure any additional settings as required and click on “Create trail” to create the CloudTrail trail.

​

Using CLI

1. Ensure IAM users have strong passwords:

   • Use the update-login-profile command to set a strong password for an IAM user:

     aws iam update-login-profile --user-name <IAM_USER_NAME> --password <NEW_PASSWORD> --password-reset-required
     

2. Enable multi-factor authentication (MFA) for IAM users:

   • Use the enable-mfa-device command to enable MFA for an IAM user:

     aws iam enable-mfa-device --user-name <IAM_USER_NAME> --serial-number <MFA_DEVICE_SERIAL_NUMBER> --authentication-code1 <CODE1> --authentication-code2 <CODE2>
     

3. Remove unnecessary IAM access keys:

   • Use the delete-access-key command to delete an IAM access key:

     aws iam delete-access-key --user-name <IAM_USER_NAME> --access-key-id <ACCESS_KEY_ID>
     

​

Using Python

1. Ensure IAM users have strong passwords:
   • Use the boto3 library in Python to retrieve a list of IAM users.
   • For each user, check if their password is strong by validating it against a set of password complexity rules.
   • If a user’s password is weak, use the update_login_profile method to force a password reset for that user.

import boto3
import re

def check_password_complexity(password):
    # Implement your password complexity rules here
    # Example: Password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, and one digit
    if len(password) < 8 or not re.search(r'[A-Z]', password) or not re.search(r'[a-z]', password) or not re.search(r'\d', password):
        return False
    return True

def remediate_weak_passwords():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        login_profile = iam_client.get_login_profile(UserName=user['UserName'])
        if 'LoginProfile' in login_profile:
            password = login_profile['LoginProfile'].get('Password')
            if password and not check_password_complexity(password):
                iam_client.update_login_profile(UserName=user['UserName'], PasswordResetRequired=True)

2. Enable multi-factor authentication (MFA) for IAM users:
   • Use the boto3 library in Python to retrieve a list of IAM users.
   • For each user, check if MFA is enabled by calling the list_mfa_devices method.
   • If MFA is not enabled, use the enable_mfa method to enable it for the user.

import boto3

def remediate_missing_mfa():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        mfa_devices = iam_client.list_mfa_devices(UserName=user['UserName'])['MFADevices']
        if not mfa_devices:
            iam_client.enable_mfa(UserName=user['UserName'])

3. Remove unused IAM access keys:
   • Use the boto3 library in Python to retrieve a list of IAM users.
   • For each user, check if they have any access keys by calling the list_access_keys method.
   • If the user has unused access keys, use the delete_access_key method to remove them.

import boto3

def remediate_unused_access_keys():
    iam_client = boto3.client('iam')
    users = iam_client.list_users()['Users']
    
    for user in users:
        access_keys = iam_client.list_access_keys(UserName=user['UserName'])['AccessKeyMetadata']
        for access_key in access_keys:
            if access_key['Status'] == 'Inactive':
                iam_client.delete_access_key(UserName=user['UserName'], AccessKeyId=access_key['AccessKeyId'])