IAM.26: Expired IAM-managed SSL/TLS certs should be removed
Written and reviewed by Emnode · Last reviewed
What does AWS Security Hub IAM.26 check?
IAM.26 fails when an expired SSL/TLS certificate is still stored in the IAM certificate store (AWS::IAM::ServerCertificate). IAM never removes certificates on its own, so they linger past expiry until you delete them.
Why does IAM.26 matter?
An expired certificate left in IAM is a deployment footgun rather than a cost line: attach it to a load balancer or distribution and clients hit handshake failures or fall back insecurely. Clearing expired entries removes the chance of accidentally serving a dead certificate and tidies the audit surface.
How do I fix IAM.26?
- List server certificates with their expiration dates via list-server-certificates.
- Confirm an expired certificate isn't still referenced by any load balancer or CloudFront distribution.
- Delete it with delete-server-certificate.
- Issue and manage new certificates through ACM so the IAM store stops accumulating expired entries.
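The four steps above as one script, added here as an example that is not Emnode's or AWS's own code. It lists the IAM server certificates, keeps the expired ones, checks whether a Classic ELB listener, an ALB/NLB listener or a CloudFront distribution still points at each (Classic ELB and ELBv2 store the certificate ARN, CloudFront stores the ServerCertificateId), and deletes only the unreferenced ones. The pure functions take the same shapes boto3 returns, so they run offline on the constructed sample data; only delete_unreferenced_expired talks to AWS, and it checks load balancers in a single region. The account id, names, ids and ARNs are constructed samples.

```python
from datetime import datetime, timezone


def is_expired(cert, now):
    """cert is one ServerCertificateMetadataList entry. boto3 returns Expiration as a
    tz-aware datetime and the CLI as an ISO-8601 string; accept both."""
    exp = cert["Expiration"]
    if isinstance(exp, str):
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return exp <= now


def referenced_certificates(classic_lbs, listeners, distributions):
    """Every IAM certificate ARN or id that a listener or distribution still uses."""
    refs = set()
    for lb in classic_lbs:  # elb.describe_load_balancers()["LoadBalancerDescriptions"]
        for ld in lb.get("ListenerDescriptions", []):
            arn = ld.get("Listener", {}).get("SSLCertificateId")
            if arn:
                refs.add(arn)
    for listener in listeners:  # elbv2.describe_listeners()["Listeners"], all LBs
        for cert in listener.get("Certificates", []):
            if cert.get("CertificateArn"):
                refs.add(cert["CertificateArn"])
    for dist in distributions:  # cloudfront.list_distributions() Items
        cert_id = dist.get("ViewerCertificate", {}).get("IAMCertificateId")
        if cert_id:
            refs.add(cert_id)
    return refs


def plan_deletions(certs, refs, now):
    """Split expired certificates into (safe_to_delete, still_referenced) names."""
    safe, blocked = [], []
    for cert in certs:
        if not is_expired(cert, now):
            continue
        if cert["Arn"] in refs or cert["ServerCertificateId"] in refs:
            blocked.append(cert["ServerCertificateName"])
        else:
            safe.append(cert["ServerCertificateName"])
    return sorted(safe), sorted(blocked)


def delete_unreferenced_expired(region="us-east-1", dry_run=True):
    """Live run against one region's load balancers plus CloudFront. boto3 is
    imported here so the pure functions above import without it."""
    import boto3
    iam = boto3.client("iam")
    elb = boto3.client("elb", region_name=region)
    elbv2 = boto3.client("elbv2", region_name=region)
    cf = boto3.client("cloudfront")
    certs = [c for page in iam.get_paginator("list_server_certificates").paginate()
             for c in page["ServerCertificateMetadataList"]]
    classic = [lb for page in elb.get_paginator("describe_load_balancers").paginate()
               for lb in page["LoadBalancerDescriptions"]]
    listeners = []
    for page in elbv2.get_paginator("describe_load_balancers").paginate():
        for lb in page["LoadBalancers"]:
            listeners += elbv2.describe_listeners(LoadBalancerArn=lb["LoadBalancerArn"])["Listeners"]
    dists = [d for page in cf.get_paginator("list_distributions").paginate()
             for d in page["DistributionList"].get("Items", [])]
    refs = referenced_certificates(classic, listeners, dists)
    safe, blocked = plan_deletions(certs, refs, datetime.now(timezone.utc))
    for name in blocked:
        print(f"still referenced, repoint the listener or distribution first: {name}")
    for name in safe:
        if not dry_run:
            iam.delete_server_certificate(ServerCertificateName=name)
        print(f"{'would delete' if dry_run else 'deleted'} expired IAM certificate: {name}")
    return safe, blocked


# Constructed sample data (not real resources) so the planning logic runs offline.
SAMPLE_NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"ServerCertificateName": "api-2023", "ServerCertificateId": "ASCAEXAMPLE0001",
     "Arn": "arn:aws:iam::123456789012:server-certificate/api-2023",
     "Expiration": datetime(2024, 6, 30, tzinfo=timezone.utc)},
    {"ServerCertificateName": "legacy-cdn", "ServerCertificateId": "ASCAEXAMPLE0002",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-cdn",
     "Expiration": "2024-12-01T00:00:00Z"},
    {"ServerCertificateName": "api-2025", "ServerCertificateId": "ASCAEXAMPLE0003",
     "Arn": "arn:aws:iam::123456789012:server-certificate/api-2025",
     "Expiration": datetime(2025, 12, 31, tzinfo=timezone.utc)},
]
# A distribution still pinned to the expired legacy-cdn certificate by its IAM id.
SAMPLE_DISTRIBUTIONS = [{"Id": "E1EXAMPLE", "ViewerCertificate": {"IAMCertificateId": "ASCAEXAMPLE0002"}}]


def offline_demo():
    refs = referenced_certificates([], [], SAMPLE_DISTRIBUTIONS)
    return plan_deletions(SAMPLE_CERTS, refs, SAMPLE_NOW)


if __name__ == "__main__":
    print(offline_demo())  # (['api-2023'], ['legacy-cdn'])
```

Run offline_demo() to see the split: api-2023 is expired and unreferenced, legacy-cdn is expired but a distribution still uses it, api-2025 is left alone. Call delete_unreferenced_expired(dry_run=False) only once the blocked list is empty; until then the distribution would keep serving the dead certificate and lose it at deletion time.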
Remediation script · bash

```bash
# Alarm on DaysToExpiry per certificate so a stalled renewal pages someone, not the root inbox.
aws cloudwatch put-metric-alarm \
  --alarm-name acm-imported-api-example-com-expiry \
  --namespace AWS/CertificateManager \
  --metric-name DaysToExpiry \
  --dimensions Name=CertificateArn,Value=arn:aws:acm:us-east-1:123456789012:certificate/9f3a2b14 \
  --statistic Minimum --period 86400 --evaluation-periods 1 \
  --threshold 45 --comparison-operator LessThanOrEqualToThreshold \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:pagerduty-platform

# Clear expired leftovers from the IAM store after confirming nothing references them.
# JMESPath only orders numbers, so "Expiration<'$NOW'" inside --query silently matches
# nothing; pull name and expiry out and compare the timestamps in the shell instead.
NOW=$(date -u +%Y-%m-%dT%H:%M:%S)
aws iam list-server-certificates \
  --query "ServerCertificateMetadataList[].[ServerCertificateName,Expiration]" \
  --output text |
while read -r name expiration; do
  # compare only YYYY-MM-DDTHH:MM:SS so the "Z" vs "+00:00" suffix never matters
  [[ "${expiration:0:19}" < "$NOW" ]] || continue
  # confirm not referenced by any ELB listener or CloudFront distribution first
  aws iam delete-server-certificate --server-certificate-name "$name"
  echo "deleted expired IAM certificate: $name"
done
```

Full walkthrough (console steps, edge cases and verification) in the lesson Manage and renew TLS certificates.
Is IAM.26 a false positive?
IAM's certificate store is only the right home when you need HTTPS in a Region ACM doesn't support — everywhere else ACM is the answer, and the finding recurs until you migrate.