AWS Certificate Manager

Upcoming ACM Certificates Expiry

This plugin is crucial in the identification of ACM (AWS Certificate Manager) certificates that may expire in the near future.

Risk Level: MEDIUM

Description: 

This plugin identifies ACM (AWS Certificate Manager) certificates that will expire within the configured alerting window. ACM also provides managed renewal for the public certificates it issues, under which:

  • ACM renews DNS-validated certificates automatically, as long as the validation CNAME record remains in the domain's DNS.
  • For email-validated certificates, ACM sends renewal notices to the domain's contact addresses before expiry, and the domain owner must respond for the certificate to be renewed.

Certificates imported into ACM are not covered by managed renewal and must be re-imported before they expire.

PingSafe strongly recommends ensuring that ACM can renew each certificate before it expires, by keeping the DNS validation CNAME records in place or by responding to the validation email.

Configuration Parameter

Certificate Expiry Alerting Window: the number of days before a certificate's expiry date at which this plugin raises an alert. It lets you monitor the "days to expiry" of each certificate and act before the date arrives.

By default, the value of this parameter is set to 30 days.

About the Service :

AWS Certificate Manager (ACM) is a service that simplifies and automates the conventional work of SSL/TLS certificate management: provisioning, storing and renewing public and private X.509 certificates and their private keys for use with AWS websites and applications. It is designed for organizations that need a secure web presence over TLS.

Impact : 

If an ACM certificate's expiry is not detected in time, the certificate expires and clients reject it: TLS connections to the load balancers, CloudFront distributions, API Gateway endpoints or other resources that serve it fail, causing an outage until a valid certificate is deployed. Expiry does not stop ACM itself from provisioning or managing certificates, but an expired certificate must be replaced by requesting a new one and associating it with the affected resources.

Steps to reproduce :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The certificate list shows each certificate's Status (for example Issued, Pending validation or Expired) together with its expiration date, so certificates nearing expiration can be identified here.
  4. In the screenshot above, the certificate's status shows Pending validation, meaning it has never been issued and has no expiration date yet; for issued certificates the expiration date is shown under the same heading.

Steps for remediation :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. For each certificate nearing expiration, confirm that ACM can renew it: for DNS validation the CNAME record must still exist in the domain's DNS, and for email validation the domain owner must respond to the renewal notice. If validation cannot be confirmed, ACM will be unable to renew the certificate.
  4. If a certificate has already expired or cannot be renewed, request a new certificate, validate it, and associate it with the resources that used the old one. Then delete the old certificate: select it, click the Actions button from the dashboard top menu and select the Delete option from the dropdown menu. ACM will not delete a certificate that is still in use by an AWS resource.
  5. After deleting the last certificate, the console returns to the ACM home page for requesting a new certificate.
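As an added example (not part of PingSafe's plugin or this documentation), the following Python implements the check described under Configuration Parameter and the renewal check from the remediation steps: it computes days to expiry against the default 30-day alerting window and, for each certificate inside the window, uses the validation method and renewal eligibility from the describe_certificate response to say whether ACM's managed renewal should handle it or someone must act. The certificate records are constructed in the shape boto3's describe_certificate returns; the ARNs and domain names are made up, and load_from_acm (which needs AWS credentials) is only there for running the same logic against a real account.

```python
"""Flag ACM certificates inside an expiry alerting window and say whether
ACM can renew them on its own.  Added example; not PingSafe's plugin code."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

DEFAULT_WINDOW_DAYS = 30  # the plugin's default "Certificate Expiry Alerting Window"


def days_to_expiry(cert: dict, now: datetime) -> int:
    """Whole days until NotAfter; negative once the certificate has expired."""
    return (cert["NotAfter"] - now).days


def classify(cert: dict, now: datetime, window_days: int = DEFAULT_WINDOW_DAYS) -> str:
    """Return 'ok', 'expired', 'expiring-managed' or 'expiring-action-needed'.

    'expiring-managed': inside the window, but ACM reports the certificate
    as ELIGIBLE for managed renewal and every domain is DNS-validated, so it
    should renew by itself as long as the validation CNAMEs stay in place.
    Email-validated or INELIGIBLE certificates inside the window need a human.
    """
    days = days_to_expiry(cert, now)
    if days < 0 or cert.get("Status") == "EXPIRED":
        return "expired"
    if days > window_days:
        return "ok"
    methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
    if cert.get("RenewalEligibility") == "ELIGIBLE" and methods == {"DNS"}:
        return "expiring-managed"
    return "expiring-action-needed"


def expiring_certificates(certs, now, window_days=DEFAULT_WINDOW_DAYS):
    """(arn, days_left, class) for every certificate that is expired or inside the window,
    soonest first."""
    out = []
    for cert in certs:
        cls = classify(cert, now, window_days)
        if cls != "ok":
            out.append((cert["CertificateArn"], days_to_expiry(cert, now), cls))
    return sorted(out, key=lambda t: t[1])


def load_from_acm(region_name=None):
    """Fetch live certificate records with boto3 (needs credentials; unused by the sample)."""
    import boto3  # imported lazily so the offline sample runs without boto3 installed

    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            certs.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    return certs


# Constructed sample records in the shape describe_certificate returns.
# ARNs, domains and the "current" time are made up for the example.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _cert(name, days, status="ISSUED", eligibility="ELIGIBLE", method="DNS", in_use=True):
    return {
        "CertificateArn": f"arn:aws:acm:us-east-1:123456789012:certificate/{name}",
        "Status": status,
        "NotAfter": NOW + timedelta(days=days),
        "RenewalEligibility": eligibility,
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/abc"] if in_use else [],
        "DomainValidationOptions": [{"DomainName": f"{name}.example.com", "ValidationMethod": method}],
    }


SAMPLE_CERTS = [
    _cert("dns-ok", 12),                                        # renews itself if the CNAME is still there
    _cert("email", 20, method="EMAIL"),                         # owner must answer the renewal mail
    _cert("unused", 5, eligibility="INELIGIBLE", in_use=False), # ACM will not renew it
    _cert("fine", 200),                                         # outside the 30-day window
    _cert("gone", -3, status="EXPIRED"),                        # already expired: replace it
]


def report(window_days=DEFAULT_WINDOW_DAYS):
    """Run the check over the constructed sample set."""
    return expiring_certificates(SAMPLE_CERTS, NOW, window_days)


if __name__ == "__main__":
    for arn, days, cls in report():
        print(f"{days:>4}d  {cls:<24} {arn}")
```

Anything reported as expiring-action-needed is what the remediation steps above are for: check the validation CNAME or answer the renewal email, and if the certificate is already expired or INELIGIBLE, request a replacement before deleting it.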
