📝 AWS ACM Certificate expires in the next 7 days 🟢

• Contextual name: 📝 Certificate expires in the next 7 days 🟢
• ID: /ce/ca/aws/acm/certificate-expires-in-7-days
• Located in: 📁 AWS ACM

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY
  • RELIABILITY

Similar Policies

• Internal
  • dec-x-b24d2338

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b24d2338	1

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 AWS ACM Certificate
  • 🔌 AWS ACM Certificate - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Renew your SSL/TLS certificates in AWS ACM that are ineligible for automatic renewal at least 7 days before their expiration date. This proactive approach is essential for maintaining the security and reliability of your applications and services that rely on these certificates.

Rationale

Timely renewal of SSL/TLS certificates prevents service disruptions that can occur due to expired certificates, ensuring continuous protection for your data and communications. By regularly updating your certificates, you ensure that your applications use the latest and most secure encryption standards. Additionally, maintaining a robust certificate management policy can aid in compliance with industry regulations that require the use of strong, up-to-date encryption methods.

Audit

This policy marks a certificate as INCOMPLIANT when the following conditions are met: the Status field is set to ISSUED, the Renewal Eligibility is INELIGIBLE, and the certificate is set to expire within the next 7 days, as indicated by the Not After field.

... see more

Remediation

Open File

Remediation

From Command Line

Perform one of the following commands to renew the expiring certificate:

• request a new managed private certificate
• reimport a new externally obtained certificate
• issue a client certificate using private CA:

Request a new private certificate

aws acm request-certificate \
--domain-name {{www.example.com}} \
--idempotency-token {{12563}} \
--certificate-authority-arn {{certificateAuthorityArn}}

Note: If you do not provide a {{certificateAuthorityArn}} and you are trying to request a private certificate, ACM will attempt to issue a public certificate.

Reimport a new certificate

aws acm import-certificate \
--certificate-arn {{certificateArn}} \
--certificate file://{{importedCertificate}} \
--private-key file://{{privateKey}} \
--certificate-chain file://{{certificateChain}}

Replace {{certificateArn}}, {{importedCertificate}}, {{privateKey}}, and {{certificateChain}} with the respective ARN value and file paths of your imported certificate, private key, and certificate chain files.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period		1	1
💼 Cloudaware Framework → 💼 Expiration Management			12
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			16
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(3) Protection of Information at Rest _ Cryptographic Keys			1
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	6	9
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		9
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		9