🛡️ AWS ACM Certificate expires in the next 7 days🟢

• Contextual name: 🛡️ Certificate expires in the next 7 days🟢
• ID: /ce/ca/aws/acm/certificate-expires-in-7-days
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS ACM Certificate
  • 🔌 AWS ACM Certificate - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• AWS Security Hub: [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period
• Cloud Conformity: AWS ACM Certificates Renewal (7 days before expiration)
• Internal: dec-x-b24d2338

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-b24d2338	1

Description

Open File

Description

Renew your SSL/TLS certificates in AWS ACM that are ineligible for automatic renewal at least 7 days before their expiration date. This proactive approach is essential for maintaining the security and reliability of applications and services that rely on these certificates.

Rationale

Timely renewal of SSL/TLS certificates prevents service disruptions that can occur due to expired certificates, ensuring continuous protection for your data and communications. By regularly updating your certificates, you ensure that your applications use the latest and most secure encryption standards. Additionally, maintaining a robust certificate management policy can aid in compliance with industry regulations that require the use of strong, up-to-date encryption methods.

Audit

This policy flags an AWS ACM Certificate as INCOMPLIANT when the Status field is set to ISSUED, the Renewal Eligibility field is INELIGIBLE, and the certificate is set to expire within the next 7 days, as indicated by the Not After field.

... see more

Remediation

Open File

Remediation

From Command Line

Perform one of the following commands to renew the expiring certificate:

• Request a new managed private certificate.
• Reimport a new externally obtained certificate.
• Issue a client certificate using a private CA.

Request a new private certificate

aws acm request-certificate \
--domain-name {{www.example.com}} \
--idempotency-token {{12563}} \
--certificate-authority-arn {{certificateAuthorityArn}}

Note: If you do not provide a {{certificateAuthorityArn}} and you are trying to request a private certificate, ACM will attempt to issue a public certificate.

Reimport a new certificate

aws acm import-certificate \
--certificate-arn {{certificateArn}} \
--certificate file://{{importedCertificate}} \
--private-key file://{{privateKey}} \
--certificate-chain file://{{certificateChain}}

Replace {{certificateArn}}, {{importedCertificate}}, {{privateKey}}, and {{certificateChain}} with the respective ARN value and file paths of your imported certificate, private key, and certificate chain files.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ACM.1] Imported and ACM-issued certificates should be renewed after a specified time period		1	1		no data
💼 Cloudaware Framework → 💼 Expiration Management			15		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			37		no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-28(3) Protection of Information at Rest _ Cryptographic Keys			2		no data
💼 PCI DSS v3.2.1 → 💼 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.	1	8	28		no data
💼 PCI DSS v4.0.1 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2		28		no data
💼 PCI DSS v4.0 → 💼 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.	2	9	28		no data