AWS ACM Certificate validation has failed
- Contextual name: Certificate validation has failed
- ID: /ce/ca/aws/acm/certificate-validity
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: SECURITY
Logic
- prod.logic.yaml
Similar Policies
- Cloud Conformity: AWS ACM Certificates Validity
Description
This policy identifies AWS ACM Certificates that have failed the validation process.
All requests made during the SSL/TLS certificate issuance or renewal process must be successfully validated. These requests are managed within your AWS account by Amazon Certificate Manager, a service that enables you to provision, deploy, and manage SSL/TLS certificates for use with AWS resources such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs hosted on Amazon API Gateway.
Rationale
ACM certificates must be validated using DNS or email-based validation to confirm domain ownership before they can be issued.
If an ACM certificate is not validated within the required timeframe (typically 72 hours from the time the request is created), the validation attempt fails and the certificate request becomes invalid. In such cases, a new SSL/TLS certificate must be requested, which may result in service disruptions or application downtime.
Audit
This policy marks an AWS ACM Certificate as INCOMPLIANT if the Status field is set to FAILED or VALIDATION_TIMED_OUT.
Remediation
Re-initiate ACM Certificate Validation (Email Validation)
For Amazon Certificate Manager (ACM) certificates that have failed or timed out during email-based validation, re-initiate the validation process by resending the domain validation email using the AWS CLI.
Note
The steps below apply only to certificates that use email validation. Certificates that use DNS validation cannot use the email resend operation and require updates to the domain's DNS configuration instead.
A common reason for DNS-based validation failure is that the required DNS CNAME record generated by ACM was not created or was created incorrectly. To remediate this issue, review the DNS validation (CNAME) instructions provided by ACM and request a new certificate, ensuring the DNS records are correctly configured before validation.
From AWS CLI
- Resend the domain validation email for the affected ACM certificate by running the following command. Replace the placeholders with values specific to your environment:
... see more
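As an added example (not the policy's own logic and not Cloudaware code), the following Python applies the Audit rule above to certificate records and builds the remediation step for each flagged certificate, separating the email-validation case handled by the CLI step from the DNS case described in the Note. The records are constructed to mimic the shape of the Certificate object returned by aws acm describe-certificate; the ARNs, domains and CNAME values are made up. The command it emits uses the real parameters of aws acm resend-validation-email (--certificate-arn, --domain, --validation-domain); everything else (function names, the hint text for DNS-validated domains) is this example's own.

```python
"""Audit ACM certificate records for failed validation (added example).

The records below are constructed to mimic the Certificate object returned by
`aws acm describe-certificate`; in a real audit you would fetch one per ARN
listed by `aws acm list-certificates` (or boto3's acm.describe_certificate).
"""
import shlex

# Statuses the policy treats as INCOMPLIANT (Audit section).
NONCOMPLIANT_STATUSES = frozenset({"FAILED", "VALIDATION_TIMED_OUT"})


def is_noncompliant(cert: dict) -> bool:
    """Apply the Audit rule: Status is FAILED or VALIDATION_TIMED_OUT."""
    return cert.get("Status") in NONCOMPLIANT_STATUSES


def remediation_steps(cert: dict) -> list:
    """Return one remediation hint per validated domain of a flagged certificate.

    EMAIL-validated domains get the resend command from the Remediation
    section; DNS-validated domains cannot use it, so they get the CNAME record
    ACM expects plus the instruction to request a new certificate (Note section).
    """
    if not is_noncompliant(cert):
        return []
    arn = cert["CertificateArn"]
    steps = []
    for opt in cert.get("DomainValidationOptions", []):
        domain = opt["DomainName"]
        method = opt.get("ValidationMethod")
        if method == "EMAIL":
            # Real aws CLI parameters; shlex.join keeps the command copy-pasteable.
            steps.append(shlex.join([
                "aws", "acm", "resend-validation-email",
                "--certificate-arn", arn,
                "--domain", domain,
                "--validation-domain", opt.get("ValidationDomain", domain),
            ]))
        elif method == "DNS":
            rr = opt.get("ResourceRecord", {})
            steps.append(
                f"create CNAME {rr.get('Name', '?')} -> {rr.get('Value', '?')}, "
                f"then request a new certificate for {domain}"
            )
        else:
            steps.append(f"unknown validation method {method!r} for {domain}")
    return steps


def audit(certs: list) -> dict:
    """Map the ARN of every non-compliant certificate to its remediation steps."""
    return {
        cert["CertificateArn"]: remediation_steps(cert)
        for cert in certs
        if is_noncompliant(cert)
    }


# Constructed sample records; ARNs, domains and CNAME values are made up.
SAMPLE_CERTS = [
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cert-issued",
        "DomainName": "www.example.com",
        "Status": "ISSUED",
        "DomainValidationOptions": [
            {"DomainName": "www.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "SUCCESS"},
        ],
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cert-email-timeout",
        "DomainName": "mail.example.com",
        "Status": "VALIDATION_TIMED_OUT",
        "DomainValidationOptions": [
            {"DomainName": "mail.example.com", "ValidationDomain": "example.com",
             "ValidationMethod": "EMAIL", "ValidationStatus": "PENDING_VALIDATION"},
        ],
    },
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cert-dns-failed",
        "DomainName": "api.example.com",
        "Status": "FAILED",
        "DomainValidationOptions": [
            {"DomainName": "api.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "FAILED",
             "ResourceRecord": {"Name": "_abc123.api.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
        ],
    },
]

if __name__ == "__main__":
    for arn, steps in audit(SAMPLE_CERTS).items():
        print(arn)
        for step in steps:
            print("   ", step)
```

Running the module prints the two flagged ARNs: the email-validated certificate gets a ready-to-run resend command, while the DNS-validated one gets the CNAME record that was expected, which is the usual thing to compare against the zone before re-requesting the certificate.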
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| AWS Well-Architected → SEC09-BP01 Implement secure key and certificate management | 5 | no data | | | |
| Cloudaware Framework → Cryptographic Configuration | 9 | no data | | | |