Ensure invalid or failed certificates are removed from ACM

Checks the ACM for Invalid or Failed certificates. An Invalid certificate is one that has not been validated within 72 hours. A certificate fails for these reasons: - the certificate is requested for invalid public domains. - the certificate is requested for domains which are not allowed or missing contact information - typographical errors. These certificates cannot be used, and you will have to request new ones. It is recommended to delete Failed or Invalid certificates.

Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.29
Covered by Spectral: No
Category: Security, Identity, & Compliance


AcmCertificate should not have status='FAILED' or status='VALIDATION_TIMED_OUT'


From Portal
Following are the steps to delete unused certificates:

  1. Open the ACM console at https://console.aws.amazon.com/acm/.
  2. In the list of certificates, select the check box for an ACM certificate, then choose Delete.

Alternatively, you can associate/use the unused certificate to the resource which requires the certificate.

From Command Line
Use the delete-certificate command to delete a certificate, as shown in the following command:

aws acm delete-certificate --certificate-arn ARN


  1. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset