Ensure that all the expired SSL/TLS certificates are removed from ACM

Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other Amazon services such as Elastic Load Balancing and CloudFront.

Risk Level: Low
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.40
Covered by Spectral: No
Category: Security, Identity, & Compliance


AcmCertificate should not have status = 'EXPIRED'


From Portal

  1. Sign in to the AWS Management Console.
  2. Navigate to AWS ACM dashboard at https://console.aws.amazon.com/acm/.
  3. Select the SSL/TLS certificate that you want to remove with the status as Expired
  4. Click on the expired certificate and review the certificate details (domain name and ID).
  5. Click Delete to confirm the action.
  6. Repeat step number 3 and 4 to remove other expired AWS ACM certificates available within the selected region.
  7. Change the AWS region from the navigation bar and repeat the process for other regions.

From Command Line
Use the delete-certificate command to delete an expired certificate, as shown in the following command:

aws acm delete-certificate --certificate-arn ARN


  1. https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/delete-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset