ACM has soon to be expired certificates

ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. Check ACM for certificates that are about to expire: certificates that expire in less than a month, and certificates whose notAfter time has already passed but that are still in status ISSUED. Managed renewal does not cover certificates you imported into ACM; those must be re-imported with a renewed certificate before the old one expires.

Risk Level: Informational
Cloud Entity: AWS Certificate Manager
CloudGuard Rule ID: D9.AWS.CRY.54
Covered by Spectral: No
Category: Security, Identity, & Compliance

GSL LOGIC

AcmCertificate should have status like 'ISSUED' and notAfter after(30, 'days')
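The following is an added example, not CloudGuard's or AWS's code: it reproduces the GSL check above over records shaped like boto3's acm.describe_certificate()["Certificate"] output, and for each finding says which remediation path applies (imported certificates must be re-imported; Amazon-issued ones should have been renewed by ACM, so the renewal state is reported). The sample records and the fixed NOW are constructed; fetch_certificates is the live variant and assumes boto3 credentials for the account.

```python
# Added example (not CloudGuard's or AWS's code): reproduce the GSL check
# "AcmCertificate should have status like 'ISSUED' and notAfter after(30, 'days')"
# over describe_certificate-shaped records and name the remediation path.
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 30  # the rule's after(30, 'days') window


def classify(cert, now, threshold_days=THRESHOLD_DAYS):
    """Return None if `cert` passes the rule, else a finding dict.

    `cert` has the shape of boto3 acm.describe_certificate()["Certificate"]:
    Status, NotAfter (tz-aware datetime), Type, RenewalEligibility, RenewalSummary.
    """
    if cert.get("Status") != "ISSUED":
        return None                        # the rule only evaluates ISSUED certificates
    not_after = cert.get("NotAfter")
    if not_after is None:
        return None                        # nothing to compare against
    remaining = not_after - now
    if remaining > timedelta(days=threshold_days):
        return None                        # notAfter is more than 30 days out: compliant

    cert_type = cert.get("Type", "IMPORTED")
    if cert_type == "IMPORTED":
        # ACM never renews imported certificates: a renewed one must be re-imported
        action = "re-import a renewed certificate into the same ARN"
    else:
        # Amazon-issued or private: managed renewal should have handled it; say why not
        renewal = cert.get("RenewalSummary", {}).get("RenewalStatus", "none")
        eligible = cert.get("RenewalEligibility", "INELIGIBLE")
        if eligible == "INELIGIBLE":
            action = "not eligible for managed renewal; request a new certificate"
        elif renewal in ("PENDING_VALIDATION", "FAILED"):
            action = f"managed renewal is {renewal}; complete DNS/email validation"
        else:
            action = "managed renewal has not fired yet; watch it, escalate if it fails"

    return {
        "arn": cert.get("CertificateArn"),
        "type": cert_type,
        "expired": remaining < timedelta(0),   # notAfter already passed but still ISSUED
        "days_left": remaining.days,
        "action": action,
    }


def audit(certs, now=None, threshold_days=THRESHOLD_DAYS):
    """Run the rule over a list of certificate records; soonest expiry first."""
    now = now or datetime.now(timezone.utc)
    findings = [f for f in (classify(c, now, threshold_days) for c in certs) if f]
    return sorted(findings, key=lambda f: f["days_left"])


def fetch_certificates(region_name):
    """Live variant: pull every certificate in the region with boto3 (assumed installed
    and configured). Imported lazily so the offline sample below runs without it."""
    import boto3
    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


# Constructed sample records (not real ACM output); NOW is fixed so results are stable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:111111111111:certificate/"
SAMPLE_CERTS = [
    {"CertificateArn": ARN + "ok", "Status": "ISSUED", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "NotAfter": NOW + timedelta(days=200)},
    {"CertificateArn": ARN + "imported-soon", "Status": "ISSUED", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE", "NotAfter": NOW + timedelta(days=10)},
    {"CertificateArn": ARN + "imported-past", "Status": "ISSUED", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE", "NotAfter": NOW - timedelta(days=5)},
    {"CertificateArn": ARN + "renewal-failed", "Status": "ISSUED", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "RenewalSummary": {"RenewalStatus": "FAILED"},
     "NotAfter": NOW + timedelta(days=20)},
    {"CertificateArn": ARN + "boundary", "Status": "ISSUED", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "NotAfter": NOW + timedelta(days=30)},
    {"CertificateArn": ARN + "already-expired", "Status": "EXPIRED", "Type": "IMPORTED",
     "NotAfter": NOW - timedelta(days=40)},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CERTS, NOW):
        print(f"{f['arn']}: expired={f['expired']} days_left={f['days_left']} -> {f['action']}")
```

Note that a certificate with exactly 30 days left is flagged: the rule requires notAfter to be strictly after the 30-day mark. Certificates already in status EXPIRED are outside this rule's scope (it only looks at ISSUED), so pair it with a second check if you also want those reported.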

REMEDIATION

From Portal
ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you are using DNS validation) or send you email notices when expiration is approaching (if you are using email validation). Managed renewal is provided for both public and private ACM certificates. Certificates you imported yourself are not renewed by ACM: obtain a renewed certificate from your CA and re-import it into the existing certificate ARN, so that the load balancers, CloudFront distributions and other resources that reference the ARN keep working without being reconfigured.

Use the following steps to re-import a renewed certificate in place of the expiring one.

  1. Login into your AWS account
  2. Navigate to the ACM service at: https://console.aws.amazon.com/acm
  3. Select the certificate that is expiring soon.
  4. Click the Actions button from the dashboard top menu, select the Reimport certificate option from the dropdown menu, and do the following:
    a. For Certificate body, paste the PEM-encoded certificate to import, as issued by your SSL certificate provider.
    b. For Certificate private key, paste the PEM-encoded, unencrypted private key that matches the public key in the certificate from step a.
    c. For Certificate chain, paste the PEM-encoded certificate chain delivered with the certificate body specified at step a.
    d. Click the Review and import button to continue the process.
  5. On the Review and import page, review the imported certificate details, then click Import to confirm the action and complete the renewal process.

From Command Line
Run the following command to re-import the renewed certificate into the selected ACM certificate (replace imported_certificate_ARN with the ARN of the certificate you want to renew; passing the ARN is what makes this a re-import rather than a new certificate).

aws acm import-certificate --certificate-arn imported_certificate_ARN --certificate file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem
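As an added example (not AWS's or CloudGuard's code) covering the console steps and the CLI command above: before re-importing, check that the three PEM inputs have the shape ACM accepts, since the usual failures are a whole chain pasted into the certificate-body field, a passphrase-protected private key, and an empty chain. validate_reimport_material does those structural checks offline; reimport_certificate is the boto3 equivalent of the CLI command and assumes boto3 and AWS credentials. The PEM strings at the bottom are constructed placeholders with dummy bodies, not real key material.

```python
# Added example (not AWS's or CloudGuard's code): structural checks on the PEM
# material for "Reimport certificate", then the import call into the existing ARN.
import re

# One PEM block: BEGIN/END labels must match (backreference \1); re.S spans the body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
UNENCRYPTED_KEY_LABELS = (["PRIVATE KEY"], ["RSA PRIVATE KEY"], ["EC PRIVATE KEY"])


def pem_labels(text):
    """Return the labels of the PEM blocks in `text`, in order, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def validate_reimport_material(cert_pem, key_pem, chain_pem=None):
    """Return a list of problems; an empty list means the inputs have ACM's expected shape.

    This checks framing only (block labels, encryption markers). It does not parse the
    certificates, so validity dates and key/certificate matching are not verified here.
    """
    problems = []
    if pem_labels(cert_pem) != ["CERTIFICATE"]:
        problems.append("certificate body must be exactly one PEM CERTIFICATE block "
                        "(the chain goes in its own field)")
    key_labels = pem_labels(key_pem)
    if key_labels == ["ENCRYPTED PRIVATE KEY"] or "Proc-Type: 4,ENCRYPTED" in key_pem:
        # PKCS#8 encrypted label, or legacy PKCS#1 with OpenSSL encryption headers
        problems.append("private key is encrypted; ACM requires an unencrypted PEM key")
    elif key_labels not in UNENCRYPTED_KEY_LABELS:
        problems.append("private key must be a single PKCS#8, PKCS#1 or SEC1 PEM block")
    if chain_pem is not None:
        chain_labels = pem_labels(chain_pem)
        if not chain_labels:
            problems.append("certificate chain field is present but contains no PEM blocks")
        elif any(label != "CERTIFICATE" for label in chain_labels):
            problems.append("certificate chain may contain only CERTIFICATE blocks")
    return problems


def reimport_certificate(arn, cert_path, key_path, chain_path=None, region_name=None):
    """boto3 equivalent of the CLI command above; the ARN makes it a re-import."""
    with open(cert_path) as f:
        cert_pem = f.read()
    with open(key_path) as f:
        key_pem = f.read()
    chain_pem = None
    if chain_path:
        with open(chain_path) as f:
            chain_pem = f.read()
    problems = validate_reimport_material(cert_pem, key_pem, chain_pem)
    if problems:
        raise ValueError("refusing to import: " + "; ".join(problems))
    import boto3  # assumed installed/configured; imported lazily so checks run offline
    acm = boto3.client("acm", region_name=region_name)
    kwargs = {"CertificateArn": arn, "Certificate": cert_pem.encode(),
              "PrivateKey": key_pem.encode()}
    if chain_pem:
        kwargs["CertificateChain"] = chain_pem.encode()
    return acm.import_certificate(**kwargs)["CertificateArn"]


# Constructed placeholders: dummy base64 bodies, not real certificates or keys.
LEAF = "-----BEGIN CERTIFICATE-----\nMIIBdummyLeaf\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIIBdummyCA\n-----END CERTIFICATE-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEdummyKey\n-----END PRIVATE KEY-----\n"
ENCRYPTED_PKCS8_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFdummy\n"
                       "-----END ENCRYPTED PRIVATE KEY-----\n")
ENCRYPTED_PKCS1_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                       "DEK-Info: AES-256-CBC,00\n\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(validate_reimport_material(LEAF, PKCS8_KEY, INTERMEDIATE))          # []
    print(validate_reimport_material(LEAF + INTERMEDIATE, PKCS8_KEY, ""))     # 2 problems
    print(validate_reimport_material(LEAF, ENCRYPTED_PKCS1_KEY, INTERMEDIATE))  # 1 problem
```

Run the validation against the files you intend to pass to `aws acm import-certificate` before invoking it; an encrypted key or a chain pasted into the body are rejected by ACM anyway, but catching them locally avoids a failed call against the production ARN.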

References

  1. https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html
  2. https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting.html
  3. https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html
  4. https://docs.aws.amazon.com/acm/latest/userguide/manual-renewal.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm/import-certificate.html

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ITSG-33
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset