Profile Applicability:

  • Level 1


Description:

This control ensures that all AWS Certificate Manager (ACM) certificates — whether issued by AWS or imported — are actively monitored for expiration within a specific number of days (e.g., 30 days or less). Certificates nearing expiration can cause service interruptions, broken HTTPS connections, and compliance violations. Establishing alerts before expiry helps ensure timely renewal or replacement.


Rationale:

Monitoring certificate expiration dates is essential to maintaining secure, uninterrupted encrypted connections (HTTPS, TLS). Expired certificates can lead to:

  • Application downtime and broken integrations.

  • Customer trust issues due to SSL/TLS validation errors.

  • Non-compliance with security frameworks (CIS, SOC 2, ISO 27001, PCI-DSS).

Implementing monitoring and alerts for certificates nearing expiration helps ensure proactive management and uninterrupted service availability.


Impact:

  • Positive Impact:

    • Prevents accidental certificate expiration and the resulting downtime.

    • Improves compliance and operational continuity.

    • Ensures encrypted communications remain secure and trusted.

  • Negative Impact:

    • Minimal administrative effort to review and renew certificates before expiry.


Default Value:

By default, ACM begins managed renewal of the certificates it issued up to 60 days before expiry, provided the certificate is still renewal-eligible (DNS validation CNAME records still resolve, or validation emails are answered). DescribeCertificate reports this as RenewalEligibility: ELIGIBLE, with progress shown under RenewalSummary.
Imported certificates are never auto-renewed: their RenewalEligibility is INELIGIBLE, and a renewed certificate must be imported manually before the NotAfter date.


Pre-Requisite:

  • IAM permissions required:

    • acm:ListCertificates

    • acm:DescribeCertificate

  • AWS CLI installed or access to AWS Management Console.

  • Optional: Amazon SNS topic or AWS Lambda function for automated alerts.


Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Certificate Manager (ACM).

  3. Review the Expiration date column.

  4. Identify certificates expiring in the next N days (e.g., 30 days or less).

  5. For ACM-issued certificates, confirm that Renewal eligibility is Eligible and that the renewal status is not Pending validation or Failed.

  6. For imported certificates, verify that a renewed certificate and its private key are scheduled to be imported before expiry.


Implementation Plan

Using AWS Console:

  1. Navigate to ACM → Certificates.

  2. Sort or filter the list by Expiration date.

  3. Identify certificates expiring within the next 30 days.

  4. For certificates issued by ACM:

    • Confirm the domain validation records (the DNS validation CNAME records, or an answered validation email) are still in place so managed renewal can complete.

  5. For imported certificates:

    • Re-import a renewed certificate (re-importing over the existing certificate ARN keeps current service associations) or request a new ACM-issued certificate before expiration.

  6. Optionally, automate the check: create a CloudWatch alarm on the DaysToExpiry metric ACM publishes per certificate ARN, an EventBridge rule for the ACM Certificate Approaching Expiration event, the AWS Config managed rule acm-certificate-expiration-check, or a scheduled Lambda function that calls DescribeCertificate, and route notifications through SNS or email.
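The test plan and implementation plan above both come down to the same check: list every certificate, compute days until NotAfter, and treat imported or renewal-ineligible certificates differently from ACM-issued ones. The following script is an added example for this control, not code from the page or from AWS; it runs offline against constructed DescribeCertificate-shaped records (the field names are the real API's, the sample ARNs, domains and fixed clock are assumptions), and a separate fetch helper pulls live records with boto3 when credentials are available.

```python
"""Flag ACM certificates that are expired or inside an N-day window.

Added example for this control; not part of the original page or AWS tooling.
Operates on dicts shaped like acm.describe_certificate()["Certificate"].
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample output is reproducible (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample records; only the fields the checker reads are present,
# real responses carry many more. ARNs and domains are made up.
SAMPLE_CERTS = [
    {   # ACM-issued, inside the window, managed renewal stuck on validation
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-1111",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=20),
        "RenewalEligibility": "ELIGIBLE",
        "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION"},
    },
    {   # Imported, inside the window: ACM will never renew this one
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/bbbb-2222",
        "DomainName": "api.example.com",
        "Type": "IMPORTED",
        "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=12),
        "RenewalEligibility": "INELIGIBLE",
    },
    {   # Healthy ACM-issued certificate
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cccc-3333",
        "DomainName": "shop.example.com",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=200),
        "RenewalEligibility": "ELIGIBLE",
    },
    {   # Already expired imported certificate
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/dddd-4444",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
        "Status": "EXPIRED",
        "NotAfter": NOW - timedelta(days=3),
        "RenewalEligibility": "INELIGIBLE",
    },
]


def days_to_expiry(cert, now):
    """Whole days until NotAfter; negative once the certificate has expired."""
    return (cert["NotAfter"] - now).days


def classify(cert, now, threshold_days=30):
    """Return (severity, reason) for one DescribeCertificate record."""
    days = days_to_expiry(cert, now)
    if days < 0:
        return ("expired", f"expired {-days} days ago")
    if days > threshold_days:
        return ("ok", f"{days} days left")
    # Imported (and otherwise ineligible) certificates are never renewed by ACM,
    # so anything inside the window needs a human to import a new certificate.
    if cert.get("Type") == "IMPORTED" or cert.get("RenewalEligibility") != "ELIGIBLE":
        return ("action_required", f"{days} days left and ACM will not renew it")
    # ACM-issued and eligible: managed renewal normally starts about 60 days out,
    # so still being inside a 30-day window means renewal has not completed
    # (typically a missing DNS validation CNAME or an unanswered validation email).
    status = cert.get("RenewalSummary", {}).get("RenewalStatus", "NOT_STARTED")
    return ("warning", f"{days} days left, renewal status {status}; check validation records")


def expiring_certificates(certs, now=None, threshold_days=30):
    """Every certificate that is expired or inside the threshold, soonest first."""
    if now is None:
        now = datetime.now(timezone.utc)
    findings = []
    for cert in certs:
        severity, reason = classify(cert, now, threshold_days)
        if severity != "ok":
            findings.append({
                "arn": cert["CertificateArn"],
                "domain": cert.get("DomainName"),
                "type": cert.get("Type"),
                "days": days_to_expiry(cert, now),
                "severity": severity,
                "reason": reason,
            })
    return sorted(findings, key=lambda f: f["days"])


def fetch_certificates(region_name=None):
    """Pull every certificate in the account/region with the real API.

    Needs boto3, credentials and acm:ListCertificates + acm:DescribeCertificate.
    boto3 is imported here so the offline sample above runs without it.
    """
    import boto3
    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            certs.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    return certs


if __name__ == "__main__":
    # Replace SAMPLE_CERTS with fetch_certificates() to audit a live account/region.
    for f in expiring_certificates(SAMPLE_CERTS, NOW):
        print(f"{f['severity']:16} {f['days']:>4}d  {f['domain']:20} {f['type']:14} {f['reason']}")
```

Run it once per region, since ACM certificates (and the DaysToExpiry metric) are regional; the `action_required` rows are the ones nobody at AWS will fix for you, which is why imported certificates deserve the tighter alert threshold.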


Backout Plan

Using AWS Console:

  • If a certificate is mistakenly replaced or renewed, re-import the previous certificate and its private key (if still valid and retained) through ACM → Import certificate, then point the consuming service (load balancer listener, CloudFront distribution, API Gateway custom domain) back at it. Keep a copy of the prior certificate and key in a secure store before replacing it, because ACM does not return private keys.



References: