Ensure AWS Certificate Manager (ACM) certificates are renewed 7 days before expiration date

MEDIUM

Description

AWS Certificate Manager can automatically renew most SSL/TLS certificates. For certificates that may not be configured for automatic renewal, renewing them in a timely fashion ensures that TLS communication remains secured. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

Remediation

In AWS Console -

  1. Sign in to AWS console.
  2. Go to the AWS ACM Dashboard.
  3. Select the SSL/TLS certificate that you want to examine and click on the Show/Hide Details button.
  4. In the Details section, check the 'Expires In' value.
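The same check, scripted against the output of `aws acm describe-certificate` so it can run over every certificate in an account rather than one at a time in the console. This is an added example, not part of the original policy page or of any AWS tooling; the ARNs, domains, dates and the fixed "now" timestamp are constructed, and the `NotAfter`, `Type` and `RenewalEligibility` fields are the ones the describe-certificate output carries.

```python
import json
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 7  # the rule's threshold: renew at least 7 days before expiry

# Constructed sample in the shape of `aws acm describe-certificate` output
# (hypothetical ARNs, domains and dates; not real resources).
SAMPLE_DESCRIBE_OUTPUT = json.dumps([
    {"Certificate": {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/aaaa-1",
                     "DomainName": "www.example.com", "Type": "AMAZON_ISSUED",
                     "NotAfter": "2024-07-10T00:00:00+00:00", "RenewalEligibility": "ELIGIBLE"}},
    {"Certificate": {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/bbbb-2",
                     "DomainName": "api.example.com", "Type": "IMPORTED",
                     "NotAfter": "2024-06-05T00:00:00+00:00", "RenewalEligibility": "INELIGIBLE"}},
    {"Certificate": {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cccc-3",
                     "DomainName": "old.example.com", "Type": "AMAZON_ISSUED",
                     "NotAfter": "2024-05-30T00:00:00+00:00", "RenewalEligibility": "ELIGIBLE"}},
])


def evaluate(cert: dict, now: datetime, window_days: int = RENEWAL_WINDOW_DAYS) -> dict:
    """Classify one certificate: expiring within window_days (or already expired) is a finding.
    ACM's managed renewal only covers eligible (Amazon-issued) certificates, so an imported
    certificate inside the window must be re-imported or replaced by hand."""
    not_after = datetime.fromisoformat(cert["NotAfter"])
    days_left = (not_after - now).days  # negative once the certificate has expired
    if days_left < 0:
        status = "EXPIRED"
    elif days_left <= window_days:
        status = "EXPIRING"
    else:
        status = "OK"
    auto_renew = cert.get("RenewalEligibility") == "ELIGIBLE"
    action = None
    if status != "OK":
        action = "verify managed renewal completed" if auto_renew else "re-import or replace manually"
    return {"arn": cert["CertificateArn"], "domain": cert["DomainName"],
            "days_left": days_left, "status": status, "action": action}


def findings(describe_json: str, now: datetime, window_days: int = RENEWAL_WINDOW_DAYS) -> list:
    """Return only the certificates that violate the rule, in input order."""
    results = [evaluate(entry["Certificate"], now, window_days) for entry in json.loads(describe_json)]
    return [r for r in results if r["status"] != "OK"]


def run_sample(now_iso: str = "2024-06-01T00:00:00+00:00") -> list:
    """Evaluate the constructed sample at a fixed, constructed point in time."""
    return findings(SAMPLE_DESCRIBE_OUTPUT, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['status']:8} {f['days_left']:>4}d  {f['domain']:20} {f['action']}")
```

Feed it real output by replacing `SAMPLE_DESCRIBE_OUTPUT` with the JSON from `aws acm describe-certificate` for each ARN returned by `aws acm list-certificates`, and use `datetime.now(timezone.utc)` as `now`.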

In Terraform -

  1. In the aws_acmpca_certificate_authority resource, set the revocation_configuration.crl_configuration attribute 'expiration_in_days' to 7.

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority#expiration_in_days

Policy Details

Rule Reference ID: AC_AWS_0003
CSP: AWS
Remediation Available: Yes
Resource Category: Management

Frameworks