ACM Certificate Expired

More Info:

Ensure that all the expired Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates managed by AWS Certificate Manager are removed in order to adhere to Amazon Security Best Practices. Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other Amazon services such as Elastic Load Balancing and CloudFront.

Risk Level

High

Address

Security

Compliance Standards

NIST

Triage and Remediation

Cause
Remediation

Check Cause

Using Console

Log in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/.
In the navigation pane, choose ‘APIs’.
In the APIs pane, choose the API you want to check.
In the API details pane, choose ‘Custom Domain Names’. This will display a list of custom domain names associated with the API.
For each custom domain name, check the ‘ACM Certificate’ column. If the certificate is expired, the status will be ‘Expired’.

Using CLI

Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands:
```
pip install awscli
aws configure
```
You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
List all API Gateways: Use the following command to list all the API Gateways in your AWS account:
```
aws apigateway get-rest-apis
```
This command will return a list of all the REST APIs in your account.
Get the details of each API: For each API in the list, use the following command to get its details:
```
aws apigateway get-rest-api --rest-api-id {rest-api-id}
```
Replace {rest-api-id} with the ID of the API you want to check. This command will return the details of the specified API, including its name, ID, and description.
Check the ACM Certificate: In the details of each API, look for the clientCertificateId field. This field contains the ID of the ACM Certificate associated with the API. Use the following command to get the details of the certificate:
```
aws acm describe-certificate --certificate-arn {certificate-arn}
```
Replace {certificate-arn} with the ARN of the certificate you want to check. This command will return the details of the certificate, including its status and expiration date. If the status is EXPIRED, then the certificate has expired.

Using Python

Install the necessary Python libraries: To interact with AWS services, you need to install the AWS SDK for Python (Boto3). You can install it using pip:
```
pip install boto3
```
Configure AWS Credentials: Before you can begin using Boto3, you need to set up authentication credentials for your AWS account using either the AWS CLI or by creating a credentials file manually. The credentials should have permissions to access the ACM and API Gateway services.

Create a Python script to list all the API Gateways and their associated ACM certificates:

import boto3

def get_api_gateways():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    return response['items']

def get_certificate_arn(api):
    client = boto3.client('apigateway')
    response = client.get_domain_names()
    for domain in response['items']:
        if domain['domainName'] == api['name']:
            return domain['certificateArn']
    return None

apis = get_api_gateways()
for api in apis:
    certificate_arn = get_certificate_arn(api)
    if certificate_arn:
        print(f"API: {api['name']}, Certificate ARN: {certificate_arn}")

Create a Python script to check the expiration date of the ACM certificates:

import boto3
from datetime import datetime

def get_certificate_expiration_date(certificate_arn):
    client = boto3.client('acm')
    response = client.describe_certificate(
        CertificateArn=certificate_arn
    )
    return response['Certificate']['NotAfter']

certificate_arns = [...]  # List of certificate ARNs obtained from the previous script
for arn in certificate_arns:
    expiration_date = get_certificate_expiration_date(arn)
    if expiration_date < datetime.now():
        print(f"Certificate with ARN {arn} has expired.")

This script will print out the ARN of all the ACM certificates associated with API Gateways that have expired.

Remediation

Using Console

To remediate an ACM certificate that has expired in AWS using the AWS console, follow these steps:

Go to the AWS Management Console and navigate to the Amazon Certificate Manager (ACM) service.
In the ACM dashboard, select the expired certificate that you want to remediate.
Click on the “Actions” button and then select “Renew Certificate”.
Follow the prompts to create a new certificate. You can either request a new certificate or import an existing one.
Once the new certificate is issued, update your application or website to use the new certificate.
Verify that the new certificate is installed correctly and that your application or website is functioning properly.
Finally, delete the expired certificate from the ACM dashboard to avoid confusion.

By following these steps, you can easily remediate an expired ACM certificate in AWS.

Using CLI

To remediate an expired ACM certificate in AWS using AWS CLI, follow these steps:

Identify the expired ACM certificate by running the following command:

aws acm list-certificates --certificate-statuses EXPIRED

Note down the ARN of the expired certificate.
Request a new ACM certificate by running the following command:

aws acm request-certificate --domain-name example.com --validation-method DNS

Note: Replace “example.com” with your domain name.

Update the DNS record for the domain to complete the validation process. This step may vary depending on your DNS provider.
Once the new ACM certificate is issued and validated, update the SSL/TLS certificate for your AWS resources, such as Elastic Load Balancers or CloudFront distributions, to use the new certificate.
Finally, delete the expired ACM certificate by running the following command:

aws acm delete-certificate --certificate-arn arn:aws:acm:region:account:certificate/certificate-id

Note: Replace “region”, “account”, and “certificate-id” with the appropriate values for your expired certificate ARN.

Using Python

To remediate the ACM certificate expired misconfiguration in AWS using Python, you can follow the below steps:

Import the necessary Python libraries:

import boto3
import datetime

Create a boto3 client for ACM:

acm_client = boto3.client('acm')

Get a list of all the certificates in your account:

certificates = acm_client.list_certificates()['CertificateSummaryList']

Loop through the certificates and check if any of them have expired:

for cert in certificates:
    cert_arn = cert['CertificateArn']
    cert_details = acm_client.describe_certificate(CertificateArn=cert_arn)
    cert_expiration = cert_details['Certificate']['NotAfter']
    if cert_expiration < datetime.datetime.now(datetime.timezone.utc):
        # Certificate has expired, take remediation action

To remediate the expired certificate, you can either renew the certificate or delete it and create a new one. To renew the certificate, you can use the renew_certificate method:

acm_client.renew_certificate(CertificateArn=cert_arn)

Alternatively, to delete the expired certificate and create a new one, you can use the delete_certificate and request_certificate methods:

acm_client.delete_certificate(CertificateArn=cert_arn)
new_cert = acm_client.request_certificate(
    DomainName='example.com',
    ValidationMethod='DNS',
    SubjectAlternativeNames=[
        'www.example.com',
        'api.example.com',
    ]
)

Note: Replace example.com with your own domain name and add any additional subject alternative names as needed.

Once you have taken the appropriate remediation action, you can log the action and move on to the next certificate in the loop.

print(f'Remediated expired certificate {cert_arn}')

Additional Reading:

https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Remediation

​

​Additional Reading: