AWS ACM Certificates Renewal Under 30 Days

More Info:

Ensure that your SSL/TLS certificates managed by AWS ACM are renewed 30 days before their validity period ends. Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other AWS resources such as Elastic Load Balancers, CloudFront distributions or APIs on Amazon API Gateway.

Risk Level

Medium

Address

Security

Compliance Standards

NIST

Triage and Remediation

Cause
Remediation

Check Cause

Using Console

Log in to the AWS Management Console and navigate to the API Gateway service.
In the API Gateway dashboard, select the APIs that you want to examine.
In the API details page, select the “Stages” option from the left navigation panel.
In the Stages section, check the “Client Certificate for Endpoint Verification” field. If the certificate is set to expire in less than 30 days, it indicates a misconfiguration.

Using CLI

First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the ACM and API Gateway services.
Once the AWS CLI is set up, you can list all the ACM Certificates using the following command:

aws acm list-certificates --region your-region

This command will return a list of Certificate ARNs.

Now, for each Certificate ARN, you can describe the certificate to get its details including the expiration date. Use the following command:

aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region

This command will return the certificate details in JSON format. Look for the ‘NotAfter’ field in the ‘Certificate’ object. This field contains the expiration date of the certificate.

Now, you can write a script to compare the current date with the ‘NotAfter’ date. If the difference is less than 30 days, then the certificate is due for renewal in less than 30 days. Here is a simple Python script to do this:

import datetime
import json
import subprocess

# Get the current date
current_date = datetime.datetime.now()

# List all the ACM Certificates
command = 'aws acm list-certificates --region your-region'
process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)
output, error = process.communicate()

# Parse the output to get the Certificate ARNs
certificates = json.loads(output)['CertificateSummaryList']
for certificate in certificates:
    certificate_arn = certificate['CertificateArn']

    # Describe the certificate to get its details
    command = 'aws acm describe-certificate --certificate-arn ' + certificate_arn + ' --region your-region'
    process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)
    output, error = process.communicate()

    # Parse the output to get the 'NotAfter' date
    not_after = json.loads(output)['Certificate']['NotAfter']

    # Compare the current date with the 'NotAfter' date
    if (not_after - current_date).days < 30:
        print('Certificate ' + certificate_arn + ' is due for renewal in less than 30 days.')

This script will print the ARNs of all the ACM Certificates that are due for renewal in less than 30 days.

Using Python

Setup AWS SDK (Boto3) in Python Environment: First, you need to set up AWS SDK (Boto3) in your Python environment. You can install it using pip:
```
pip install boto3
```
Then, configure your AWS credentials either by setting up environment variables or by using AWS CLI.

List all ACM Certificates: Use the list_certificates method from the boto3 client for ACM to get all the certificates. Here is a sample script:

import boto3
import datetime

# Create ACM client
acm = boto3.client('acm')

# List all certificates
response = acm.list_certificates()

for certificate in response['CertificateSummaryList']:
    certificate_arn = certificate['CertificateArn']

Get Certificate Details: For each certificate, get the details using the describe_certificate method. This will give you the certificate’s expiry date.
```
certificate_detail = acm.describe_certificate(CertificateArn=certificate_arn)
expiry_date = certificate_detail['Certificate']['NotAfter']
```
Check if Certificate is Expiring in Less Than 30 Days: Compare the expiry date with the current date. If the difference is less than 30 days, then the certificate is due for renewal.
```
current_date = datetime.datetime.now(expiry_date.tzinfo)
days_to_expiry = (expiry_date - current_date).days

if days_to_expiry < 30:
    print(f"Certificate {certificate_arn} is due for renewal in {days_to_expiry} days.")
```
This script will print out the ARN of all certificates that are due for renewal in less than 30 days.

Remediation

Using Console

Sure, here are the step by step instructions to remediate the misconfiguration of AWS ACM Certificates Renewal Under 30 Days:

Login to your AWS console.
Go to the AWS Certificate Manager service.
Select the certificate that needs to be renewed.
Click on the “Renew” button.
In the “Renewal Settings” page, select the validity period for the renewed certificate. Ensure that the validity period is greater than 30 days.
Click on the “Next” button.
Review the details of the renewed certificate and confirm that they are correct.
Click on the “Renew” button.

Once the certificate is renewed, you will need to update the certificate on your website or application to ensure that it is using the renewed certificate.By following these steps, you will have successfully remediated the misconfiguration of AWS ACM Certificates Renewal Under 30 Days.

Using CLI

The following are the step-by-step instructions to remediate the AWS ACM Certificates Renewal Under 30 Days misconfiguration using AWS CLI:

Open the AWS CLI on your local machine.
Run the following command to list all the certificates that are expiring in the next 30 days:
```
aws acm list-certificates --query "CertificateSummaryList[?NotAfter<=\`$(date -v+30d +%Y-%m-%dT%H:%M:%SZ)\`]" --output table
```
This command will display a list of all the certificates that are expiring in the next 30 days.
Identify the certificate that needs to be renewed and note down its ARN.
Run the following command to request a new certificate:
```
aws acm request-certificate --domain-name <domain-name> --validation-method DNS --subject-alternative-names <domain-name1> <domain-name2> --idempotency-token <idempotency-token>
```
Replace <domain-name> with the domain name for which you want to request a certificate. If you want to add additional domain names, specify them using the --subject-alternative-names option. The --validation-method option specifies the validation method for the certificate. In this case, we are using DNS validation.
After requesting the certificate, you need to validate it. Run the following command to get the CNAME record that you need to add to your DNS configuration:
```
aws acm describe-certificate --certificate-arn <certificate-arn> --query "Certificate.DomainValidationOptions[0].ResourceRecord" --output text
```
Replace <certificate-arn> with the ARN of the certificate that you requested in step 4.
Add the CNAME record to your DNS configuration.
Run the following command to wait until the certificate is issued:
```
aws acm wait certificate-validated --certificate-arn <certificate-arn>
```
Replace <certificate-arn> with the ARN of the certificate that you requested in step 4.
After the certificate is issued, you can update your application to use the new certificate.

Using Python

To remediate the AWS ACM Certificates Renewal Under 30 Days misconfiguration using Python, you can follow these steps:

Install the AWS SDK for Python (boto3) using pip:

pip install boto3

Create an AWS IAM user with the necessary permissions to access and manage ACM certificates. The user should have the following IAM policies attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ACMPermissions",
            "Effect": "Allow",
            "Action": [
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:RenewCertificate"
            ],
            "Resource": "*"
        }
    ]
}

Configure the AWS credentials in your local environment. You can do this by exporting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables or by using the AWS CLI configure command.

import boto3
import datetime

# Create a client for ACM
acm_client = boto3.client('acm')

# Get a list of all certificates
certificates = acm_client.list_certificates()

# Loop through the certificates and check their expiration dates
for cert in certificates['CertificateSummaryList']:
    cert_arn = cert['CertificateArn']
    cert_info = acm_client.describe_certificate(CertificateArn=cert_arn)
    cert_expiration = cert_info['Certificate']['NotAfter']
    days_until_expiration = (cert_expiration - datetime.datetime.now(datetime.timezone.utc)).days

    # Renew the certificate if it expires in less than 30 days
    if days_until_expiration < 30:
        acm_client.renew_certificate(CertificateArn=cert_arn)

This Python code will check for all ACM certificates in your AWS account and renew any certificates that expire in less than 30 days. You can run this code on a regular basis (e.g., using a cron job) to ensure that your certificates are always up to date.

Additional Reading:

https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

Documentation Index

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Check Cause

​Remediation

​

​Additional Reading: