> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS ACM Certificates Renewal Under 30 Days

### More Info:

Ensure that your SSL/TLS certificates managed by AWS ACM are renewed 30 days before their validity period ends. Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other AWS resources such as Elastic Load Balancers, CloudFront distributions or APIs on Amazon API Gateway.

### Risk Level

Medium

### Address

Security

### Compliance Standards

NIST

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Log in to the AWS Management Console and navigate to the API Gateway service.
        2. In the API Gateway dashboard, select the APIs that you want to examine.
        3. In the API details page, select the "Stages" option from the left navigation panel.
        4. In the Stages section, check the "Client Certificate for Endpoint Verification" field. If the certificate is set to expire in less than 30 days, it indicates a misconfiguration.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the ACM and API Gateway services.

        2. Once the AWS CLI is set up, you can list all the ACM Certificates using the following command:

        ```
        aws acm list-certificates --region your-region
        ```

        This command will return a list of Certificate ARNs.

        3. Now, for each Certificate ARN, you can describe the certificate to get its details including the expiration date. Use the following command:

        ```
        aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region
        ```

        This command will return the certificate details in JSON format. Look for the 'NotAfter' field in the 'Certificate' object. This field contains the expiration date of the certificate.

        4. Now, you can write a script to compare the current date with the 'NotAfter' date. If the difference is less than 30 days, then the certificate is due for renewal in less than 30 days. Here is a simple Python script to do this:

        ```python theme={null}
        import datetime
        import json
        import subprocess

        # Get the current date
        current_date = datetime.datetime.now()

        # List all the ACM Certificates
        command = 'aws acm list-certificates --region your-region'
        process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)
        output, error = process.communicate()

        # Parse the output to get the Certificate ARNs
        certificates = json.loads(output)['CertificateSummaryList']
        for certificate in certificates:
            certificate_arn = certificate['CertificateArn']

            # Describe the certificate to get its details
            command = 'aws acm describe-certificate --certificate-arn ' + certificate_arn + ' --region your-region'
            process = subprocess.Popen(command.split(), stdout=subprocess.PIPE)
            output, error = process.communicate()

            # Parse the output to get the 'NotAfter' date
            not_after = json.loads(output)['Certificate']['NotAfter']

            # Compare the current date with the 'NotAfter' date
            if (not_after - current_date).days < 30:
                print('Certificate ' + certificate_arn + ' is due for renewal in less than 30 days.')
        ```

        This script will print the ARNs of all the ACM Certificates that are due for renewal in less than 30 days.
      </Accordion>

      <Accordion title="Using Python">
        1. **Setup AWS SDK (Boto3) in Python Environment:**
           First, you need to set up AWS SDK (Boto3) in your Python environment. You can install it using pip:
           ```
           pip install boto3
           ```
           Then, configure your AWS credentials either by setting up environment variables or by using AWS CLI.

        2. **List all ACM Certificates:**
           Use the `list_certificates` method from the `boto3` client for ACM to get all the certificates. Here is a sample script:
           ```python theme={null}
           import boto3
           import datetime

           # Create ACM client
           acm = boto3.client('acm')

           # List all certificates
           response = acm.list_certificates()

           for certificate in response['CertificateSummaryList']:
               certificate_arn = certificate['CertificateArn']
           ```

        3. **Get Certificate Details:**
           For each certificate, get the details using the `describe_certificate` method. This will give you the certificate's expiry date.
           ```python theme={null}
           certificate_detail = acm.describe_certificate(CertificateArn=certificate_arn)
           expiry_date = certificate_detail['Certificate']['NotAfter']
           ```

        4. **Check if Certificate is Expiring in Less Than 30 Days:**
           Compare the expiry date with the current date. If the difference is less than 30 days, then the certificate is due for renewal.
           ```python theme={null}
           current_date = datetime.datetime.now(expiry_date.tzinfo)
           days_to_expiry = (expiry_date - current_date).days

           if days_to_expiry < 30:
               print(f"Certificate {certificate_arn} is due for renewal in {days_to_expiry} days.")
           ```
           This script will print out the ARN of all certificates that are due for renewal in less than 30 days.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step by step instructions to remediate the misconfiguration of AWS ACM Certificates Renewal Under 30 Days:

        1. Login to your AWS console.
        2. Go to the AWS Certificate Manager service.
        3. Select the certificate that needs to be renewed.
        4. Click on the "Renew" button.
        5. In the "Renewal Settings" page, select the validity period for the renewed certificate. Ensure that the validity period is greater than 30 days.
        6. Click on the "Next" button.
        7. Review the details of the renewed certificate and confirm that they are correct.
        8. Click on the "Renew" button.

        Once the certificate is renewed, you will need to update the certificate on your website or application to ensure that it is using the renewed certificate.

        By following these steps, you will have successfully remediated the misconfiguration of AWS ACM Certificates Renewal Under 30 Days.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The following are the step-by-step instructions to remediate the AWS ACM Certificates Renewal Under 30 Days misconfiguration using AWS CLI:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to list all the certificates that are expiring in the next 30 days:

           ```
           aws acm list-certificates --query "CertificateSummaryList[?NotAfter<=\`$(date -v+30d +%Y-%m-%dT%H:%M:%SZ)\`]" --output table
           ```

           This command will display a list of all the certificates that are expiring in the next 30 days.

        3. Identify the certificate that needs to be renewed and note down its ARN.

        4. Run the following command to request a new certificate:

           ```
           aws acm request-certificate --domain-name <domain-name> --validation-method DNS --subject-alternative-names <domain-name1> <domain-name2> --idempotency-token <idempotency-token>
           ```

           Replace `<domain-name>` with the domain name for which you want to request a certificate. If you want to add additional domain names, specify them using the `--subject-alternative-names` option. The `--validation-method` option specifies the validation method for the certificate. In this case, we are using DNS validation.

        5. After requesting the certificate, you need to validate it. Run the following command to get the CNAME record that you need to add to your DNS configuration:

           ```
           aws acm describe-certificate --certificate-arn <certificate-arn> --query "Certificate.DomainValidationOptions[0].ResourceRecord" --output text
           ```

           Replace `<certificate-arn>` with the ARN of the certificate that you requested in step 4.

        6. Add the CNAME record to your DNS configuration.

        7. Run the following command to wait until the certificate is issued:

           ```
           aws acm wait certificate-validated --certificate-arn <certificate-arn>
           ```

           Replace `<certificate-arn>` with the ARN of the certificate that you requested in step 4.

        8. After the certificate is issued, you can update your application to use the new certificate.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the AWS ACM Certificates Renewal Under 30 Days misconfiguration using Python, you can follow these steps:

        1. Install the AWS SDK for Python (boto3) using pip:

        ```python theme={null}
        pip install boto3
        ```

        2. Create an AWS IAM user with the necessary permissions to access and manage ACM certificates. The user should have the following IAM policies attached:

        ```json theme={null}
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "ACMPermissions",
                    "Effect": "Allow",
                    "Action": [
                        "acm:ListCertificates",
                        "acm:DescribeCertificate",
                        "acm:RenewCertificate"
                    ],
                    "Resource": "*"
                }
            ]
        }
        ```

        3. Configure the AWS credentials in your local environment. You can do this by exporting the AWS\_ACCESS\_KEY\_ID and AWS\_SECRET\_ACCESS\_KEY environment variables or by using the AWS CLI configure command.

        ```python theme={null}
        import boto3
        import datetime

        # Create a client for ACM
        acm_client = boto3.client('acm')

        # Get a list of all certificates
        certificates = acm_client.list_certificates()

        # Loop through the certificates and check their expiration dates
        for cert in certificates['CertificateSummaryList']:
            cert_arn = cert['CertificateArn']
            cert_info = acm_client.describe_certificate(CertificateArn=cert_arn)
            cert_expiration = cert_info['Certificate']['NotAfter']
            days_until_expiration = (cert_expiration - datetime.datetime.now(datetime.timezone.utc)).days

            # Renew the certificate if it expires in less than 30 days
            if days_until_expiration < 30:
                acm_client.renew_certificate(CertificateArn=cert_arn)
        ```

        This Python code will check for all ACM certificates in your AWS account and renew any certificates that expire in less than 30 days. You can run this code on a regular basis (e.g., using a cron job) to ensure that your certificates are always up to date.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html](https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html)
