> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS ACM Certificates Renewal Under 7 Days

### More Info:

Ensure that your SSL/TLS certificates managed by AWS ACM are renewed 7 days before their validity period ends. Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other AWS resources such as Elastic Load Balancers, CloudFront distributions or APIs on Amazon API Gateway.

### Risk Level

High

### Address

Security

### Compliance Standards

NIST

### Triage and Remediation

<Tabs>
  <Tab title="Cause">
    ### Check Cause

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        1. Log in to the AWS Management Console and navigate to the API Gateway service.
        2. In the API Gateway dashboard, select the APIs that you want to examine.
        3. In the API details page, select the "Stages" option from the left-hand navigation panel.
        4. In the Stages section, check the "Client Certificate for Endpoint Verification" field. If the certificate is due to expire in less than 7 days, it is a misconfiguration.
      </Accordion>

      <Accordion title="Using CLI">
        1. First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the ACM and API Gateway services.

        2. Once the AWS CLI is set up, you can list all the ACM Certificates using the following command:
           ```
           aws acm list-certificates --region your-region
           ```
           Replace 'your-region' with the region where your ACM Certificates are located. This command will return a list of Certificate ARNs.

        3. For each Certificate ARN, you can describe the certificate to get its details, including the renewal status. Use the following command:
           ```
           aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region
           ```
           Replace 'your-certificate-arn' with the ARN of the certificate you want to check, and 'your-region' with the region where the certificate is located. Look for the 'RenewalSummary' field in the output. If the 'RenewalStatus' is 'PENDING\_VALIDATION', it means the certificate is due for renewal.

        4. To check if the certificate is used in API Gateway, list all the Rest APIs in API Gateway using the following command:
           ```
           aws apigateway get-rest-apis --region your-region
           ```
           For each Rest API, get its details using the following command:
           ```
           aws apigateway get-rest-api --rest-api-id your-rest-api-id --region your-region
           ```
           Replace 'your-rest-api-id' with the ID of the Rest API you want to check, and 'your-region' with the region where the Rest API is located. If the 'endpointConfiguration' field contains the ARN of the certificate, it means the certificate is used in the Rest API.
      </Accordion>

      <Accordion title="Using Python">
        1. Install and configure AWS SDK for Python (Boto3):
           You need to install Boto3 in your local environment. You can install it using pip:
           ```
           pip install boto3
           ```
           After installing Boto3, you need to configure it. You can configure it using AWS CLI:
           ```
           aws configure
           ```
           It will ask for your AWS Access Key ID, Secret Access Key, Default region name, and Default output format. You can get these details from your AWS account.

        2. Use Boto3 to list all the ACM Certificates:
           You can use the `list_certificates` method of ACM client in Boto3 to list all the ACM Certificates. Here is a sample script:
           ```python theme={null}
           import boto3

           # Create ACM client
           acm = boto3.client('acm')

           # List certificates with the pagination interface
           paginator = acm.get_paginator('list_certificates')
           for response in paginator.paginate():
               for certificate in response['CertificateSummaryList']:
                   print(certificate)
           ```
           This script will print all the ACM Certificates in your AWS account.

        3. Check the renewal status of each certificate:
           You can use the `describe_certificate` method of ACM client in Boto3 to get the details of each certificate. Here is a sample script:
           ```python theme={null}
           import boto3
           from datetime import datetime, timedelta

           # Create ACM client
           acm = boto3.client('acm')

           # List certificates with the pagination interface
           paginator = acm.get_paginator('list_certificates')
           for response in paginator.paginate():
               for certificate in response['CertificateSummaryList']:
                   # Describe the specified certificate
                   response = acm.describe_certificate(
                       CertificateArn=certificate['CertificateArn']
                   )
                   # Get the renewal eligibility
                   renewal_eligibility = response['Certificate']['RenewalEligibility']
                   # Get the not_after date
                   not_after = response['Certificate']['NotAfter']
                   # Check if the certificate is eligible for renewal and will expire in less than 7 days
                   if renewal_eligibility == 'ELIGIBLE' and not_after < datetime.now() + timedelta(days=7):
                       print(f"Certificate {certificate['CertificateArn']} is eligible for renewal and will expire in less than 7 days.")
           ```
           This script will print all the ACM Certificates in your AWS account that are eligible for renewal and will expire in less than 7 days.

        4. Handle the exceptions:
           You should handle the exceptions in your script to make it robust. For example, you can handle the `NoCredentialsError` exception if the AWS credentials are not configured properly. Here is a sample script:
           ```python theme={null}
           import boto3
           from botocore.exceptions import NoCredentialsError
           from datetime import datetime, timedelta

           try:
               # Create ACM client
               acm = boto3.client('acm')

               # List certificates with the pagination interface
               paginator = acm.get_paginator('list_certificates')
               for response in paginator.paginate():
                   for certificate in response['CertificateSummaryList']:
                       # Describe the specified certificate
                       response = acm.describe_certificate(
                           CertificateArn=certificate['CertificateArn']
                       )
                       # Get the renewal eligibility
                       renewal_eligibility = response['Certificate']['RenewalEligibility']
                       # Get the not_after date
                       not_after = response['Certificate']['NotAfter']
                       # Check if the certificate is eligible for renewal and will expire in less than 7 days
                       if renewal_eligibility == 'ELIGIBLE' and not_after < datetime.now() + timedelta(days=7):
                           print(f"Certificate {certificate['CertificateArn']} is eligible for renewal and will expire in less than 7 days.")
           except NoCredentialsError:
               print("AWS credentials are not configured properly.")
           ```
           This script will print a message if the AWS credentials are not configured properly.
      </Accordion>
    </AccordionGroup>
  </Tab>

  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        The following are the step-by-step instructions to remediate the AWS ACM Certificates Renewal Under 7 Days misconfiguration using the AWS console:

        1. Log in to the AWS Management Console.
        2. Navigate to the AWS Certificate Manager (ACM) console.
        3. Click on the certificate that needs to be renewed.
        4. Click on the "Renew" button.
        5. In the Renew Certificate wizard, choose the validation method that you prefer.
        6. Click on "Review" to review the certificate details.
        7. Verify that the certificate details are correct and click on "Renew Certificate".
        8. Wait for the certificate renewal process to complete.
        9. Once the renewal process is complete, update the certificate in your applications or services that use it.

        Note: It is recommended to set up an automated renewal process for certificates to avoid this misconfiguration in the future.

        #
      </Accordion>

      <Accordion title="Using CLI">
        The following are the step by step instructions on how to remediate the AWS ACM Certificates Renewal Under 7 Days misconfiguration using AWS CLI:

        1. Open your AWS CLI and run the following command to list all the certificates in the us-east-1 region:

        ```
        aws acm list-certificates --region us-east-1
        ```

        2. Identify the certificate that needs to be renewed and make a note of its ARN.

        3. Run the following command to check the expiration date of the certificate:

        ```
        aws acm describe-certificate --certificate-arn <certificate-arn> --region us-east-1
        ```

        Replace `<certificate-arn>` with the ARN of the certificate that needs to be renewed.

        4. If the certificate is expiring in less than 7 days, then it needs to be renewed. Run the following command to request a new certificate:

        ```
        aws acm request-certificate --domain-name <domain-name> --validation-method DNS --region us-east-1
        ```

        Replace `<domain-name>` with the domain name for which the certificate needs to be renewed.

        5. Once the certificate is requested, it needs to be validated. Run the following command to get the CNAME record that needs to be added to the DNS configuration:

        ```
        aws acm describe-certificate --certificate-arn <certificate-arn> --region us-east-1 --query "Certificate.DomainValidationOptions[0].ResourceRecord" --output text
        ```

        6. Add the CNAME record to the DNS configuration of the domain name.

        7. Run the following command to confirm that the certificate is validated:

        ```
        aws acm describe-certificate --certificate-arn <certificate-arn> --region us-east-1 --query "Certificate.DomainValidationOptions[0].ValidationStatus" --output text
        ```

        8. Once the certificate is validated, it can be used. Run the following command to update the certificate:

        ```
        aws acm add-tags-to-certificate --certificate-arn <certificate-arn> --tags Key=Name,Value=<certificate-name> --region us-east-1
        ```

        Replace `<certificate-arn>` with the ARN of the new certificate and `<certificate-name>` with a name for the new certificate.

        9. Finally, update the certificate in the application or service that is using it with the new certificate ARN.

        These steps should remediate the AWS ACM Certificates Renewal Under 7 Days misconfiguration.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the AWS ACM Certificates Renewal Under 7 Days misconfiguration using Python, you can follow these steps:

        1. Import the required libraries: boto3, datetime

        ```
        import boto3
        import datetime
        ```

        2. Create an AWS ACM client object:

        ```
        acm_client = boto3.client('acm')
        ```

        3. Get a list of all the ACM certificates:

        ```
        certificates = acm_client.list_certificates()
        ```

        4. Loop through each certificate and check if it is expiring in less than 7 days:

        ```
        for certificate in certificates['CertificateSummaryList']:
            certificate_details = acm_client.describe_certificate(CertificateArn=certificate['CertificateArn'])
            expiry_date = certificate_details['Certificate']['NotAfter']
            days_left = (expiry_date - datetime.datetime.now()).days
            if days_left < 7:
                # Renew the certificate
                acm_client.renew_certificate(CertificateArn=certificate['CertificateArn'])
        ```

        5. If a certificate is expiring in less than 7 days, renew it using the `renew_certificate` method of the ACM client object.

        6. Save the Python file and run it periodically to check for expiring certificates and renew them automatically.

        Note: Make sure to set up AWS credentials in the environment where you are running the Python script.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html](https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html)
