How can I be notified when my ACM imported certificates are near expiration?


I imported an AWS Certificate Manager (ACM) certificate, and I want a reminder to reimport the certificate before it expires.

Short description

ACM doesn't provide managed renewal for imported certificates. To renew an imported certificate, first request a new certificate from your certificate issuer. Then, manually reimport the certificate into ACM.

To get a notification that your certificate is about to expire, use one of the following methods:

  • Configure the ACM Certificate Approaching Expiration event in Amazon EventBridge, and use the ACM API to set how many days before expiration it is sent.
  • Create a custom EventBridge rule to receive email notifications when certificates are nearing the expiration date.
  • Use AWS Config to check for certificates that are nearing the expiration date.

If you use AWS Config for this resolution, then be aware of the following:

  • Before you set up the AWS Config rule, create the Amazon Simple Notification Service (Amazon SNS) topic and EventBridge rule. This makes sure that all non-compliant certificates invoke a notification before the expiration date.
  • Activating AWS Config incurs an additional cost based on usage. For more information, see AWS Config pricing.

Resolution

Configure the "ACM Certificate Approaching Expiration" event in EventBridge

ACM sends notifications for certificates that are near their expiration date through Amazon CloudWatch. By default, the ACM Certificate Approaching Expiration event is sent 45 days before a certificate expires. To configure the timing of this notification, first add this event as a rule in EventBridge:

1.    Open the Amazon EventBridge console.

2.    In the navigation pane, choose Rules, and then choose Create rule.

3.    Enter a Name for your rule. The Description field is optional.

Note: You must uniquely name rules that are in the same AWS Region and on the same event bus.

4.    For Event bus, choose the event bus to associate with this rule. To match this rule with events that come from your account, select AWS default event bus. In this case, when an AWS service in your account emits an event, it always goes to your account’s default event bus.

5.    For Rule type, choose Rule with an event pattern, and then choose Next.

6.    For Event source, choose AWS events or EventBridge partner events.

7.    For Creation method, select Use pattern form.

8.    In the Event pattern section, complete the following fields as noted:

For Event source, choose AWS Services.

For AWS service, choose Certificate Manager.

For Event type, choose ACM Certificate Approaching Expiration.

9.    Choose Next.

10.    For Target types, choose AWS Service.

11.    For Select a target, select SNS topic, and then select the topic that you want to configure expiration notifications for.

12.    Choose Next.

(Optional) Add tags.

13.    Choose Next.

14.    Review the rule's details, and then choose Create rule.

After you create this rule, you can change the timing of the expiration notification. Enter a value of 1-45 for DaysBeforeExpiry in the PutAccountConfiguration action of the ACM API. For more information, see ACM Certificate Approaching Expiration event.

If you want to be notified more than 45 days before a certificate's expiration, then use one of the following alternative methods.

Create a custom EventBridge rule

Use a custom event pattern with an EventBridge rule to match compliance-change events from the AWS Config managed rule acm-certificate-expiration-check. Then, route the matched event to an Amazon SNS topic.

1.    If you didn't create an Amazon SNS topic, then follow the instructions for Getting started with Amazon SNS.

Note: The Amazon SNS topic must be in the same AWS Region as your AWS Config service.

2.    Open the EventBridge console, and then choose Rules.

3.    Choose Create rule.

4.    For Name, enter a name for your rule.

5.    In Rule type, choose Rule with an event pattern, and then choose Next.

6.    In Event source, choose AWS events or EventBridge partner events.

7.    In the Event pattern, choose Custom patterns (JSON editor).

8.    In the Event pattern preview pane, copy and paste the following event pattern:

{
  "source": [
    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      "acm-certificate-expiration-check"
    ],
    "resourceType": [
      "AWS::ACM::Certificate"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}

9.    Choose Next.

10.    For Select a target, choose SNS topic.

11.    For Topic, choose your SNS topic.

12.    In the Configure target input dropdown list, choose Input transformer.

13.    Choose Configure input transformer.

14.    In the Input path text box, copy and paste the following path:

{
  "awsRegion": "$.detail.awsRegion",
  "resourceId": "$.detail.resourceId",
  "awsAccountId": "$.detail.awsAccountId",
  "compliance": "$.detail.newEvaluationResult.complianceType",
  "rule": "$.detail.configRuleName",
  "time": "$.detail.newEvaluationResult.resultRecordedTime",
  "resourceType": "$.detail.resourceType"
}

15.    In the Input Template text box, copy and paste the following template:

"On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance>."

"For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration."

16.    Choose Confirm, Next, Next, Create rule.

17.    When the rule matches a compliance-change event, you receive an SNS email notification with the custom fields from step 14 populated, similar to the following:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_Id in Region ExampleRegion as ExamplecomplianceType. 

For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"

Create an AWS Config rule

1.    Open the AWS Config console, choose Rules, and then choose Add rule.

2.    In Select rule type, choose Add AWS managed rule.

3.    In AWS Managed Rules, choose acm-certificate-expiration-check, and then choose Next.

4.    In Parameters, for the daysToExpiration key, in Value, enter the number of days that you want the rule to trigger before expiration.

Note: A certificate that is within the number of days that you enter of its expiration date is evaluated as Noncompliant by the AWS Config rule acm-certificate-expiration-check.

5.    Choose Next, and then choose Add rule.


Related information

Issuing and managing certificates

How can I be notified when an AWS resource is non-compliant using AWS Config?

Security best practices for AWS Config

AWS OFFICIAL, updated a year ago