This rule flags ACM certificates whose expiration date is 30 days or less away, so that they are renewed or replaced before they expire and break TLS for every resource that uses them.
Rule | ACM certificates should be set to expire within 30 days |
Framework | CISA-cyber-essentials |
Severity | Medium |
Rule Description: ACM Certificates Expiry Rule for CISA Cyber Essentials
Rule Summary:
Every AWS Certificate Manager (ACM) certificate in the CISA Cyber Essentials environment should have an expiration date (NotAfter) more than 30 days away. A certificate inside that window is either about to be renewed by ACM managed renewal, in which case the finding clears on its own, or is not renewing (domain validation broken, certificate not associated with any AWS resource, or certificate imported from an outside CA), in which case someone has to act before the expiry date. An expired certificate causes TLS failures on every load balancer, CloudFront distribution or API Gateway custom domain that references it.
Troubleshooting Steps:
If an ACM certificate is reported as expiring within 30 days, work through these steps:
Verify the expiry date: In the AWS Management Console open ACM, select the certificate and read its expiry date, or run aws acm describe-certificate on its ARN and read Certificate.NotAfter. The CLI output also shows Type, RenewalEligibility and InUseBy, which the next steps need.
Check managed renewal: ACM-issued public certificates are renewed automatically (managed renewal) when they are associated with an AWS resource and ACM can still validate the domains: for DNS validation the CNAME records must still be present, for email validation the approval email must be answered. There is no auto-renew switch to turn on. describe-certificate reports RenewalEligibility (ELIGIBLE or INELIGIBLE) and, once a renewal has been attempted, RenewalSummary.RenewalStatus (PENDING_AUTO_RENEWAL, PENDING_VALIDATION, SUCCESS or FAILED).
Review the renewal timeline: ACM begins renewal attempts up to 60 days before expiry, so a certificate that is still within 30 days of expiry with RenewalStatus PENDING_VALIDATION or FAILED has a problem ACM cannot fix on its own (missing CNAME record, unanswered validation email, or the certificate is no longer in use). Imported certificates (Type IMPORTED) are never renewed by ACM; they always need a manual renewal.
Verify the manual workflow: For imported certificates and for any ACM-issued certificate that cannot be renewed, confirm that the renewal runbook is executed well before expiry: obtain or request a new certificate, import or validate it, and update every load balancer, CloudFront distribution, API Gateway custom domain or other consumer that references the old certificate.
Remediation Guide:
Follow these steps to remediate an ACM certificate that expires within 30 days:
Identify the certificate: Note the ARN, Type (AMAZON_ISSUED, IMPORTED or PRIVATE), RenewalEligibility and the InUseBy list from describe-certificate; they decide which of the following steps applies.
Repair managed renewal (ACM-issued certificates): Restore whatever blocks validation: re-create the DNS CNAME records listed under DomainValidationOptions, or answer the validation email, and make sure the certificate is associated with at least one AWS resource. ACM retries the renewal on its own afterwards. If expiry is too close to wait for a retry, request a new certificate for the same domains, validate it, and swap it in on each consumer.
Re-import the certificate (imported certificates): Obtain the renewed certificate from the issuing CA and import it with aws acm import-certificate, passing the existing ARN as --certificate-arn so the new certificate replaces the old one in place and every resource bound to that ARN picks it up without reconfiguration.
Manually renew the certificate (if applicable): If the certificate is renewed manually, follow these steps to ensure it is renewed within the required period:
Request a new certificate using the AWS Management Console, the ACM API (aws acm request-certificate) or, for imported certificates, the issuing CA.
Validate the new certificate (DNS CNAME or email) and wait for its status to become ISSUED.
Update every system that uses the certificate: load balancers, CloudFront distributions, API Gateway custom domains, web servers or other associated services.
Verify compliance: After the renewal or re-import, read NotAfter again and confirm it is more than 30 days away, as the CISA Cyber Essentials requirement expects.
Recommended CLI Command:
The checks can be done in the AWS Management Console, but the AWS CLI gives the same information in a scriptable form. List every certificate, then inspect the fields that matter for this rule:
aws acm list-certificates --query 'CertificateSummaryList[].CertificateArn' --output text --profile <profile-name>
aws acm describe-certificate --certificate-arn <certificate-arn> --query 'Certificate.{NotAfter:NotAfter,Type:Type,RenewalEligibility:RenewalEligibility,RenewalStatus:RenewalSummary.RenewalStatus,InUseBy:InUseBy}' --profile <profile-name>
To replace an imported certificate that is about to expire, import the renewed certificate over the same ARN:
aws acm import-certificate --certificate-arn <certificate-arn> --certificate fileb://cert.pem --private-key fileb://key.pem --certificate-chain fileb://chain.pem --profile <profile-name>
Replace <certificate-arn> with the ARN (Amazon Resource Name) of the certificate, <profile-name> with the AWS CLI profile to use, and cert.pem, key.pem and chain.pem with the renewed certificate, its private key and the CA chain. There is no CLI flag that enables auto-renewal: ACM-issued certificates are renewed automatically when they are eligible, and imported certificates only by re-importing them. Refer to the AWS CLI documentation for the current parameters of these commands.
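The triage described in the troubleshooting and remediation steps can be automated. The following Python script is an added example, not part of the original rule page or of any AWS tooling: it evaluates the Certificate object that aws acm describe-certificate (or boto3 describe_certificate) returns, flags certificates within 30 days of expiry, and picks the remediation path from the certificate type and renewal fields. The sample certificates, ARNs and the fixed clock are constructed for the example; the live_certificates helper assumes boto3 is installed and credentials are configured.

```python
"""Flag ACM certificates that expire within 30 days and pick a remediation path.

Added example for this rule page (not part of the page or of any AWS tool). It
evaluates the `Certificate` object returned by `aws acm describe-certificate`
or boto3 `describe_certificate`. The sample data and clock below are constructed.
"""
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW_DAYS = 30  # threshold used by the rule on this page


def _as_utc(value):
    """Accept boto3 datetimes or the ISO-8601 strings printed by the AWS CLI."""
    dt = value if isinstance(value, datetime) else datetime.fromisoformat(
        str(value).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def evaluate_certificate(cert, now, window_days=EXPIRY_WINDOW_DAYS):
    """Return {'status': 'ok'|'alarm'|'skip', 'days_left': int|None, 'action': str}."""
    if cert.get("NotAfter") is None:  # never issued: PENDING_VALIDATION, FAILED, ...
        return {"status": "skip", "days_left": None,
                "action": "no NotAfter; certificate status is %s" % cert.get("Status")}
    days_left = (_as_utc(cert["NotAfter"]) - now).days
    if days_left > window_days:
        return {"status": "ok", "days_left": days_left, "action": "none"}

    ctype = cert.get("Type")
    if ctype == "IMPORTED":
        # ACM never renews imported certificates: get a new one from the issuing CA
        # and re-import it over the same ARN so bound resources keep working.
        action = ("obtain renewed certificate from the CA, then run "
                  "aws acm import-certificate --certificate-arn <arn> with the new PEM files")
    elif ctype == "AMAZON_ISSUED":
        if cert.get("RenewalEligibility") != "ELIGIBLE" or not cert.get("InUseBy"):
            # Managed renewal only runs for certificates associated with a resource.
            action = ("not eligible for managed renewal: associate it with a resource "
                      "or request a replacement and swap it in")
        else:
            summary = cert.get("RenewalSummary", {})
            pending = [d["DomainName"] for d in summary.get("DomainValidationOptions", [])
                       if d.get("ValidationStatus") != "SUCCESS"]
            if pending:
                action = ("managed renewal stuck in %s: restore validation (DNS CNAME or "
                          "email) for %s" % (summary.get("RenewalStatus"), ", ".join(pending)))
            else:
                action = "managed renewal status %s: check RenewalStatusReason" % (
                    summary.get("RenewalStatus"))
    elif ctype == "PRIVATE":
        action = ("private CA certificate: check RenewalEligibility, or run "
                  "aws acm renew-certificate for an exported private certificate")
    else:
        action = "unknown certificate type %r" % ctype
    if days_left < 0:
        action = "ALREADY EXPIRED; " + action
    return {"status": "alarm", "days_left": days_left, "action": action}


def scan(certificates, now):
    """Evaluate many certificates; return (arn, result) for those in alarm, soonest first."""
    findings = [(c["CertificateArn"], evaluate_certificate(c, now)) for c in certificates]
    findings = [f for f in findings if f[1]["status"] == "alarm"]
    return sorted(findings, key=lambda f: f[1]["days_left"])


def live_certificates(region=None):
    """Yield every certificate in the account via boto3 (assumes credentials and network)."""
    import boto3  # imported lazily so the offline sample below runs without it
    acm = boto3.client("acm", region_name=region)
    for page in acm.get_paginator("list_certificates").paginate():
        for item in page["CertificateSummaryList"]:
            yield acm.describe_certificate(CertificateArn=item["CertificateArn"])["Certificate"]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the constructed sample
ARN = "arn:aws:acm:us-east-1:123456789012:certificate/"  # constructed, fake account id
SAMPLE_CERTIFICATES = [  # constructed describe-certificate output, trimmed to used fields
    {"CertificateArn": ARN + "aaaa", "DomainName": "www.example.com", "Type": "AMAZON_ISSUED",
     "Status": "ISSUED", "NotAfter": (NOW + timedelta(days=200)).isoformat(),
     "RenewalEligibility": "ELIGIBLE",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/1"]},
    {"CertificateArn": ARN + "bbbb", "DomainName": "api.example.com", "Type": "AMAZON_ISSUED",
     "Status": "ISSUED", "NotAfter": (NOW + timedelta(days=12)).isoformat(),
     "RenewalEligibility": "ELIGIBLE",
     "InUseBy": ["arn:aws:cloudfront::123456789012:distribution/E1"],
     "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION", "DomainValidationOptions": [
         {"DomainName": "api.example.com", "ValidationStatus": "PENDING_VALIDATION"}]}},
    {"CertificateArn": ARN + "cccc", "DomainName": "legacy.example.com", "Type": "IMPORTED",
     "Status": "ISSUED", "NotAfter": (NOW + timedelta(days=5)).isoformat(), "InUseBy": []},
    {"CertificateArn": ARN + "dddd", "DomainName": "new.example.com", "Type": "AMAZON_ISSUED",
     "Status": "PENDING_VALIDATION"},
]

if __name__ == "__main__":
    for arn, result in scan(SAMPLE_CERTIFICATES, NOW):
        print("%4d days  %s\n           %s" % (result["days_left"], arn, result["action"]))
```

Running the script prints the two constructed certificates that are inside the window, the imported one first because it expires soonest. To scan a real account, pass live_certificates() instead of SAMPLE_CERTIFICATES and datetime.now(timezone.utc) instead of NOW; the script only reads certificate metadata, so remediation is still the manual steps above.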