This rule requires ACM certificates to be set to expire within 30 days as a security measure.
| Rule | ACM certificates should be set to expire within 30 days |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Medium |
Rule Description:
The rule requires that ACM (Amazon Certificate Manager) certificates be set to expire within 30 days for FedRAMP Low Revision 4 compliance. This is to ensure that certificate renewals and updates are regularly addressed for improved security and compliance with the FedRAMP Low baseline.
Troubleshooting Steps:
If a certificate is set to expire beyond the permitted 30-day limit, you will need to take the following troubleshooting steps:
Identify the affected certificate: Review the list of ACM certificates in your AWS account and identify the certificate that is set to expire beyond 30 days.
Determine the renewal status: Check if the certificate is already scheduled for renewal or if any renewal attempts have failed.
Verify certificate validity: Confirm that the certificate in question is valid and functioning as intended.
Review certificate usage: Ensure that the certificate is being used in the intended manner and is associated with the relevant resources or services.
Contact AWS support: If the issue persists or requires further assistance, reach out to AWS support for additional guidance and troubleshooting.
Necessary Codes:
There are no specific codes related to this policy. However, the ACM service provides APIs and SDKs that can be utilized for automated certificate management and renewal.
Remediation Steps:
To remediate the expiration time of an ACM certificate and set it to expire within 30 days, follow the steps below:
Access the AWS Management Console: Log in to the AWS Management Console using your AWS account credentials.
Open the ACM service: Navigate to the ACM (Amazon Certificate Manager) service.
Locate the certificate: Find the certificate that needs to be remediated from the list of certificates displayed.
Select the certificate: Click on the checkbox next to the certificate to select it.
Choose "Actions": In the top-right corner, click on the "Actions" button.
Select "Renew": From the dropdown menu, select "Renew Certificate."
Review certificate details: Ensure that the certificate details, including domain names and subject alternative names, are accurate and up to date.
Set the expiration time: When prompted, adjust the certificate's expiration time to be within 30 days. This can typically be done by selecting the appropriate option from a dropdown menu or entering a specific date.
Confirm renewal: Review the changes made and confirm the certificate renewal.
Update resources: If the certificate is associated with any resources or services, ensure that these are updated to use the renewed certificate with the adjusted expiration time.
Verify functionality: Test the renewed certificate to confirm that it is functioning correctly and successfully deployed across the required services.
Monitor certificate expiration: Regularly monitor the expiration dates of ACM certificates to proactively manage renewals and prevent any non-compliant certificates.
By following these steps, you will remediate the expiration time of an ACM certificate to comply with the FedRAMP Low Revision 4 requirement of expiring within 30 days.
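The first two troubleshooting steps (identify the certificate, determine the renewal status) and the final monitoring step can be scripted against the ACM API. The following is an added example, not code from the rule's vendor or from AWS: it places each certificate relative to the 30-day threshold and reports its renewal status. The sample records, placeholder ARNs and the function names `classify`, `report` and `fetch_live` are constructed for illustration; the field names follow the `DescribeCertificate` response.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 30  # threshold stated by the rule on this page

def classify(cert, now):
    """Summarise one record in the DescribeCertificate 'Certificate' shape."""
    not_after = cert.get("NotAfter")
    days_left = (not_after - now).days if not_after else None
    if days_left is None:
        window = "no-expiry-date"  # e.g. a certificate that was never issued
    elif days_left < 0:
        window = "expired"
    else:
        window = "within-30-days" if days_left <= WINDOW_DAYS else "beyond-30-days"
    return {
        "arn": cert["CertificateArn"],
        "domain": cert.get("DomainName"),
        "days_left": days_left,
        "window": window,
        # RenewalSummary is absent when no managed renewal has been attempted.
        "renewal_status": cert.get("RenewalSummary", {}).get("RenewalStatus", "none"),
        "in_use": bool(cert.get("InUseBy")),
    }

def report(certs, now=None):
    """Classify all records, soonest expiry first, undated records last."""
    now = now or datetime.now(timezone.utc)
    return sorted((classify(c, now) for c in certs),
                  key=lambda r: (r["days_left"] is None, r["days_left"] or 0))

def fetch_live(region):
    """Pull real records; needs boto3 and AWS credentials (unused by the sample run)."""
    import boto3
    acm = boto3.client("acm", region_name=region)
    for page in acm.get_paginator("list_certificates").paginate():
        for s in page["CertificateSummaryList"]:
            yield acm.describe_certificate(CertificateArn=s["CertificateArn"])["Certificate"]

# Constructed sample records (placeholder account id, ARNs and domains).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-"
SAMPLE = [
    {"CertificateArn": _ARN + "1", "DomainName": "a.example.com",
     "NotAfter": NOW + timedelta(days=12), "InUseBy": ["placeholder-resource-arn"],
     "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"}},
    {"CertificateArn": _ARN + "2", "DomainName": "b.example.com",
     "NotAfter": NOW + timedelta(days=200), "InUseBy": []},
    {"CertificateArn": _ARN + "3", "DomainName": "c.example.com",
     "NotAfter": NOW - timedelta(days=3), "RenewalSummary": {"RenewalStatus": "FAILED"}},
]

if __name__ == "__main__":
    for row in report(SAMPLE, NOW):
        print(row)
```

To run it against an account, pass `fetch_live("us-east-1")` to `report` in place of `SAMPLE`. By default `ListCertificates` returns only RSA_1024 and RSA_2048 certificates, so other key types need an `Includes` filter to appear in the report.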