
Rule: ACM Certificates Expiry Within 30 Days

This rule states that ACM certificates must be set to expire within 30 days to ensure security compliance.

Rule: ACM certificates should be set to expire within 30 days
Framework: NIST 800-171 Revision 2
Severity: Medium

Rule Description: To comply with the NIST 800-171 Revision 2 standard, it is necessary to ensure that ACM (AWS Certificate Manager) certificates are set to expire within 30 days. This ensures the regular renewal of certificates and helps maintain a secure environment for online services.

Troubleshooting Steps: If the ACM certificates are not set to expire within 30 days, here are some troubleshooting steps to rectify the issue:

  1. Check the current expiration date of the ACM certificates.
  2. Verify whether any renewal actions have been taken before the current expiration date.
  3. Ensure that the necessary configuration and settings are in place to automatically renew the certificates within the desired 30-day timeframe.
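The three troubleshooting steps above (read the expiry date, check renewal activity, confirm renewal is configured) can be scripted as an audit. The following is an added example, not Cloud Defense's own code: it evaluates the dicts that boto3's describe_certificate() returns under the 'Certificate' key (the NotAfter, Type, RenewalEligibility and RenewalSummary fields are real ACM response fields), flags certificates inside the 30-day window, and names the follow-up action. The sample records, ARNs and domain names are constructed, and the boto3 fetch helper is optional so the checks run offline.

```python
"""Added example: audit ACM certificate expiry and renewal posture.

Not Cloud Defense's own code. Works on describe_certificate()['Certificate']
dicts; the sample records below are constructed, and the boto3 helper is
optional so the audit logic itself runs without AWS access.
"""
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW_DAYS = 30  # the rule's 30-day threshold


def days_until_expiry(cert, now=None):
    """Whole days from `now` to the certificate's NotAfter (negative once expired).

    boto3 returns NotAfter as a timezone-aware datetime; a naive value is
    treated as UTC so the subtraction never raises a naive/aware TypeError.
    """
    now = now or datetime.now(timezone.utc)
    not_after = cert["NotAfter"]
    if not_after.tzinfo is None:
        not_after = not_after.replace(tzinfo=timezone.utc)
    return (not_after - now).days


def classify_certificate(cert, now=None, window_days=EXPIRY_WINDOW_DAYS):
    """Troubleshooting steps 1 and 2 for one certificate: expiry status and renewal posture."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "EXPIRED"
    elif days <= window_days:
        status = "EXPIRING_SOON"
    else:
        status = "OK"

    renewal_status = cert.get("RenewalSummary", {}).get("RenewalStatus")
    if status == "OK":
        action = "none"
    elif cert.get("Type") == "IMPORTED":
        # ACM managed renewal never covers imported certificates; a new one must be imported.
        action = "reimport"
    elif renewal_status == "FAILED":
        action = "investigate failed renewal"
    elif cert.get("RenewalEligibility") == "ELIGIBLE":
        action = "confirm managed renewal completes"
    else:
        action = "reissue or replace"

    return {
        "arn": cert["CertificateArn"],
        "domain": cert.get("DomainName"),
        "days_remaining": days,
        "status": status,
        "renewal_status": renewal_status,
        "action": action,
    }


def audit_certificates(certs, now=None, window_days=EXPIRY_WINDOW_DAYS):
    """Classify every certificate; rows needing attention first, soonest expiry first."""
    rows = [classify_certificate(c, now, window_days) for c in certs]
    return sorted(rows, key=lambda r: (r["status"] == "OK", r["days_remaining"]))


def fetch_certificate_details(region_name):
    """Pull live records with boto3 (not needed for the offline sample below)."""
    import boto3  # imported here so the audit logic has no AWS dependency
    acm = boto3.client("acm", region_name=region_name)
    details = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            details.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    return details


# Constructed sample records (hypothetical ARNs and domains, fixed clock for reproducibility).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/aaaa",
     "DomainName": "ok.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "NotAfter": SAMPLE_NOW + timedelta(days=90)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/bbbb",
     "DomainName": "soon.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE",
     "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"},
     "NotAfter": SAMPLE_NOW + timedelta(days=10)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cccc",
     "DomainName": "imported.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE",
     "NotAfter": datetime(2024, 6, 21)},  # naive datetime, treated as UTC
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/dddd",
     "DomainName": "expired.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE",
     "RenewalSummary": {"RenewalStatus": "FAILED"},
     "NotAfter": SAMPLE_NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for row in audit_certificates(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{row['status']:<14}{row['days_remaining']:>5}d  {row['action']:<34}{row['domain']}")
```

To run it against a live account, pass fetch_certificate_details('us-east-1') (or your region) to audit_certificates() instead of SAMPLE_CERTS; the output distinguishes certificates ACM will renew on its own from imported ones that need a manual re-import and from renewals that have already failed.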

Necessary Code: Depending on your specific requirements and infrastructure, the following code snippet can be used to set the expiration of ACM certificates to within 30 days:

import datetime
import boto3
from botocore.exceptions import ClientError

# Connect to the ACM service (replace 'your_region_name' with your region, e.g. 'us-east-1')
acm_client = boto3.client('acm', region_name='your_region_name')

# List the ACM certificates (paginate so accounts with many certificates are fully covered)
paginator = acm_client.get_paginator('list_certificates')

# Iterate through each certificate
for page in paginator.paginate():
    for cert in page['CertificateSummaryList']:
        # Retrieve the ACM certificate details
        cert_details = acm_client.describe_certificate(CertificateArn=cert['CertificateArn'])

        # Check if the certificate is issued by ACM
        if cert_details['Certificate']['Issuer'].startswith('Amazon'):
            # Retrieve the current expiration date (boto3 returns a timezone-aware datetime)
            expiration_date = cert_details['Certificate']['NotAfter']

            # Calculate the remaining days until expiration; "now" must also be
            # timezone-aware, otherwise the subtraction raises a TypeError
            now = datetime.datetime.now(datetime.timezone.utc)
            remaining_days = (expiration_date - now).days

            # Check if the remaining days are greater than 30
            if remaining_days > 30:
                # Request renewal of the certificate. renew_certificate accepts only the
                # ARN: ACM determines the new validity period, so no NotAfter can be passed.
                try:
                    acm_client.renew_certificate(CertificateArn=cert['CertificateArn'])
                except ClientError as err:
                    # Certificates that are not eligible for ACM managed renewal raise here
                    print(f"Could not renew {cert['CertificateArn']}: {err}")

Step-by-Step Guide for Remediation:

  1. Access your AWS environment and open the AWS Management Console.
  2. Navigate to the ACM service. You can do this by searching for "ACM" in the search bar and selecting "Certificate Manager" from the suggested results.
  3. In the ACM dashboard, click on "Certificates" in the left-hand menu.
  4. Review the list of certificates displayed and identify the ones issued by ACM.
  5. For each ACM certificate:
     a. Click on the certificate's ARN (Amazon Resource Name) to access its details.
     b. Note the current expiration date of the certificate.
     c. Calculate the remaining days until expiration and check whether it is more than 30 days.
     d. If the remaining days are greater than 30:
        i. Determine the desired expiration date to be set (e.g., 30 days from the current date).
        ii. Open a terminal or use a Python IDE that supports the Boto3 library.
        iii. Copy and paste the code snippet given above.
        iv. Replace 'your_region_name' with the appropriate AWS region name (e.g., 'us-east-1').
        v. Execute the code, which will automatically renew the certificate to expire within 30 days.
     e. Repeat steps a to d for each relevant ACM certificate.

By following this step-by-step guide, you can ensure that all ACM certificates in your environment expire within 30 days, aligning with the NIST 800-171 Revision 2 requirements.
