This rule states that ACM certificates must be set to expire within 30 days to ensure security compliance.
| Rule | ACM certificates should be set to expire within 30 days |
| --- | --- |
| Framework | NIST 800-171 Revision 2 |
| Severity | Medium |
Rule Description: To comply with the NIST 800-171 Revision 2 standard, it is necessary to ensure that ACM (AWS Certificate Manager) certificates are set to expire within 30 days. This ensures that certificates are renewed regularly and helps maintain a secure environment for online services.
Troubleshooting Steps: If the ACM certificates are not set to expire within 30 days, here are some troubleshooting steps to rectify the issue:
Necessary Code: Depending on your specific requirements and infrastructure, the following code snippet can be used to set the expiration of ACM certificates to within 30 days:
```python
import datetime

import boto3

# Connect to the ACM service
acm_client = boto3.client('acm', region_name='your_region_name')

# List the ACM certificates (paginated, so accounts with many certificates are fully covered)
paginator = acm_client.get_paginator('list_certificates')
for page in paginator.paginate():
    # Iterate through each certificate
    for cert in page['CertificateSummaryList']:
        # Retrieve the ACM certificate details
        cert_details = acm_client.describe_certificate(CertificateArn=cert['CertificateArn'])
        certificate = cert_details['Certificate']

        # Check if the certificate is issued by ACM
        if not certificate['Issuer'].startswith('Amazon'):
            continue

        # Retrieve the current expiration date; a certificate that is still
        # pending validation has no NotAfter field yet
        expiration_date = certificate.get('NotAfter')
        if expiration_date is None:
            continue

        # NotAfter is timezone-aware, so compare it with an aware UTC "now"
        # (subtracting a naive datetime would raise TypeError)
        remaining_days = (expiration_date - datetime.datetime.now(datetime.timezone.utc)).days

        # Check if the remaining days are greater than 30
        if remaining_days > 30:
            # Issue a renewal for the certificate. renew_certificate takes only the ARN:
            # ACM chooses the new validity period itself, and the call only succeeds for
            # certificates that ACM reports as eligible for renewal
            if certificate.get('RenewalEligibility') == 'ELIGIBLE':
                acm_client.renew_certificate(CertificateArn=cert['CertificateArn'])
```
Step-by-Step Guide for Remediation:
Replace 'your_region_name' with the appropriate AWS region name (e.g., 'us-east-1').
v. Execute the code, which will automatically renew the certificate to expire within 30 days.
e. Repeat steps a-e for each relevant ACM certificate.
By following this step-by-step guide, you can ensure that all ACM certificates in your environment expire within 30 days, aligning with the NIST 800-171 Revision 2 requirements.
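As an added example (not code from the page or from any vendor rule), the following script separates the 30-day expiry check from the AWS calls so it can be run and tested offline. It buckets each certificate by days remaining until `NotAfter`, handles the two edge cases the page's snippet trips over (timezone-aware `NotAfter` values and certificates that have no expiry yet because they are still pending validation), and records whether ACM reports the certificate as eligible for managed renewal, which is what decides whether a renewal call can help or the certificate has to be re-issued or re-imported by hand. The `load_from_acm` helper, the `SAMPLE_CERTS` data and the ARNs in it are constructed for this example; `THRESHOLD_DAYS`, `classify` and `find_expiring` are names chosen here, not ACM API names.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Window from the rule text: certificates expiring within this many days need attention
THRESHOLD_DAYS = 30


def days_until_expiry(cert: dict, now: datetime) -> int | None:
    """Whole days from `now` until the certificate's NotAfter.

    Returns None when ACM has not assigned an expiry yet (for example a
    certificate still in PENDING_VALIDATION carries no NotAfter field).
    """
    not_after = cert.get("NotAfter")
    if not_after is None:
        return None
    # describe_certificate returns timezone-aware datetimes; subtracting a naive
    # `now` would raise TypeError, so normalise it to UTC first.
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return (not_after - now).days


def classify(cert: dict, now: datetime, threshold_days: int = THRESHOLD_DAYS) -> str:
    """Bucket one certificate as NO_EXPIRY, EXPIRED, EXPIRING_SOON or OK."""
    days = days_until_expiry(cert, now)
    if days is None:
        return "NO_EXPIRY"
    if days < 0:
        return "EXPIRED"
    if days <= threshold_days:
        return "EXPIRING_SOON"
    return "OK"


def find_expiring(certs: list[dict], now: datetime, threshold_days: int = THRESHOLD_DAYS) -> list[dict]:
    """Findings for every certificate that is expired or inside the window, most urgent first.

    RenewalEligibility comes straight from describe_certificate and tells the
    operator whether renew_certificate can act on the certificate at all.
    """
    findings = []
    for cert in certs:
        bucket = classify(cert, now, threshold_days)
        if bucket in ("EXPIRED", "EXPIRING_SOON"):
            findings.append({
                "arn": cert["CertificateArn"],
                "status": bucket,
                "days": days_until_expiry(cert, now),
                "type": cert.get("Type", "UNKNOWN"),
                "renewal_eligible": cert.get("RenewalEligibility") == "ELIGIBLE",
            })
    findings.sort(key=lambda f: f["days"])
    return findings


def load_from_acm(region_name: str) -> list[dict]:
    """Fetch the same dict shape from a real account (needs boto3 and credentials).

    Kept apart from the logic above so the check itself stays testable offline.
    """
    import boto3  # imported lazily so the offline path has no AWS dependency

    acm = boto3.client("acm", region_name=region_name)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs


# Constructed sample data in the shape of describe_certificate()["Certificate"];
# the ARNs, account id and dates are made up for this example.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/ok-example",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=200)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/soon-example",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=12)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/imported-example",
     "Type": "IMPORTED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW + timedelta(days=3)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/expired-example",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW - timedelta(days=2)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/pending-example",
     "Type": "AMAZON_ISSUED", "Status": "PENDING_VALIDATION"},
]

if __name__ == "__main__":
    # Against a live account, replace SAMPLE_CERTS with load_from_acm("us-east-1")
    for f in find_expiring(SAMPLE_CERTS, NOW):
        print(f"{f['status']:<14} {f['days']:>4}d  eligible={f['renewal_eligible']}  {f['arn']}")
```

Running the sample reports the expired certificate first, then the imported one three days from expiry (ineligible for managed renewal, so it must be re-imported), then the ACM-issued one at twelve days; the 200-day certificate and the pending one produce no finding. The threshold is inclusive, so a certificate with exactly 30 days left is reported.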