Rule: ACM Certificates Should Expire Within 30 Days
This rule enforces expiration of ACM certificates within 30 days for compliance.
| Rule | ACM certificates should be set to expire within 30 days |
| Framework | NIST Cybersecurity Framework (CSF) v1.1 |
| Severity | ✔ Medium |
Rule/Policy Description:
The rule dictates that ACM (AWS Certificate Manager) certificates should have an expiration period set within 30 days for compliance with the NIST Cybersecurity Framework (CSF) v1. This policy ensures that certificates expire within a short time frame, promoting regular certificate renewal and enhancing security measures.
Troubleshooting Steps (if any):
If certificates fail to comply with this rule, the following troubleshooting steps can be taken:
- 1.
Verify current certificate expiration: Check the expiration date of the ACM certificates associated with your AWS resources.
- 2.
Review certificate creation process: Ensure that the certificate creation process includes setting an appropriate expiration period within 30 days.
- 3.
Check ACM renewal settings: Confirm that the ACM renewal settings are configured correctly. If automatic renewal is enabled, ensure that the renewal interval is not set to a longer duration.
- 4.
Identify certificate usage: Determine where the certificate is being used within your infrastructure. Identifying all the instances where the certificate is deployed will provide insights into potential impacts if renewal is delayed.
- 5.
Communicate with relevant stakeholders: Inform relevant stakeholders about the certificate renewal process, emphasizing the importance of adhering to the 30-day expiration policy.
Necessary Codes (if any):
No specific code is required for this policy as it focuses on the configuration and expiration of ACM certificates within the required timeframe.
Step-by-Step Guide for Remediation:
To comply with the ACM certificate expiration policy within the NIST CSF v1 framework, follow these steps:
- 1.
Log in to the AWS Management Console.
- 2.
Navigate to the AWS Certificate Manager (ACM) service.
- 3.
Select the appropriate ACM certificate for renewal.
- 4.
Check the expiration date of the selected certificate.
- 5.
If the expiration date exceeds 30 days, take note of all the resource deployments utilizing the certificate.
- 6.
Decide on the appropriate renewal timing considering the impacts on the resources utilizing the certificate. It is recommended to schedule the renewal ahead of the expiration date.
- 7.
Click on the "Renew" button for the certificate.
- 8.
Select the desired validation method depending on your requirements, such as DNS validation or email validation.
- 9.
Follow the guided process to complete the renewal and validate the certificate.
- 10.
Update all resource deployments utilizing the certificate with the renewed ACM certificate.
- 11.
Monitor the status of the renewed certificate to ensure successful deployment across the infrastructure.
- 12.
Set a reminder or automate the renewal process to ensure future certificates adhere to the 30-day expiration policy.
By following these steps, you can effectively remediate and comply with the ACM certificate expiration policy as required by the NIST CSF v1 framework. Remember to periodically review and renew certificates within the 30-day grace period to maintain a robust and secure certificate infrastructure.