
Rule: ACM Certificates Expiry Within 30 Days

Ensure ACM certificates are configured to expire within 30 days for improved security and compliance.

Rule: ACM certificates should be set to expire within 30 days
Framework: SOC 2
Severity: Medium

Rule Description:

ACM certificates should be set to expire within 30 days for SOC 2 compliance.

Policy Explanation:

To comply with SOC 2 requirements, all ACM (AWS Certificate Manager) certificates should have an expiration date set within 30 days. This policy ensures that certificates are regularly renewed and updated, reducing the risk of unauthorized access and maintaining the security of data being transmitted over the network.

Troubleshooting Steps:

If you encounter any issues regarding ACM certificates not expiring within 30 days, follow these troubleshooting steps:

  1. Check the existing ACM certificate expiration date: Use the AWS Management Console or AWS CLI to retrieve the expiration date of the certificate in question.

  2. Verify the certificate renewal settings: Ensure that the certificate is configured to automatically renew before it reaches the expiration date. Check both the ACM console and the AWS CLI for the certificate's renewal configuration.

  3. Confirm the ACM certificate creation date: It is possible that the certificate was created outside of the 30-day expiration window. Verify the date of certificate creation using the ACM console or AWS CLI.

  4. Check for any errors or warnings: Review any error messages or warnings that may have been logged during certificate renewal attempts. Address any issues identified in the logs accordingly.

  5. Review IAM permissions: Ensure that the user or role attempting to renew the certificate has the necessary IAM (Identity and Access Management) permissions to perform the renewal action.

  6. Ensure AWS service integration: Confirm that the ACM certificate is properly integrated with the AWS services where it is being used. Incorrect integration may prevent the certificate from being renewed automatically.

Required Code:

No specific code is required for this policy. However, you might need to use AWS CLI commands or AWS SDKs for automation purposes, if desired. These commands may vary depending on the specific use case and certificate management method chosen.

Remediation Steps:

To remediate the issue of ACM certificates not expiring within 30 days, follow these steps:

  1. Identify certificates with expiration dates exceeding 30 days: Use the AWS Management Console or AWS CLI to list all ACM certificates and their corresponding expiration dates.

  2. Update renewal settings: For each certificate that does not meet the 30-day expiration requirement, modify the renewal settings to ensure automatic renewal occurs within the desired timeframe. This can be done either through the ACM console or the AWS CLI.

  3. Test the renewal process: After updating the renewal settings, wait for the renewal process to trigger automatically or initiate it manually. Monitor the renewal process and verify that the expiration date is adjusted to within 30 days.

  4. Configure expiry notifications: Set up expiry notifications to ensure proactive management of certificate renewals. This can be done using the ACM console or AWS CLI.

  5. Implement automation: To ensure ongoing compliance with the policy, consider automating the renewal process using AWS Lambda functions or other scripting methods. This ensures that certificates are regularly checked and renewed before they expire.

  6. Regularly review and monitor: Continuously monitor and review ACM certificates to ensure that they are renewed within the set 30-day expiration window. Periodically check the expiration dates and make adjustments as needed.

By following these steps, you can ensure that ACM certificates are set to expire within 30 days, maintaining SOC 2 compliance and enhancing the security of your AWS infrastructure.
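An added example (not Cloud Defense code) of how troubleshooting steps 1 and 2 and remediation step 1 can be scripted in Python: each certificate's `NotAfter` is compared against the 30-day window, and ACM's own `RenewalEligibility` and `RenewalSummary.RenewalStatus` fields decide whether ACM will renew it on its own or a person must act. The ARNs, domain names and dates are constructed sample data; `fetch_live_certificates` is the optional boto3 path for a real account and is not needed to run the sample.

```python
from datetime import datetime, timedelta, timezone

EXPIRY_WINDOW_DAYS = 30

def assess_certificate(cert: dict, now: datetime) -> dict:
    """Evaluate one 'Certificate' dict as returned by acm:DescribeCertificate."""
    not_after = cert.get("NotAfter")  # absent while a request is still pending validation
    days_left = None if not_after is None else (not_after - now) / timedelta(days=1)
    # Amazon-issued and private certs are renewable by ACM; imported ones are not.
    eligible = cert.get("RenewalEligibility") == "ELIGIBLE"
    renewal_status = cert.get("RenewalSummary", {}).get("RenewalStatus")
    expiring_soon = days_left is not None and days_left <= EXPIRY_WINDOW_DAYS
    # Escalate only when ACM will not (ineligible) or did not (FAILED) renew it.
    needs_action = expiring_soon and (not eligible or renewal_status == "FAILED")
    return {
        "arn": cert.get("CertificateArn"),
        "domain": cert.get("DomainName"),
        "days_left": None if days_left is None else round(days_left, 1),
        "expiring_within_30_days": expiring_soon,
        "auto_renewal_eligible": eligible,
        "renewal_status": renewal_status,
        "needs_manual_action": needs_action,
    }

def assess_all(certs, now=None):
    now = now or datetime.now(timezone.utc)
    return [assess_certificate(c, now) for c in certs]

def fetch_live_certificates(region="us-east-1"):
    """Yield every certificate description in the account (needs boto3 and acm:List/DescribeCertificate)."""
    import boto3  # imported lazily so the offline sample below needs no AWS libraries
    acm = boto3.client("acm", region_name=region)
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            yield acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]

# Constructed sample data standing in for DescribeCertificate output.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/sample-1",
     "DomainName": "app.example.com", "NotAfter": NOW + timedelta(days=12),
     "RenewalEligibility": "ELIGIBLE",
     "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"}},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/sample-2",
     "DomainName": "legacy.example.com", "NotAfter": NOW + timedelta(days=20),
     "RenewalEligibility": "INELIGIBLE"},  # imported certificate: ACM cannot renew it
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/sample-3",
     "DomainName": "api.example.com", "NotAfter": NOW + timedelta(days=200),
     "RenewalEligibility": "ELIGIBLE"},
]
```

Run `assess_all(fetch_live_certificates(), datetime.now(timezone.utc))` against a real account; only findings with `needs_manual_action` set require the renewal-settings and IAM checks from the steps above.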
