More Info:

Ensure that all the expired Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates managed by AWS Certificate Manager are removed in order to adhere to Amazon Security Best Practices. Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other Amazon services such as Elastic Load Balancing and CloudFront.

Risk Level

High

Address

Security

Compliance Standards

NIST

Triage and Remediation

Check Cause

Using Console

  1. Log in to the AWS Management Console and open the API Gateway console at https://console.aws.amazon.com/apigateway/.
  2. In the navigation pane, choose ‘APIs’.
  3. In the APIs pane, choose the API you want to check.
  4. In the API details pane, choose ‘Custom Domain Names’. This will display a list of custom domain names associated with the API.
  5. For each custom domain name, check the ‘ACM Certificate’ column. If the certificate is expired, the status will be ‘Expired’.
  1. Install and configure AWS CLI: Before you can start using AWS CLI, you need to install it on your local machine and configure it with your AWS account credentials. You can do this by running the following commands: 
    pip install awscli
aws configure
    You will be prompted to provide your AWS Access Key ID, Secret Access Key, Default region name, and Default output format.
  2. List all API Gateways: Use the following command to list all the API Gateways in your AWS account: 
    aws apigateway get-rest-apis
    This command will return a list of all the REST APIs in your account.
  3. Get the details of each API: For each API in the list, use the following command to get its details: 
    aws apigateway get-rest-api --rest-api-id {rest-api-id}
    Replace {rest-api-id} with the ID of the API you want to check. This command will return the details of the specified API, including its name, ID, and description.
  4. Check the ACM Certificate: In the details of each API, look for the clientCertificateId field. This field contains the ID of the ACM Certificate associated with the API. Use the following command to get the details of the certificate: 
    aws acm describe-certificate --certificate-arn {certificate-arn}
    Replace {certificate-arn} with the ARN of the certificate you want to check. This command will return the details of the certificate, including its status and expiration date. If the status is EXPIRED, then the certificate has expired.
  1. Install the necessary Python libraries: To interact with AWS services, you need to install the AWS SDK for Python (Boto3). You can install it using pip: 
    pip install boto3
  2. Configure AWS Credentials: Before you can begin using Boto3, you need to set up authentication credentials for your AWS account using either the AWS CLI or by creating a credentials file manually. The credentials should have permissions to access the ACM and API Gateway services.
  3. Create a Python script to list all the API Gateways and their associated ACM certificates: 
    import boto3

def get_api_gateways():
    client = boto3.client('apigateway')
    response = client.get_rest_apis()
    return response['items']

def get_certificate_arn(api):
    client = boto3.client('apigateway')
    response = client.get_domain_names()
    for domain in response['items']:
        if domain['domainName'] == api['name']:
            return domain['certificateArn']
    return None

apis = get_api_gateways()
for api in apis:
    certificate_arn = get_certificate_arn(api)
    if certificate_arn:
        print(f"API: {api['name']}, Certificate ARN: {certificate_arn}")
  4. Create a Python script to check the expiration date of the ACM certificates: 
    import boto3
from datetime import datetime

def get_certificate_expiration_date(certificate_arn):
    client = boto3.client('acm')
    response = client.describe_certificate(
        CertificateArn=certificate_arn
    )
    return response['Certificate']['NotAfter']

certificate_arns = [...]  # List of certificate ARNs obtained from the previous script
for arn in certificate_arns:
    expiration_date = get_certificate_expiration_date(arn)
    if expiration_date < datetime.now():
        print(f"Certificate with ARN {arn} has expired.")
This script will print out the ARN of all the ACM certificates associated with API Gateways that have expired.

Additional Reading: