AWS ACM Certificates Renewal Under 30 Days
More Info:
Ensure that SSL/TLS certificates managed by AWS Certificate Manager (ACM) are renewed at least 30 days before the end of their validity period. ACM is the AWS service that provisions, manages and deploys SSL/TLS certificates for use with other AWS resources such as Elastic Load Balancers, CloudFront distributions or APIs on Amazon API Gateway. ACM renews eligible Amazon-issued certificates on its own, but it never renews imported certificates, and it cannot renew a certificate whose validation can no longer be completed (for example, a DNS validation CNAME that has been removed). A certificate that is inside the 30-day window and is not scheduled for automatic renewal needs manual action before the resources using it start failing TLS handshakes.
Risk Level
Medium
Address
Security
Compliance Standards
NIST
Triage and Remediation
Check Cause
- Log in to the AWS Management Console and navigate to the Certificate Manager (ACM) service.
- In the ACM dashboard, list the certificates in the region you are auditing. Repeat for every region you use; certificates attached to CloudFront distributions live in us-east-1.
- For each certificate, check its expiration date, its type (Amazon-issued or imported) and its renewal eligibility. A certificate that expires in less than 30 days and is not scheduled for automatic renewal (an imported certificate, or one marked ineligible for renewal) indicates a misconfiguration.
- Note that the “Client Certificate for Endpoint Verification” field on an API Gateway stage refers to a client certificate generated by API Gateway for verifying requests to your backend, not to an ACM certificate; its expiry has to be tracked separately and is out of scope for this check.
- First, install and configure the AWS CLI on your local machine, following the instructions provided by AWS. Make sure the credentials you use have permission to list and describe certificates in ACM (acm:ListCertificates and acm:DescribeCertificate).
- Once the AWS CLI is set up, list all the ACM certificates in a region with the following command (run it once per region; certificates used by CloudFront are in us-east-1):
```shell
aws acm list-certificates --region your-region
```
This command returns a list of certificate ARNs under CertificateSummaryList. The CLI follows pagination for you, so large accounts are covered by the single command.
- Now, for each certificate ARN, describe the certificate to get its details, including the expiration date:
```shell
aws acm describe-certificate --certificate-arn your-certificate-arn --region your-region
```
This command returns the certificate details in JSON format. Look for the ‘NotAfter’ field in the ‘Certificate’ object; it contains the expiration date. Certificates that were never issued (for example, still pending validation) have no ‘NotAfter’ field.
- Now, you can write a script to compare the current date with the ‘NotAfter’ date. If the difference is less than 30 days, the certificate is due for renewal in less than 30 days. Here is a simple Python script that does this by wrapping the two CLI commands above:
```python
import datetime
import json
import subprocess

REGION = 'your-region'
# Use a timezone-aware timestamp: NotAfter carries a timezone in the CLI output
current_date = datetime.datetime.now(datetime.timezone.utc)


def run_cli(*args):
    """Run an AWS CLI command and return its parsed JSON output."""
    result = subprocess.run(['aws', *args, '--region', REGION, '--output', 'json'],
                            capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def parse_not_after(value):
    """CLI v2 prints NotAfter as an ISO 8601 string; CLI v1 may print epoch seconds."""
    if isinstance(value, (int, float)):
        return datetime.datetime.fromtimestamp(value, tz=datetime.timezone.utc)
    return datetime.datetime.fromisoformat(value.replace('Z', '+00:00'))


# List all the ACM Certificates
certificates = run_cli('acm', 'list-certificates')['CertificateSummaryList']
for certificate in certificates:
    certificate_arn = certificate['CertificateArn']
    # Describe the certificate to get its details
    detail = run_cli('acm', 'describe-certificate', '--certificate-arn', certificate_arn)
    # Certificates that were never issued (e.g. pending validation) have no NotAfter
    if 'NotAfter' not in detail['Certificate']:
        continue
    not_after = parse_not_after(detail['Certificate']['NotAfter'])
    # Compare the current date with the 'NotAfter' date
    days_left = (not_after - current_date).days
    if days_left < 30:
        print(f'Certificate {certificate_arn} is due for renewal in {days_left} days.')
```
This script prints the ARN of every ACM certificate that is due for renewal in less than 30 days; a negative number of days means the certificate has already expired.
- Set up the AWS SDK (Boto3) in your Python environment. You can install it using pip:
```shell
pip install boto3
```
Then configure your AWS credentials, either through environment variables or with the AWS CLI.
- List all ACM certificates: use the list_certificates method of the boto3 ACM client. The call is paginated, so iterate over the paginator rather than relying on a single response.
- Get certificate details: for each certificate, call the describe_certificate method. The ‘NotAfter’ field of the returned ‘Certificate’ object is the expiry date, as a timezone-aware datetime; it is absent for certificates that were never issued.
- Check if the certificate is expiring in less than 30 days: compare the expiry date with the current date in the same timezone. If the difference is less than 30 days, the certificate is due for renewal.
Putting the three steps together:
```python
import datetime

import boto3

THRESHOLD_DAYS = 30

# Create ACM client (pass region_name explicitly to audit other regions;
# certificates used by CloudFront live in us-east-1)
acm = boto3.client('acm')

# List all certificates; list_certificates is paginated, so walk every page
paginator = acm.get_paginator('list_certificates')
for page in paginator.paginate():
    for certificate in page['CertificateSummaryList']:
        certificate_arn = certificate['CertificateArn']
        # Get certificate details; NotAfter is a timezone-aware datetime
        certificate_detail = acm.describe_certificate(CertificateArn=certificate_arn)
        expiry_date = certificate_detail['Certificate'].get('NotAfter')
        if expiry_date is None:
            continue  # never issued (e.g. still pending validation)
        # Compare with the current time in the same timezone
        current_date = datetime.datetime.now(expiry_date.tzinfo)
        days_to_expiry = (expiry_date - current_date).days
        if days_to_expiry < THRESHOLD_DAYS:
            print(f"Certificate {certificate_arn} is due for renewal in {days_to_expiry} days.")
```
This script prints the ARN of every certificate that is due for renewal in less than 30 days.
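Both scripts above flag every certificate inside the 30-day window, but not every flagged certificate needs a person: ACM renews eligible Amazon-issued certificates itself, while imported certificates, certificates marked ineligible, and renewals stuck on validation do not fix themselves. The following is an added example, not code from the original page or from AWS, that extends the check with the Type, RenewalEligibility and RenewalSummary fields that describe_certificate returns and classifies each certificate by the action required. The ACM client is passed in as a parameter, so the logic runs offline against the constructed FakeAcm and sample records below (the account id in the ARNs is hypothetical); with boto3 it is called as audit(boto3.client("acm", region_name="us-east-1"), now).

```python
"""Classify ACM certificates that expire within 30 days by the action required.

Added example; the field names follow the ACM DescribeCertificate response,
the sample records are constructed for this example.
"""
from __future__ import annotations

import datetime as dt

THRESHOLD_DAYS = 30


def classify(cert: dict, now: dt.datetime) -> tuple[str, int]:
    """Return (status, days_left) for one 'Certificate' dict from describe_certificate."""
    not_after = cert.get("NotAfter")
    if not_after is None:
        return "NOT_ISSUED", 0                     # pending validation or failed; never issued
    days_left = (not_after - now).days
    if cert.get("Status") == "EXPIRED" or days_left < 0:
        return "EXPIRED", days_left
    if days_left >= THRESHOLD_DAYS:
        return "OK", days_left
    # Inside the 30-day window: decide who has to act.
    if cert.get("Type") == "IMPORTED":
        return "REIMPORT_REQUIRED", days_left      # ACM never renews imported certificates
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        return "MANUAL_REQUEST", days_left         # e.g. not associated with any AWS resource
    renewal_status = cert.get("RenewalSummary", {}).get("RenewalStatus")
    if renewal_status == "FAILED":
        return "RENEWAL_FAILED", days_left
    if renewal_status == "PENDING_VALIDATION":
        return "VALIDATION_REQUIRED", days_left    # e.g. DNS CNAME removed, email unanswered
    return "AUTO_RENEWAL_PENDING", days_left       # ACM is expected to handle it


def audit(acm, now: dt.datetime) -> list[dict]:
    """Walk every page of list_certificates, describe each cert, report those not OK."""
    findings = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            cert = acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]
            status, days_left = classify(cert, now)
            if status != "OK":
                findings.append({"arn": cert["CertificateArn"], "domain": cert.get("DomainName"),
                                 "status": status, "days_left": days_left})
    return findings


# --- constructed sample data standing in for the ACM API (hypothetical account id) ----
SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
ARN_PREFIX = "arn:aws:acm:us-east-1:123456789012:certificate/"


def _cert(suffix, domain, days, **fields):
    base = {"CertificateArn": ARN_PREFIX + suffix, "DomainName": domain, "Status": "ISSUED",
            "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
            "NotAfter": SAMPLE_NOW + dt.timedelta(days=days)}
    base.update(fields)
    return base


SAMPLE_CERTIFICATES = [
    _cert("aaaa", "ok.example.com", 200),
    _cert("bbbb", "auto.example.com", 20, RenewalSummary={"RenewalStatus": "PENDING_AUTO_RENEWAL"}),
    _cert("cccc", "stuck.example.com", 12, RenewalSummary={"RenewalStatus": "PENDING_VALIDATION"}),
    _cert("dddd", "legacy.example.com", 5, Type="IMPORTED", RenewalEligibility="INELIGIBLE"),
    _cert("eeee", "unused.example.com", 9, RenewalEligibility="INELIGIBLE"),
    _cert("ffff", "old.example.com", -3, Status="EXPIRED"),
]


class FakeAcm:
    """Minimal stand-in for a boto3 ACM client; returns two pages to exercise pagination."""

    def __init__(self, certs):
        self._certs = {c["CertificateArn"]: c for c in certs}

    def get_paginator(self, name):
        assert name == "list_certificates"
        arns = list(self._certs)
        pages = [arns[:3], arns[3:]]

        class _Paginator:
            def paginate(_self):
                for arn_page in pages:
                    yield {"CertificateSummaryList": [{"CertificateArn": a} for a in arn_page]}

        return _Paginator()

    def describe_certificate(self, CertificateArn):
        return {"Certificate": self._certs[CertificateArn]}


if __name__ == "__main__":
    for f in audit(FakeAcm(SAMPLE_CERTIFICATES), SAMPLE_NOW):
        print(f"{f['status']:<22} {f['days_left']:>4}d  {f['domain']}  {f['arn']}")
```

Run against the sample data, the audit reports five certificates and leaves ok.example.com out; only the AUTO_RENEWAL_PENDING finding can be left to ACM, the others need a re-import, a new request, or the missing validation record. Run it once per region in use, and always in us-east-1 for CloudFront.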