AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
AWS ACM Certificates Renewal Under 7 Days
More Info:
Ensure that your SSL/TLS certificates managed by AWS ACM are renewed 7 days before their validity period ends. Certificate Manager is the AWS service that lets you easily provision, manage, and deploy SSL/TLS certificates for use with other AWS resources such as Elastic Load Balancers, CloudFront distributions or APIs on Amazon API Gateway.
Risk Level
High
Address
Security
Compliance Standards
NIST
Triage and Remediation
Check Cause
- Log in to the AWS Management Console and navigate to the API Gateway service.
- In the API Gateway dashboard, select the APIs that you want to examine.
- In the API details page, select the “Stages” option from the left-hand navigation panel.
- In the Stages section, check the “Client Certificate for Endpoint Verification” field. If the certificate is due to expire in less than 7 days, it is a misconfiguration.
-
First, you need to install and configure AWS CLI on your local machine. You can do this by following the instructions provided by AWS. Make sure you have the necessary permissions to access the ACM and API Gateway services.
-
Once the AWS CLI is set up, you can list all the ACM Certificates using the following command:
aws acm list-certificates --region your-regionReplace ‘your-region’ with the region where your ACM Certificates are located. This command will return a list of Certificate ARNs.
-
For each Certificate ARN, you can describe the certificate to get its details, including the renewal status. Use the following command:
aws acm describe-certificate --certificate-arn your-certificate-arn --region your-regionReplace ‘your-certificate-arn’ with the ARN of the certificate you want to check, and ‘your-region’ with the region where the certificate is located. Look for the ‘RenewalSummary’ field in the output. If the ‘RenewalStatus’ is ‘PENDING_VALIDATION’, it means the certificate is due for renewal.
-
To check if the certificate is used in API Gateway, list all the Rest APIs in API Gateway using the following command:
aws apigateway get-rest-apis --region your-regionFor each Rest API, get its details using the following command:
aws apigateway get-rest-api --rest-api-id your-rest-api-id --region your-regionReplace ‘your-rest-api-id’ with the ID of the Rest API you want to check, and ‘your-region’ with the region where the Rest API is located. If the ‘endpointConfiguration’ field contains the ARN of the certificate, it means the certificate is used in the Rest API.
-
Install and configure AWS SDK for Python (Boto3): You need to install Boto3 in your local environment. You can install it using pip:
pip install boto3After installing Boto3, you need to configure it. You can configure it using AWS CLI:
aws configureIt will ask for your AWS Access Key ID, Secret Access Key, Default region name, and Default output format. You can get these details from your AWS account.
-
Use Boto3 to list all the ACM Certificates: You can use the
list_certificatesmethod of ACM client in Boto3 to list all the ACM Certificates. Here is a sample script:import boto3 # Create ACM client acm = boto3.client('acm') # List certificates with the pagination interface paginator = acm.get_paginator('list_certificates') for response in paginator.paginate(): for certificate in response['CertificateSummaryList']: print(certificate)This script will print all the ACM Certificates in your AWS account.
-
Check the renewal status of each certificate: You can use the
describe_certificatemethod of ACM client in Boto3 to get the details of each certificate. Here is a sample script:import boto3 from datetime import datetime, timedelta # Create ACM client acm = boto3.client('acm') # List certificates with the pagination interface paginator = acm.get_paginator('list_certificates') for response in paginator.paginate(): for certificate in response['CertificateSummaryList']: # Describe the specified certificate response = acm.describe_certificate( CertificateArn=certificate['CertificateArn'] ) # Get the renewal eligibility renewal_eligibility = response['Certificate']['RenewalEligibility'] # Get the not_after date not_after = response['Certificate']['NotAfter'] # Check if the certificate is eligible for renewal and will expire in less than 7 days if renewal_eligibility == 'ELIGIBLE' and not_after < datetime.now() + timedelta(days=7): print(f"Certificate {certificate['CertificateArn']} is eligible for renewal and will expire in less than 7 days.")This script will print all the ACM Certificates in your AWS account that are eligible for renewal and will expire in less than 7 days.
-
Handle the exceptions: You should handle the exceptions in your script to make it robust. For example, you can handle the
NoCredentialsErrorexception if the AWS credentials are not configured properly. Here is a sample script:import boto3 from botocore.exceptions import NoCredentialsError from datetime import datetime, timedelta try: # Create ACM client acm = boto3.client('acm') # List certificates with the pagination interface paginator = acm.get_paginator('list_certificates') for response in paginator.paginate(): for certificate in response['CertificateSummaryList']: # Describe the specified certificate response = acm.describe_certificate( CertificateArn=certificate['CertificateArn'] ) # Get the renewal eligibility renewal_eligibility = response['Certificate']['RenewalEligibility'] # Get the not_after date not_after = response['Certificate']['NotAfter'] # Check if the certificate is eligible for renewal and will expire in less than 7 days if renewal_eligibility == 'ELIGIBLE' and not_after < datetime.now() + timedelta(days=7): print(f"Certificate {certificate['CertificateArn']} is eligible for renewal and will expire in less than 7 days.") except NoCredentialsError: print("AWS credentials are not configured properly.")This script will print a message if the AWS credentials are not configured properly.