More Info:

Ensure that every certificate request made during SSL/TLS certificate issuance or renewal is validated, so that the certificates your API Gateway APIs rely on are in a valid, issued state. These certificates are managed within your account by AWS Certificate Manager (ACM), an AWS service that lets you provision, deploy and maintain SSL/TLS certificates for use with other AWS resources such as ELB load balancers, CloudFront distributions, or APIs exposed through Amazon API Gateway.

Risk Level

Medium

Address

Security

Compliance Standards

PCIDSS, NIST

Remediation

How to ensure that API Gateway ACM certificates are valid.

Using AWS Console

  1. Verify the certificate status in ACM:
    • Go to the AWS Management Console and navigate to the ACM service.
    • Select the region where your API Gateway ACM certificates are provisioned.
    • Check the list of certificates and verify the status of each certificate.
    • The valid certificates should have a status of “Issued.”
  2. Check the expiration date:
    • Review the expiration date of each certificate. (In the Cloudanix Console, navigate to “Misconfig” page and look for Affected Assets for “AWS ACM Certificates Not Valid” Policy.)
    • Ensure that the certificates are not expired or nearing their expiration date.
    • Renew or replace any certificates that are close to expiration.
  3. Monitor certificate health:
    • Enable automatic renewal and monitoring for ACM certificates.
    • ACM provides automated monitoring and renewal of certificates, helping to ensure their ongoing validity.
    • Configure notifications or alarms to alert you if any issues arise with the certificates.
  4. Set up certificate expiration reminders:
    • Establish a process or reminder system to proactively track the expiration dates of ACM certificates.
    • This can help you stay ahead of certificate renewals and prevent any disruptions due to expired certificates.
  5. Implement certificate rotation practices:
    • Consider implementing a regular certificate rotation schedule to maintain up-to-date and valid certificates.
    • Rotate certificates periodically, even if they haven’t reached their expiration date, to enhance security and stay current with best practices.
  6. Monitor API Gateway integration and deployment:
    • Regularly review and monitor the integration between API Gateway and ACM certificates.
    • Ensure that API Gateway is using the correct and valid ACM certificates for your APIs.
    • Verify that the certificate bindings are correctly configured for each API and stage.
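The console steps above (check certificate status, check expiration, confirm renewal coverage, verify the API Gateway bindings) can be run as one audit over the account's ACM and API Gateway inventory. The script below is an added example written for this page; it is not Cloudanix's or AWS's own code. It assumes the record shapes boto3 returns from `acm.describe_certificate()["Certificate"]` and `apigateway.get_domain_names()["items"]`, uses a constructed sample inventory (placeholder account ID and ARNs) so it runs offline, and treats a certificate expiring within 30 days as "nearing expiration", which is an assumed threshold, not one the page states.

```python
"""Audit API Gateway custom domains against the ACM certificates bound to them.

Added example for this page; not Cloudanix's or AWS's own code. Record shapes follow
boto3's acm.describe_certificate()["Certificate"] and apigateway.get_domain_names()["items"];
every sample record below is constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption: a certificate expiring within this many days counts as "nearing expiration".
EXPIRY_WARNING_DAYS = 30

# Constructed "current time" so the sample audit is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Placeholder account ID and ARN prefix (constructed, not a real account).
ARN_PREFIX = "arn:aws:acm:us-east-1:111111111111:certificate/"

# Constructed ACM certificate descriptions keyed by ARN.
SAMPLE_CERTS = {
    ARN_PREFIX + "healthy": {
        "DomainName": "api.example.com", "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=200), "RenewalEligibility": "ELIGIBLE",
    },
    ARN_PREFIX + "expiring": {
        "DomainName": "legacy.example.com", "Status": "ISSUED",
        "NotAfter": NOW + timedelta(days=10), "RenewalEligibility": "INELIGIBLE",  # e.g. an imported cert
    },
    ARN_PREFIX + "pending": {
        "DomainName": "staging.example.com", "Status": "PENDING_VALIDATION",
        "RenewalEligibility": "INELIGIBLE",  # never issued, so no NotAfter
    },
    ARN_PREFIX + "expired": {
        "DomainName": "old.example.com", "Status": "EXPIRED",
        "NotAfter": NOW - timedelta(days=1), "RenewalEligibility": "INELIGIBLE",
    },
}

# Constructed API Gateway custom domain names. Edge-optimized domains carry certificateArn
# (certificate must live in us-east-1); regional domains carry regionalCertificateArn.
SAMPLE_DOMAINS = [
    {"domainName": "api.example.com", "regionalCertificateArn": ARN_PREFIX + "healthy"},
    {"domainName": "legacy.example.com", "certificateArn": ARN_PREFIX + "expiring"},
    {"domainName": "staging.example.com", "regionalCertificateArn": ARN_PREFIX + "pending"},
    {"domainName": "old.example.com", "regionalCertificateArn": ARN_PREFIX + "expired"},
    {"domainName": "orphan.example.com"},  # no certificate bound at all
]


def audit_certificate(cert, now=NOW, warn_days=EXPIRY_WARNING_DAYS):
    """Return a list of findings for one ACM certificate description (empty list = healthy)."""
    findings = []
    status = cert.get("Status")
    if status != "ISSUED":
        findings.append(f"status is {status}, expected ISSUED")
    not_after = cert.get("NotAfter")
    if not_after is None:
        findings.append("no NotAfter date (certificate has not been issued)")
    elif not_after <= now:
        findings.append(f"expired on {not_after.date()}")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append(f"expires in {(not_after - now).days} days")
    # Managed renewal only covers certificates ACM itself issued; imported ones must be replaced by hand.
    if status == "ISSUED" and cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append("not eligible for ACM managed renewal; plan a manual rotation")
    return findings


def audit_api_gateway_domains(domains, certs_by_arn, now=NOW, warn_days=EXPIRY_WARNING_DAYS):
    """Map each API Gateway custom domain name to the findings for its bound certificate."""
    report = {}
    for domain in domains:
        name = domain["domainName"]
        arn = domain.get("regionalCertificateArn") or domain.get("certificateArn")
        if arn is None:
            report[name] = ["no ACM certificate bound"]
        elif arn not in certs_by_arn:
            report[name] = [f"bound certificate {arn} not found in ACM"]
        else:
            report[name] = audit_certificate(certs_by_arn[arn], now, warn_days)
    return report


def fetch_live_inventory(region):
    """Pull the same two record sets from a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the sample audit runs without boto3 installed
    apigw = boto3.client("apigateway", region_name=region)
    domains = apigw.get_domain_names()["items"]
    certs = {}
    for domain in domains:
        arn = domain.get("regionalCertificateArn") or domain.get("certificateArn")
        if arn and arn not in certs:
            # The ARN encodes the certificate's own region (us-east-1 for edge-optimized domains).
            acm = boto3.client("acm", region_name=arn.split(":")[3])
            certs[arn] = acm.describe_certificate(CertificateArn=arn)["Certificate"]
    return domains, certs


if __name__ == "__main__":
    for name, findings in audit_api_gateway_domains(SAMPLE_DOMAINS, SAMPLE_CERTS).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it as-is to see the sample report; against a real account, replace the sample inventory with `fetch_live_inventory(region)` and, if the output is large, feed the findings into whatever alerting the team already uses. A domain with an empty findings list satisfies every step above; anything else points at the specific step that needs attention.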

Additional Reading: