Posted On: Mar 3, 2021
AWS Certificate Manager (ACM) now publishes certificate metrics and events through Amazon CloudWatch and Amazon EventBridge. Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates are used to secure network communication and establish the identity of websites over the internet. Certificates have a defined lifetime and must be renewed before they expire if they are to remain in use. These new metrics and events help administrators keep track of certificate expiration dates and take the necessary action, or configure automation, to prevent certificate expiry and the outages it causes.
ACM lets you easily provision, manage, and deploy public and private SSL/TLS certificates. ACM provides managed renewal to automatically renew certificates in most cases. However, there are exceptions where user action is needed for certificate renewal. For example, ACM does not attempt to renew third-party certificates that are imported. Also, an administrator needs to reconfigure missing DNS records for certificates that use DNS validation if the record was removed for any reason after the certificate was issued. Metrics and events give you visibility into such certificates that require intervention to continue the renewal process. A certificate that isn’t renewed expires, which can lead to a website or an application being unavailable.
Amazon CloudWatch metrics and Amazon EventBridge events are enabled for all certificates that are managed by ACM. Users can monitor “days to expiry” as a metric for ACM certificates through Amazon CloudWatch. An Amazon EventBridge expiry event is published for any certificate that is at least 45 days away from expiry by default. Users can build alarms that monitor certificates based on days to expiry and trigger custom actions such as invoking a Lambda function or paging an administrator. Please refer to examples here for the certificate expiry event format and handling.
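As an added example (not part of the announcement or of ACM itself), a Lambda-style handler that triages the expiry event described above, separating certificates ACM will renew on its own from the imported or renewal-ineligible ones that need an administrator. The detail field names (DaysToExpiry, CommonName, DomainValidationMethod, CertificateType, InUse, RenewalEligibility) follow ACM's documented "ACM Certificate Approaching Expiration" event; the sample event values, the `triage` function and the 7-day paging threshold are constructed for illustration.

```python
# Constructed sample event (all values made up). Field names follow the
# "ACM Certificate Approaching Expiration" event that ACM publishes to EventBridge.
SAMPLE_EVENT = {
    "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm",
    "time": "2021-03-03T12:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"],
    "detail": {
        "DaysToExpiry": 31,
        "CommonName": "www.example.com",
        "DomainValidationMethod": "DNS",
        "CertificateType": "IMPORTED",
        "InUse": True,
        "RenewalEligibility": "INELIGIBLE",
    },
}

def triage(event, page_threshold_days=7):
    """Hypothetical handler: decide whether ACM will renew this certificate by
    itself, what an operator must do if not, and whether to page right now."""
    if event.get("source") != "aws.acm" or event.get("detail-type") != "ACM Certificate Approaching Expiration":
        raise ValueError("not an ACM Certificate Approaching Expiration event")
    d = event["detail"]
    days = int(d["DaysToExpiry"])
    imported = d.get("CertificateType") == "IMPORTED"
    eligible = d.get("RenewalEligibility") == "ELIGIBLE"
    if imported:
        action = "ACM does not renew imported certificates: obtain a new one from the issuer and re-import it"
    elif not eligible:
        action = "ACM reports the certificate as ineligible for managed renewal: request or import a replacement"
    elif d.get("DomainValidationMethod") == "DNS":
        action = "managed renewal has not completed: confirm the DNS validation CNAME record is still present"
    else:
        action = "managed renewal has not completed: check the validation status of the certificate in ACM"
    return {
        "certificate_arn": event["resources"][0],
        "days_to_expiry": days,
        "auto_renews": not imported and eligible,
        # Only page when the certificate is actually bound to a resource and time is short.
        "page_now": bool(d.get("InUse")) and days <= page_threshold_days,
        "action": action,
    }

def lambda_handler(event, context=None):
    """Lambda entry-point shape; route the returned dict to SNS, a pager, or a ticket."""
    return triage(event)
```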