How can I be notified when my ACM imported certificates are near expiration?

Last updated: 2022-07-19

I imported an AWS Certificate Manager (ACM) certificate. I want to reimport the certificate before it expires. How can I be notified before my imported certificate expires?

Short description

ACM doesn't provide managed renewal for imported certificates. To renew an imported certificate, first request a new certificate from your certificate issuer. Then, manually reimport the certificate into ACM.

Resolution

You can use AWS Config to check for certificates that are nearing the expiration date. You can also use Amazon EventBridge to receive email notifications when certificates are nearing the expiration date.

Note:

  • Enabling AWS Config incurs an additional cost based on usage. For more information, see AWS Config pricing.
  • Make sure that the Amazon Simple Notification Service (Amazon SNS) topic and Amazon EventBridge rule are created before the AWS Config rule is set up. Doing this makes sure that all non-compliant certificates trigger a notification before the expiration date.

Create an EventBridge rule

Use a custom event pattern with an EventBridge rule to match compliance change notifications from the AWS Config managed rule acm-certificate-expiration-check. Then, route the matching events to an Amazon Simple Notification Service (Amazon SNS) topic.

1.    If you haven't already created an Amazon SNS topic, then follow the instructions for Getting started with Amazon SNS.

Note: The Amazon SNS topic must be in the same Region as your AWS Config service.

2.    Open the EventBridge console, and then choose Rules.

3.    Choose Create rule.

4.    For Name, enter a name for your rule.

5.    In Rule type, choose Rule with an event pattern, and then choose Next.

6.    In Event source, choose AWS events or EventBridge partner events.

7.    In the Event pattern, choose Custom patterns (JSON editor).

8.    In the Event pattern preview pane, copy and paste the following event pattern:

{
  "source": [
    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      "acm-certificate-expiration-check"
    ],
    "resourceType": [
      "AWS::ACM::Certificate"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}

9.    Choose Next.

10.    For Select a target, choose SNS topic.

11.    For Topic, choose your SNS topic.

12.    In the Configure target input dropdown list, choose Input transformer.

13.    Choose Configure input transformer.

14.    In the Input path text box, copy and paste the following path:

{
  "awsRegion": "$.detail.awsRegion",
  "resourceId": "$.detail.resourceId",
  "awsAccountId": "$.detail.awsAccountId",
  "compliance": "$.detail.newEvaluationResult.complianceType",
  "rule": "$.detail.configRuleName",
  "time": "$.detail.newEvaluationResult.resultRecordedTime",
  "resourceType": "$.detail.resourceType"
}

15.    In the Input Template text box, copy and paste the following template:

"On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance>."

"For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration."

16.    Choose Confirm, Next, Next, Create rule.

17.    When an event matches the rule, you receive an SNS email notification with the custom fields from step 15 populated, similar to the following:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_Id in Region ExampleRegion as ExamplecomplianceType. 

For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"
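To see how the event pattern, input path and input template above fit together, here is an added Python example (not AWS code and not part of this article) that applies a simplified subset of EventBridge's pattern matching and input-transformer semantics to a constructed Config compliance-change event. It assumes only the event fields the input path above references; the account ID, certificate ARN and timestamp in the sample event are placeholders.

```python
import re
# Event pattern and input transformer from the article, as Python dicts.
PATTERN = {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
           "detail": {"messageType": ["ComplianceChangeNotification"],
                      "configRuleName": ["acm-certificate-expiration-check"],
                      "resourceType": ["AWS::ACM::Certificate"],
                      "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}}
INPUT_PATH = {"awsRegion": "$.detail.awsRegion", "resourceId": "$.detail.resourceId",
              "awsAccountId": "$.detail.awsAccountId", "rule": "$.detail.configRuleName",
              "compliance": "$.detail.newEvaluationResult.complianceType",
              "time": "$.detail.newEvaluationResult.resultRecordedTime",
              "resourceType": "$.detail.resourceType"}
TEMPLATE = ("On <time> AWS Config rule <rule> evaluated the <resourceType> with Id "
            "<resourceId> in the account <awsAccountId> region <awsRegion> as <compliance>.")

# Constructed sample event; account ID, certificate ARN and timestamp are placeholders.
SAMPLE_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                "detail": {"messageType": "ComplianceChangeNotification",
                           "configRuleName": "acm-certificate-expiration-check",
                           "resourceType": "AWS::ACM::Certificate",
                           "resourceId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
                           "awsAccountId": "111122223333", "awsRegion": "us-east-1",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                                   "resultRecordedTime": "2022-07-19T00:00:00Z"}}}

def matches(pattern, event):
    """Subset of EventBridge matching: a list means 'equals any listed value',
    a dict recurses, and a key missing from the event never matches."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not (isinstance(event[key], dict) and matches(want, event[key])):
                return False
        elif event[key] not in want:
            return False
    return True

def extract(path, event):
    """Resolve a plain '$.a.b' JSONPath (no wildcards or filters)."""
    node = event
    for part in path[2:].split("."):  # drop the leading "$."
        node = node[part]
    return node

def render(event):
    """Return the SNS message text for a matching event, else None."""
    if not matches(PATTERN, event):
        return None
    values = {k: str(extract(p, event)) for k, p in INPUT_PATH.items()}
    return re.sub(r"<(\w+)>", lambda m: values[m.group(1)], TEMPLATE)
```

A COMPLIANT evaluation of the same certificate, or an event from any other source, yields None, which is why only the NON_COMPLIANT transition produces an email.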

Create an AWS Config rule

1.    Open the AWS Config console, choose Rules, and then choose Add rule.

2.    In Select rule type, choose Add AWS managed rule.

3.    In AWS Managed Rules, choose acm-certificate-expiration-check, and then choose Next.

4.    In Parameters, for the daysToExpiration key, in Value, enter the number of days that you want the rule to trigger before expiration.

5.    Choose Next, and then choose Add rule.

The AWS Config rule acm-certificate-expiration-check marks a certificate as Noncompliant when it is within the number of days of expiration that you entered in step 4.