
AWS ACM Certificates Validity

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (not acceptable risk)
Rule ID: ACM-005

Ensure that all the requests made during the SSL/TLS certificate issue or renewal process are validated. These requests are managed within your account by the Amazon Certificate Manager (ACM), an AWS service that lets you provision, deploy and maintain SSL/TLS certificates for use with other AWS resources such as ELB load balancers, CloudFront distributions or APIs exposed via Amazon API Gateway.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Well-Architected pillars: Security, Operational excellence

When an Amazon ACM certificate request is not validated on time (i.e. within 72 hours after the request is made), the request becomes invalid and you will have to request a new SSL/TLS certificate, which could interrupt your applications or services.

Note: AWS Certificate Manager automatically renews certificates issued by the service that are in use with other AWS resources. However, the ACM service does not automatically renew certificates that are not currently in use (i.e. no longer associated with other AWS resources), so the renewal process (including validation) must be done manually before these certificates become invalid.


Audit

To determine if there are any AWS ACM certificate requests that are not currently validated within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS ACM dashboard at https://console.aws.amazon.com/acm/.

03 Select the SSL/TLS certificate that you want to examine and click on the Show/Hide Details button to expand the panel with the certificate details.

04 Inside the Status section, verify the current status of the SSL/TLS certificate. If the Status attribute value is set to Pending validation and the "Validation not complete" warning message is displayed, the issue/renewal request for the selected certificate was not validated (i.e. ACM could not validate one or more domain names within the certificate), and you must use the ACM service to resend the domain validation email (see Remediation/Resolution section).

05 Repeat steps no. 3 and 4 to check the validation status of the other SSL/TLS certificates managed by AWS ACM within the current region.

06 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run the list-certificates command (OSX/Linux/UNIX) to list all SSL/TLS certificates managed by Amazon Certificate Manager (ACM) within the selected region:

aws acm list-certificates \
	--region us-east-1

02 The command output should return the metadata (domain name and ARN) for all existing SSL/TLS certificates currently available in the US East (N. Virginia) region:

{
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:1234567890:certificate/f1c6999d-b027-4449-9694-55ce71b3655c",
            "DomainName": "cloudconformity.com"
        }
    ]
}

03 Run the describe-certificate command (OSX/Linux/UNIX) using the ARN of the certificate returned at the previous step as identifier, with a custom query filter to return only the current status of the selected SSL/TLS certificate:

aws acm describe-certificate \
	--region us-east-1 \
	--certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/f1c6999d-b027-4449-9694-55ce71b3655c \
	--query 'Certificate.Status'

04 The command output should return the status for the selected certificate:

"PENDING_VALIDATION"

If the current status is set to "PENDING_VALIDATION" (as shown in the example above), the issue/renewal request for the selected SSL/TLS certificate was not validated, therefore you need to resend the domain validation email or the certificate won't be issued/renewed (see Remediation/Resolution section).

05 Repeat steps no. 3 and 4 to check the validation status of the other SSL/TLS certificates managed by AWS ACM in the current region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.
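A way to apply steps 03 and 04 across many certificates without reading each status by hand, as an added example that is not Conformity's own code: it takes the JSON that aws acm describe-certificate returns (here a constructed sample with invented ARNs, account id and domains) and reports certificates still in PENDING_VALIDATION, which domains remain unvalidated and by which method, and how much of the 72-hour window is left. The Status, CreatedAt and DomainValidationOptions fields are standard describe-certificate output; the finding format and the audit timestamp are this example's own assumptions.

```python
"""Classify `aws acm describe-certificate` output for the ACM-005 check (offline; constructed data)."""
from datetime import datetime, timedelta, timezone

VALIDATION_WINDOW = timedelta(hours=72)  # validation deadline stated on this page
AUDIT_TIME = datetime(2017, 6, 11, 9, tzinfo=timezone.utc)  # assumed "now" for the sample run

# Constructed sample describe-certificate results; ARNs, account id and domains are not real.
SAMPLE_CERTIFICATES = [
    {"Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-PENDING",
        "Status": "PENDING_VALIDATION",
        "CreatedAt": "2017-06-10T09:00:00+00:00",
        "DomainValidationOptions": [
            {"DomainName": "www.example.com", "ValidationStatus": "SUCCESS", "ValidationMethod": "EMAIL"},
            {"DomainName": "api.example.com", "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL"},
        ]}},
    {"Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ISSUED",
        "Status": "ISSUED",
        "CreatedAt": "2017-01-01T00:00:00+00:00",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationStatus": "SUCCESS", "ValidationMethod": "DNS"}]}},
]


def audit_certificate(describe_output, now):
    """Return a finding dict for one certificate, or None when it needs no action under this rule."""
    cert = describe_output["Certificate"]
    if cert.get("Status") != "PENDING_VALIDATION":
        return None  # ISSUED, EXPIRED, etc. are outside the scope of ACM-005
    # Domains whose ownership check has not succeeded, with the validation method ACM expects.
    unvalidated = [(o["DomainName"], o.get("ValidationMethod", "EMAIL"))
                   for o in cert.get("DomainValidationOptions", [])
                   if o.get("ValidationStatus") != "SUCCESS"]
    deadline = datetime.fromisoformat(cert["CreatedAt"]) + VALIDATION_WINDOW
    hours_left = (deadline - now) / timedelta(hours=1)
    if hours_left <= 0:
        action = "request a new certificate (72-hour validation window elapsed)"
    elif any(method == "EMAIL" for _, method in unvalidated):
        action = "aws acm resend-validation-email for each unvalidated EMAIL domain"
    else:
        action = "complete the pending DNS validation records"
    return {"arn": cert["CertificateArn"], "unvalidated": unvalidated,
            "hours_left": round(hours_left, 1), "action": action}


def audit_region(describe_outputs, now):
    """Run the check over every certificate of one region and keep only the non-compliant ones."""
    return [f for f in (audit_certificate(d, now) for d in describe_outputs) if f]


if __name__ == "__main__":
    for finding in audit_region(SAMPLE_CERTIFICATES, AUDIT_TIME):
        print(finding)
```

To use it against a real region, feed each describe-certificate result (one per ARN from list-certificates) into audit_region with the current UTC time.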

Remediation / Resolution

To resend the domain validation email for any invalid SSL/TLS certificates using Amazon Certificate Manager console and API (CLI), perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS ACM dashboard at https://console.aws.amazon.com/acm/.

03 Select the SSL/TLS certificate that is not currently validated (see Audit section part I to identify the right certificate).

04 Click the Actions button from the dashboard top menu and select Resend validation email option from the dropdown menu.

05 Once the resend validation request is sent, an email requesting verification will be sent to the domain registrant, administrative, and technical contacts. A copy of this validation email will also be sent to the pre-determined addresses admin@yourdomain.com, administrator@yourdomain.com, postmaster@yourdomain.com, webmaster@yourdomain.com and hostmaster@yourdomain.com. After all hosts in the request are approved (by clicking the I Approve button on the Amazon Certificate Approvals page linked from the validation email), the selected SSL/TLS certificate will be issued/renewed.

06 Repeat steps no. 3 – 6 to validate other pending certificates, managed by AWS ACM in the selected region.

07 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run the resend-validation-email command (OSX/Linux/UNIX) using the ARN of the invalid SSL/TLS certificate (see Audit section part II to get the right resource ARN) to resend the email that requests domain ownership validation. Replace the fully qualified domain name (--domain parameter value) and the base validation domain that acts as the suffix of the recipient email addresses (--validation-domain parameter value) with your own domain (the command does not produce an output):

aws acm resend-validation-email \
	--certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/f1c6999d-b027-4449-9694-55ce71b3655c \
	--domain www.cloudconformity.com \
	--validation-domain cloudconformity.com

02 Once the resend validation request is sent, an email requesting verification will be sent to the domain registrant, administrative, and technical contacts. To approve the ACM certificate so it can be issued/renewed, click the link within the email to navigate to the Amazon Certificate Approvals page, then click the I Approve button.

03 Repeat step no. 1 and 2 to validate other pending certificates, managed by AWS ACM service in the selected region.

04 Change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.

Publication date Jun 12, 2017