Ensure that every request made during the SSL/TLS certificate issuance or renewal process is validated. These requests are managed within your account by AWS Certificate Manager (ACM), an AWS service that lets you provision, deploy and maintain SSL/TLS certificates for use with other AWS resources such as ELB load balancers, CloudFront distributions or APIs exposed through Amazon API Gateway.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When an ACM certificate request is not validated in time (i.e. within 72 hours after the request is made), the request times out and cannot be validated or resent afterwards; you will have to request a new SSL/TLS certificate, which can interrupt the applications or services that were waiting on it.
Note: AWS Certificate Manager automatically renews certificates issued by the service that are in use with other AWS resources. However, ACM does not automatically renew certificates that are not currently in use (i.e. no longer associated with any AWS resource), so for these the renewal process, including validation, must be completed manually before the certificates expire.
Audit
To determine if there are any AWS ACM certificate requests that are not currently validated within your AWS account, perform the following:
Remediation / Resolution
To resend the domain validation email for any SSL/TLS certificates still pending validation, using the AWS Certificate Manager console and the AWS CLI, perform the following actions:
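The audit and remediation above boil down to three CLI calls: `aws acm list-certificates --certificate-statuses PENDING_VALIDATION` to find outstanding requests, `aws acm describe-certificate` to see which domains are still unvalidated and how old the request is, and `aws acm resend-validation-email` for each email-validated domain that is still pending. The script below is an added example, not part of the Conformity rule or of AWS's own tooling: it takes the JSON that `describe-certificate` prints (the field names are the real CLI output shape; the ARN, domains, addresses and timestamps are constructed sample data), works out how much of the 72-hour window is left, and builds the exact `resend-validation-email` call per pending domain. It also handles the two cases the remediation text does not mention: a request that has already timed out (or is past 72 hours) cannot be resent and must be re-requested, and a DNS-validated domain has no email to resend, so the CNAME from `ResourceRecord` is reported instead.

```python
"""Audit an ACM certificate request that is pending validation and build the
matching `aws acm resend-validation-email` commands.

Added example (not part of the Conformity page). Only the Python standard
library is used; feed it the output of
    aws acm describe-certificate --certificate-arn <arn>
The sample below is constructed but uses the real CLI field names.
"""
import json
import shlex
from datetime import datetime, timedelta, timezone

# ACM times out a certificate request that is not validated within 72 hours.
VALIDATION_WINDOW = timedelta(hours=72)

# Constructed sample describe-certificate output: an email-validated request
# where the apex domain is validated but the www SAN is still pending.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                          "11111111-2222-3333-4444-555555555555",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "www.example.com"],
        "Status": "PENDING_VALIDATION",
        "Type": "AMAZON_ISSUED",
        "CreatedAt": "2024-03-10T08:00:00+00:00",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationDomain": "example.com",
             "ValidationStatus": "SUCCESS", "ValidationMethod": "EMAIL",
             "ValidationEmails": ["admin@example.com"]},
            {"DomainName": "www.example.com", "ValidationDomain": "example.com",
             "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL",
             "ValidationEmails": ["admin@example.com"]},
        ],
    }
})


def resend_command(arn, domain, validation_domain):
    """Build the AWS CLI call that re-sends the validation email for one domain."""
    return " ".join(["aws", "acm", "resend-validation-email",
                     "--certificate-arn", shlex.quote(arn),
                     "--domain", shlex.quote(domain),
                     "--validation-domain", shlex.quote(validation_domain)])


def audit_certificate(describe_json, now_iso=None):
    """Return the request state and the remediation action for each pending domain.

    now_iso lets the caller pin the clock (ISO-8601 with offset); default is UTC now.
    """
    cert = json.loads(describe_json)["Certificate"]
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    created = datetime.fromisoformat(cert["CreatedAt"])
    remaining = VALIDATION_WINDOW - (now - created)
    report = {
        "arn": cert["CertificateArn"],
        "status": cert["Status"],
        "hours_left": round(remaining.total_seconds() / 3600, 1),
        "must_reissue": cert["Status"] == "VALIDATION_TIMED_OUT" or remaining <= timedelta(0),
        "actions": [],
    }
    if report["must_reissue"]:
        # A timed-out request cannot be resent; only a fresh request-certificate helps.
        report["actions"].append("request-certificate")
        return report
    if cert["Status"] != "PENDING_VALIDATION":
        return report  # ISSUED, FAILED, REVOKED, ...: nothing to resend
    for opt in cert["DomainValidationOptions"]:
        if opt["ValidationStatus"] != "PENDING_VALIDATION":
            continue
        if opt.get("ValidationMethod") == "EMAIL":
            report["actions"].append(
                resend_command(report["arn"], opt["DomainName"], opt["ValidationDomain"]))
        else:
            # DNS validation: there is no email to resend; publish the CNAME instead.
            rr = opt["ResourceRecord"]
            report["actions"].append(f"create CNAME {rr['Name']} -> {rr['Value']}")
    return report


if __name__ == "__main__":
    # 48 hours after the sample request was created: 24 hours left, one resend needed.
    print(json.dumps(audit_certificate(SAMPLE_DESCRIBE_OUTPUT,
                                       now_iso="2024-03-12T08:00:00+00:00"), indent=2))
```

In practice you would loop over the ARNs returned by `aws acm list-certificates --certificate-statuses PENDING_VALIDATION`, pipe each `describe-certificate` result into `audit_certificate`, and run the emitted commands; anything reported with `must_reissue` set needs a new `aws acm request-certificate` call rather than a resend.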
References
- AWS Documentation
- What Is AWS Certificate Manager?
- ACM Certificate Characteristics
- Check a Certificate's Renewal Status
- Request a Domain Validation Email for Certificate Renewal
- AWS Command Line Interface (CLI) Documentation
- acm
- list-certificates
- describe-certificate
- resend-validation-email