How can I be notified when my ACM imported certificates are near expiration?


I imported an AWS Certificate Manager (ACM) certificate, and I want a reminder to reimport the certificate before it expires.

Short description

ACM doesn't provide managed renewal for imported certificates. To renew an imported certificate, first request a new certificate from your certificate issuer. Then, manually reimport the certificate into ACM.

To get a notification that your certificate is about to expire, use one of the following methods:

  • Use the ACM API in Amazon EventBridge to configure the ACM Certificate Approaching Expiration event.
  • Create a custom EventBridge rule to receive email notifications when certificates are near the expiration date.
  • Use AWS Config to check for certificates that are near the expiration date.
  • Create an Amazon CloudWatch alarm based on a static threshold when certificates are near the expiration date.

Resolution

Configure the "ACM Certificate Approaching Expiration" event in EventBridge

For certificates that are near their expiration date, ACM sends notifications through CloudWatch. By default, the ACM Certificate Approaching Expiration event is sent 45 days before a certificate's expiration. To configure the timing of this notification, first add the event as a rule in EventBridge.

Complete the following steps:

  1. Open the EventBridge console.
  2. In the navigation pane, choose Rules, and then choose Create rule.
  3. Enter a Name for your rule. The Description field is optional.
    Note: You must uniquely name rules that are in the same AWS Region and on the same event bus.
  4. For Event bus, select the event bus. To match the rule with events from your AWS account, select AWS default event bus so that the event goes to your account's default event bus.
  5. For Rule type, choose Rule with an event pattern, and then choose Next.
  6. For Event source, choose AWS events or EventBridge partner events.
  7. For Creation method, choose Use pattern form option.
  8. In the Event pattern section, complete the following steps:
    For Event source, choose AWS Services.
    For AWS service, choose Certificate Manager.
    For Event type, choose ACM Certificate Approaching Expiration.
  9. Choose Next.
  10. For Target types, choose AWS Service.
  11. For Select a target, select SNS topic, and then select the Amazon Simple Notification Service (Amazon SNS) topic.
  12. Choose Next.
  13. (Optional) Add tags.
  14. Choose Next.
  15. Review the rule's details, and then choose Create rule.

After you create the rule, you can change the timing of the expiration notification. In the ACM API's PutAccountConfiguration action, enter a value between 1 and 45 for DaysBeforeExpiry.

Note: To set up notifications for more than 45 days before a certificate's expiration, use one of the following methods.
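The PutAccountConfiguration step above, together with a check for imported certificates that already fall inside the chosen lead time, as an added example that is not part of the AWS article; it assumes boto3 with credentials configured, and the ACM client is passed in as a parameter so the logic can also be exercised with a stub:

```python
# Added example (not the article's code): set the lead time for the ACM expiry
# event and list IMPORTED certificates already inside that window, since ACM will
# not renew them. Assumes boto3 credentials; any client-like object can be passed.
import uuid
from datetime import datetime, timezone

DAYS_BEFORE_EXPIRY_RANGE = (1, 45)   # bounds ACM accepts for DaysBeforeExpiry

def validate_days_before_expiry(days):
    low, high = DAYS_BEFORE_EXPIRY_RANGE
    if not low <= days <= high:
        raise ValueError(f"DaysBeforeExpiry must be {low}-{high}, got {days!r}")
    return days

def set_days_before_expiry(acm, days):
    """PutAccountConfiguration: change when ACM emits the approaching-expiration event."""
    acm.put_account_configuration(
        ExpiryEvents={"DaysBeforeExpiry": validate_days_before_expiry(days)},
        IdempotencyToken=uuid.uuid4().hex,   # required by the API; makes retries safe
    )

def fetch_certificates(acm):
    """DescribeCertificate for every certificate in the Region (paginated)."""
    certs = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            certs.append(acm.describe_certificate(
                CertificateArn=summary["CertificateArn"])["Certificate"])
    return certs

def imported_certs_expiring_within(certs, days, now=None):
    """Return (arn, days_left) for IMPORTED certificates expiring within `days` days."""
    now = now or datetime.now(timezone.utc)
    hits = []
    for cert in certs:
        # NotAfter is missing on certificates that were never issued, so use .get()
        if cert.get("Type") == "IMPORTED" and cert.get("NotAfter") is not None:
            left = (cert["NotAfter"] - now).days
            if left <= days:
                hits.append((cert["CertificateArn"], left))
    return sorted(hits, key=lambda h: h[1])   # most urgent first; negative = expired

if __name__ == "__main__":
    import boto3
    acm = boto3.client("acm")
    set_days_before_expiry(acm, 30)
    for arn, left in imported_certs_expiring_within(fetch_certificates(acm), 30):
        print(f"{arn}: expires in {left} days, reimport required")
```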

Create a custom EventBridge rule

Use a custom event pattern with an EventBridge rule to match the acm-certificate-expiration-check AWS Config managed rule. Then, route the response to an Amazon SNS topic.

Complete the following steps:

  1. If you didn't create an Amazon SNS topic, then create one.
    Note: The Amazon SNS topic must be in the same AWS Region as your AWS Config service.

  2. Open the EventBridge console.

  3. Choose Rules, and then choose Create rule.

  4. For Name, enter a name for your rule.

  5. For Rule type, choose Rule with an event pattern, and then choose Next.

  6. For Event source, choose AWS events or EventBridge partner events.

  7. For Event pattern, choose Custom patterns (JSON editor).

  8. In the Event pattern preview pane, enter the following event pattern:

    {
      "source": [
        "aws.config"
      ],
      "detail-type": [
        "Config Rules Compliance Change"
      ],
      "detail": {
        "messageType": [
          "ComplianceChangeNotification"
        ],
        "configRuleName": [
          "acm-certificate-expiration-check"
        ],
        "resourceType": [
          "AWS::ACM::Certificate"
        ],
        "newEvaluationResult": {
          "complianceType": [
            "NON_COMPLIANT"
          ]
        }
      }
    }
  9. Choose Next.

  10. For Select a target, choose SNS topic.

  11. For Topic, choose your SNS topic.

  12. In the Configure target input dropdown list, choose Input transformer.

  13. Choose Configure input transformer.

  14. In the Input path text box, enter the following path:

    {
      "awsRegion": "$.detail.awsRegion",
      "resourceId": "$.detail.resourceId",
      "awsAccountId": "$.detail.awsAccountId",
      "compliance": "$.detail.newEvaluationResult.complianceType",
      "rule": "$.detail.configRuleName",
      "time": "$.detail.newEvaluationResult.resultRecordedTime",
      "resourceType": "$.detail.resourceType"
    }

  15. In the Input template text box, enter the following template:

    "On <time> AWS Config rule <rule> evaluated the <resourceType> with Id <resourceId> in the account <awsAccountId> region <awsRegion> as <compliance>."
    "For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=<awsRegion>#/timeline/<resourceType>/<resourceId>/configuration."
  16. Choose Confirm, and then choose Next.

  17. Choose Next again, and then choose Create rule.

When an event matches the rule's pattern, you receive an SNS email notification with the custom fields populated from the input path in step 14.

Example email notification:

"On ExampleTime AWS Config rule ExampleRuleName evaluated the ExampleResourceType with Id ExampleResource_ID in the account ExampleAccount_Id in Region ExampleRegion as ExamplecomplianceType.
For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=ExampleRegion#/timeline/ExampleResourceType/ExampleResource_ID/configuration"
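To see which AWS Config events the pattern in step 8 matches and what the input transformer in steps 14 and 15 produces, here is an added example (not from the article) that re-implements the small part of EventBridge's matching and input-transformer behaviour this rule relies on and runs it offline on a constructed AWS Config event; the sample ARN, account ID and timestamp are made up:

```python
# Added example (not the article's code): a small stand-in for EventBridge's pattern
# matching and input transformer, so the custom rule above can be tried offline.
import re
from functools import reduce

# The article's pattern: each key must be present, a leaf must equal one of the listed
# alternatives, and nested objects are matched recursively.
EVENT_PATTERN = {"source": ["aws.config"], "detail-type": ["Config Rules Compliance Change"],
    "detail": {"messageType": ["ComplianceChangeNotification"],
               "configRuleName": ["acm-certificate-expiration-check"],
               "resourceType": ["AWS::ACM::Certificate"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}}
INPUT_PATH = {"awsRegion": "$.detail.awsRegion", "resourceId": "$.detail.resourceId",
              "awsAccountId": "$.detail.awsAccountId", "rule": "$.detail.configRuleName",
              "compliance": "$.detail.newEvaluationResult.complianceType",
              "time": "$.detail.newEvaluationResult.resultRecordedTime",
              "resourceType": "$.detail.resourceType"}
TEMPLATE = ("On <time> AWS Config rule <rule> evaluated the <resourceType> with Id "
            "<resourceId> in the account <awsAccountId> region <awsRegion> as <compliance>.")

def matches(pattern, event):
    """Exact-match subset of EventBridge pattern semantics (no prefix/anything-but)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not (isinstance(event[key], dict) and matches(expected, event[key])):
                return False
        elif event[key] not in expected:
            return False
    return True

def transform(event):
    """Render the SNS message, or return None when the rule would not fire at all."""
    if not matches(EVENT_PATTERN, event):
        return None
    # walk each '$.a.b' input path through the nested event dicts (drop the leading '$')
    values = {name: reduce(lambda node, key: node[key], path.split(".")[1:], event)
              for name, path in INPUT_PATH.items()}
    return re.sub(r"<(\w+)>", lambda m: str(values[m.group(1)]), TEMPLATE)

# Constructed sample event in the shape AWS Config publishes; all values are made up.
SAMPLE_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "detail": {"awsRegion": "us-east-1", "awsAccountId": "111122223333",
               "messageType": "ComplianceChangeNotification",
               "configRuleName": "acm-certificate-expiration-check",
               "resourceType": "AWS::ACM::Certificate",
               "resourceId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT",
                                       "resultRecordedTime": "2024-06-01T00:00:00.000Z"}}}
print(transform(SAMPLE_EVENT))
```

A COMPLIANT evaluation of the same certificate yields no message, which is why the pattern pins complianceType to NON_COMPLIANT.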

Create an AWS Config rule

First, create the Amazon SNS topic and EventBridge rule so that noncompliant certificates invoke a notification before the expiration date.

Note: When you use AWS Config, you incur charges. For more information, see AWS Config pricing.

To create the AWS Config rule, complete the following steps:

  1. Open the AWS Config console.
  2. Choose Rules, and then choose Add rule.
  3. In Select rule type, choose Add AWS managed rule.
  4. For AWS Managed Rules, choose acm-certificate-expiration-check, and then choose Next.
  5. On the Parameters page, for the daysToExpiration key, enter in Value the number of days before expiration at which you want the rule to flag a certificate.
    Note: The acm-certificate-expiration-check AWS Config rule marks a certificate as Noncompliant when it expires within the number of days that you enter.
  6. Choose Next, and then choose Add rule.

Create a CloudWatch alarm based on a static threshold

Complete the following steps:

  1. Open the CloudWatch console.
  2. In the navigation pane, choose Alarms, and then choose All alarms.
  3. Choose Create alarm, and then choose Select metric.
  4. Choose Certificate Manager, and then choose Usage.
  5. On the Metrics page, select the metric, and then choose Select metric.
  6. On the Specify metric and conditions page, for Statistic, choose Minimum.
  7. For Period, choose 1 day.
  8. For Whenever AllCount is..., choose Lower/Equal, and then for than..., enter the number of days before expiration at which you want the alarm to go into the alarm state.
  9. Choose Next.
  10. For Notification, choose In alarm.
  11. For Send a notification to the following SNS topic, choose Select an existing SNS topic, or Create new topic, and then choose Next.
  12. Enter an alarm name, and then choose Next.
  13. Choose Create alarm.

For more information, see Create a CloudWatch alarm based on a static threshold.

Related information

Issuing and managing certificates

How can I be notified when an AWS resource is non-compliant using AWS Config?

Security best practices for AWS Config

AWS OFFICIAL