AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How do I get notified when my ACM imported certificates are near expiration?

6 minute read

I imported an AWS Certificate Manager (ACM) certificate, and I want a reminder to reimport the certificate before it expires.

Short description

To get a notification that your certificate is about to expire, use one of the following methods:

Configure the ACM Certificate Approaching Expiration event.
Create a custom Amazon EventBridge rule and AWS Config rule.
Create an Amazon CloudWatch alarm.

By default, the ACM Certificate Approaching Expiration event sends notifications 45 days before an event's expiration. You can change the day, but you can't exceed 45 days. To set up notifications for more than 45 days before an event's expiration, use a custom EventBridge rule or CloudWatch alarm.

Resolution

Configure the ACM Certificate Approaching Expiration event in EventBridge

Prerequisite: If you don't have an Amazon Simple Notification Service (Amazon SNS) topic, then create a topic.

Complete the following steps:

Open the EventBridge console.
In the navigation pane, choose Rules, and then choose Create rule.
Enter a Name for your rule.
Note: You must uniquely name rules that are in the same AWS Region and on the same event bus.
For Event bus, select the event bus. To match the rule with events from your AWS account, select AWS default event bus so that the event goes to your account's default event bus.
For Rule type, choose Rule with an event pattern, and then choose Next.
For Event source, choose AWS events or EventBridge partner events.
For Creation method, choose Use pattern form option.
In the Event pattern section, complete the following steps:
For Event source, choose AWS Services.
For AWS service, choose Certificate Manager.
For Event type, choose ACM Certificate Approaching Expiration.
Choose Next.
For Target types, choose AWS Service.
For Select a target, choose SNS topic, and then select the Amazon SNS topic.
Choose Next.
(Optional) Add tags.
Choose Next.
Review the rule's details, and then choose Create rule.

After you create the rule, you can change the date that you receive the expiration notification. In the PutAccountConfiguration ACM API operation, enter a value between 1-45 for DaysBeforeExpiry.

Create a custom EventBridge rule and AWS Config rule

Prerequisite: If you don't have an Amazon SNS topic, then create a topic.

Use a custom event pattern with an EventBridge rule to match the acm-certificate-expiration-check AWS Config managed rule. Then, route the response to an Amazon SNS topic. The Amazon SNS topic must be in the same AWS Region as your AWS Config service.

Note: When you use AWS Config, you incur charges. For more information, see AWS Config pricing.

Create the EventBridge rule

Complete the following steps:

Open the EventBridge console.
Choose Rules, and then choose Create rule.
For Name, enter a name for your rule.
For Rule type, choose Rule with and event pattern, and then choose Next.
For Event source, choose AWS events or EventBridge partner events.
For Event pattern, choose Custom patterns (JSON editor).

In the Event pattern preview pane, enter the following event pattern:

{  "source": [    "aws.config"
  ],
  "detail-type": [
    "Config Rules Compliance Change"
  ],
  "detail": {
    "messageType": [
      "ComplianceChangeNotification"
    ],
    "configRuleName": [
      "acm-certificate-expiration-check"
    ],
    "resourceType": [
      "AWS::ACM::Certificate"
    ],
    "newEvaluationResult": {
      "complianceType": [
        "NON_COMPLIANT"
      ]
    }
  }
}

Choose Next.
For Select a target, choose SNS topic.
For Topic, select your SNS topic.
In the Configure target input dropdown list, choose Input transformer.
Choose Configure input transformer.

In the Input path text box, enter the following path:

{  "awsRegion": "$.detail.awsRegion",  "resourceId": "$.detail.resourceId",
  "awsAccountId": "$.detail.awsAccountId",
  "compliance": "$.detail.newEvaluationResult.complianceType",
  "rule": "$.detail.configRuleName",
  "time": "$.detail.newEvaluationResult.resultRecordedTime",
  "resourceType": "$.detail.resourceType"
}

In the Template text box, enter the following template:

"On example_time AWS Config rule example_rule evaluated the example_resourceType with Id example_resourceId in the account example_awsAccountId region example_awsRegion as example_compliancetype.""For more details open the AWS Config console at https://console.aws.amazon.com/config/home?region=awsRegion#/timeline/resourceType/resourceId/configuration."

Note: Replace the example values with your values.

Choose Confirm, and then choose Next.
Choose Next again, and then choose Create rule.

If ACM activates an event type, then you receive an SNS email notification.

Create the AWS Config rule

To create the AWS Config rule, complete the following steps:

Open the AWS Config console.
In the navigation pane, choose Rules, and then choose Add rule.
In Select rule type, choose Add AWS managed rule.
For AWS Managed Rules, choose acm-certificate-expiration-check, and then choose Next.
On the Parameters page, for Value, enter the number of days that you want the rule to invoke in the daysToExpiration key.
Note: If certificates are near the expiration date from the number of days that you enter, then the acm-certificate-expiration-check rule identifies the rule as NON_COMPLIANT.
Choose Next, and then choose Add rule.

Create a CloudWatch alarm based on a static threshold

Complete the following steps:

Open the CloudWatch console.
In the navigation pane, choose Alarms, and then choose All alarms.
Choose Create alarm, and then choose Select metric.
Choose Certificate Manager, and then choose Certificate Metrics.
On the Metrics page, select the metric, and then choose Select metric.
On the Specify metric and conditions page, for Statistic, choose Minimum.
For Period, choose 1 day.
For Whenever DaysToExpiry is..., choose Lower/Equal, and then set than... to the number of days that you want the alarm to run before expiration.
Choose Next.
For Notification, choose In alarm.
For Send a notification to the following SNS topic, choose Select an existing SNS topic, or Create new topic, and then choose Next.
Enter an alarm name, choose Next.
Choose Create alarm.

For more information, see Create a CloudWatch alarm based on a static threshold.

Related information

Reimport a certificate

Getting started with AWS Certificate Manager certificates

How can I use AWS Config to be notified when an AWS resource is non-compliant?

Security best practices for AWS Config

Topics: Security, Identity, & Compliance
Tags: AWS Certificate Manager
Language: English

AWS OFFICIALUpdated 4 months ago

No comments

Relevant content

ACM Notifications for expiring certificates
Accepted Answer
Rajeev Sakhuja
asked 6 years ago
Unable to get notification for ACM Soon Expiring Cert
McDs23
asked 3 years ago
HELP please! URG: SSL/TLS certificate from AWS Certificate Manager (ACM) in my AWS account expired
Ale
asked 2 years ago
Getting "URGENT Action Required - Your certificate renewal" emails, but certificate has status "Issued" in AWS ACM console
jmcquaid
asked 3 years ago
Verify alert email associated with expiring TLS certificates in ACM
Accepted Answer
joeyp
asked 3 years ago
How do I get notified when my ACM certificate is about to be renewed?
AWS OFFICIALUpdated 2 years ago
How do I get notified when the certificate associated to the Client VPN endpoint is about to expire?
AWS OFFICIALUpdated 2 years ago
How do I get notified when my CRL associated with Client VPN endpoint is about to expire?
AWS OFFICIALUpdated 2 years ago
How can I resolve certificate expired or "invalid certificate" errors when invoking an API Gateway API using a custom domain name?
AWS OFFICIALUpdated a year ago
AWS re:Post Knowledge Center Spotlight: AWS Certificate Manager (ACM)
EXPERT
AWS Official
published 2 years ago