Certificate used by Elastic Load Balancers in an unrecognized AWS account?


I'm deleting an obsolete certificate, but Cert Manager shows it's in use by 5 load balancers. I scoured my account for services using these load balancers, but found nothing. Then I noticed the ARNs indicate the load balancers are in a different AWS account.

I don't recognize the account number, nor do I recall making the cert available to another account. I'm concerned I may have been hacked.

How do I figure out who/what is using the certs? How can I remove these dependencies so I can delete the cert?

Thanks, Sean

3 Answers
Accepted Answer

These ARNs may belong to ALBs created by regional API Gateway endpoints.


answered 2 years ago


You cannot delete an ACM certificate that is being used by another AWS service. To delete a certificate that is in use, you must first remove the certificate association. This is done using the console or CLI for the associated service. Open the ACM console at https://console.aws.amazon.com/acm/

Link- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-delete.html

Similarly, defining a custom endpoint for your domain in Amazon ElasticSearch Service (Amazon ES) creates an Application Load Balancer. The Application Load Balancer is owned by the ElasticSearch service, not by your account. The ACM certificate provided with creating the custom endpoint is associated with the Application Load Balancer.

The below link will help you locate the certificate: https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-resources/

Gathering details about the specific certificate might also be of use, and that can be done by following this link: https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-describe.html

Hope this helps. Thanks for reaching out.

AWS
answered 2 years ago

Upon further research, the ARNs are Gateway API regional endpoints using AWS system accounts, for example: arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-626/b90fa9e7c54b1b67

My Gateway APIs in that region do NOT use this cert for custom domains.

How can I determine if these are references to deleted or extant APIs? The cert expires soon, so I want to avoid things breaking when it does.

If they do reference deleted APIs, how can I remove the cert?

Thanks, Sean

answered 2 years ago
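An added example, not code from any of the answers above, that automates the check this thread describes: it reads the certificate's InUseBy list, splits the ARNs into ones owned by your account and ones owned by other (AWS service) accounts, and lists the API Gateway custom domain names in the same region that reference the certificate. The boto3 client names and response keys are the real ones; the account 111111111111 and the second load balancer in the sample are made up.

```python
"""Sort ACM InUseBy ARNs by account; find API Gateway custom domains using the cert."""
from collections import namedtuple

Arn = namedtuple("Arn", "partition service region account resource")

# Constructed sample: first ARN is the one quoted in the question; the second
# is a made-up load balancer in a made-up "own" account 111111111111.
SAMPLE_IN_USE_BY = [
    "arn:aws:elasticloadbalancing:us-east-1:392220576650:loadbalancer/app/prod-iad-1-cdtls-1-2-626/b90fa9e7c54b1b67",
    "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/my-alb/0123456789abcdef",
]

def parse_arn(arn):
    """Split an ARN into its six fields; the resource part may contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])

def classify_in_use_by(in_use_by, own_account):
    """Return {'own': [...], 'foreign': [...]} keyed on each ARN's account field."""
    result = {"own": [], "foreign": []}
    for arn in in_use_by:
        key = "own" if parse_arn(arn).account == own_account else "foreign"
        result[key].append(arn)
    return result

def domains_using_certificate(cert_arn, rest_domains, http_domains):
    """Custom domain names whose configuration references cert_arn.
    rest_domains: 'items' of apigateway.get_domain_names() (REST APIs);
    http_domains: 'Items' of apigatewayv2.get_domain_names() (HTTP/WebSocket)."""
    hits = set()
    for d in rest_domains:
        if cert_arn in (d.get("regionalCertificateArn"), d.get("certificateArn")):
            hits.add(d["domainName"])
    for d in http_domains:
        for cfg in d.get("DomainNameConfigurations", []):
            if cfg.get("CertificateArn") == cert_arn:
                hits.add(d["DomainName"])
    return sorted(hits)

if __name__ == "__main__":  # live run: needs boto3 and credentials
    import sys, boto3
    cert_arn, region = sys.argv[1], parse_arn(sys.argv[1]).region
    cert = boto3.client("acm", region_name=region).describe_certificate(CertificateArn=cert_arn)["Certificate"]
    own = boto3.client("sts").get_caller_identity()["Account"]
    print(classify_in_use_by(cert.get("InUseBy", []), own))
    rest = boto3.client("apigateway", region_name=region).get_domain_names().get("items", [])
    http = boto3.client("apigatewayv2", region_name=region).get_domain_names().get("Items", [])
    print(domains_using_certificate(cert_arn, rest, http))
```

Foreign-account ARNs with no matching custom domain in your account are the ones to raise with AWS Support, since only the owning service can detach them.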
