ACM Expiration Monitoring

Oguzhan
2 min readFeb 24, 2023

I want to talk about Certificate expiry monitoring. There are many different ways possible to check certificate expiration to ACM. I tried different ways, like Lambda function, and Eventbridge. In this case, we have organizations. It means has a lot of accounts here and also a possible new one creates. Let’s see how we designed this.

ACM Expiration Check Diagram

In the above diagram, the sample has one organization and one root account and n different accounts. Also, each account can be a possible certificate in ACM.

How it’s working?

Firstly, we chose AWS Config, because config allows organization-level tracing. In this method
AWS Config side, we deployed an organization conformance pack for ACM expiration control, and the daysToExpiration parameter set 10 days for our environment. By the way, we already update each certificate every 90 days(let’s encrypt). But we sometimes miss about rate limit or another hidden case.

Parameters:
daysToExpiration:
Type: String
Resources:
ACMExpireCheck:
Type: "AWS::Config::ConfigRule"
Properties:
ConfigRuleName: "acm-certificate-expiration-check"
Scope:
ComplianceResourceTypes:
- "AWS::ACM::Certificate"
Description: "A config rule that checks whether ACM Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import."
Source:
Owner: "AWS"
SourceIdentifier: "ACM_CERTIFICATE_EXPIRATION_CHECK"
MaximumExecutionFrequency: "TwentyFour_Hours"

When the config conformance pack is ready for organization, the second case is important, because the config service default is passive, we need to enable config service. In this case, manual operation can be complicated. We choose to terraform for this case.

Try to bridge an event

On the Eventbridge side, I followed the below document;

Conclusion

For this reason, the map maybe looks complicated, also as I mentioned before there are many possible different ways could be, but we try to handle best practice, and best practices sometimes can not suitable for all organizations, because every organization have a different lifecycle. We have dozens of accounts and a new account is created every month.

--

--

Oguzhan

Solutions Architect, #AWS, food, chess, books and cheese lover. Philosophy 101.