Ensure that every pending SSL/TLS certificate request, whether for a new certificate or a renewal, is validated before it times out. These requests are managed within your account by AWS Certificate Manager (ACM), an AWS service that lets you provision, deploy and maintain SSL/TLS certificates for use with other AWS resources such as ELB load balancers, CloudFront distributions or APIs published through Amazon API Gateway.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When an ACM certificate request is not validated on time (within 72 hours of the request being made), the request times out: the certificate's status changes to VALIDATION_TIMED_OUT, it cannot be validated retroactively, and you have to request a new SSL/TLS certificate. Until that replacement is issued and deployed, the applications or services waiting on the certificate can be interrupted.
Note: AWS Certificate Manager automatically renews certificates it issued that are in use with other AWS resources. It does not automatically renew certificates that are not in use (i.e. no longer associated with any AWS resource), so those must be renewed manually, validation included, before they expire. For email-validated certificates, even managed renewal depends on someone responding to the renewal validation email that ACM sends to the domain contacts, so those requests need watching as well.
To determine if there are any AWS ACM certificate requests that are not currently validated within your AWS account, perform the following:
To resend the domain validation email for any certificate request that is still pending validation, using the AWS Certificate Manager console or the API (CLI), perform the following actions (a request that has already timed out cannot be resent and must be submitted again):
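The audit and the remediation above, combined into one script as an added example (this is not Cloud Conformity's or AWS's own code). It uses the real boto3 ACM operation names (list_certificates, describe_certificate, resend_validation_email), but the FakeAcm client, the account ID, ARNs and domains are constructed so that it runs offline; swap FakeAcm for boto3.client("acm") to run it against a real account. It also goes one step beyond the page: it reports how many of the 72 hours remain for each pending request, prints the CNAME that DNS-validated requests still need (there is nothing to resend for those), and flags timed-out requests as needing a fresh request rather than a resend.

```python
"""Audit ACM requests still waiting for (or timed out of) domain validation and
resend the validation email where ACM still allows it. Added example, not
Cloud Conformity's or AWS's code; FakeAcm and all identifiers are constructed."""
from datetime import datetime, timedelta, timezone

VALIDATION_WINDOW = timedelta(hours=72)  # ACM times out an unvalidated request after 72 h
UNVALIDATED = ["PENDING_VALIDATION", "VALIDATION_TIMED_OUT"]
DEMO_NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for the fake data


def list_unvalidated(acm):
    """Page through list_certificates and return the ARNs of every request
    that is pending validation or has already timed out."""
    arns, token = [], None
    while True:
        kwargs = {"CertificateStatuses": UNVALIDATED}
        if token:
            kwargs["NextToken"] = token
        page = acm.list_certificates(**kwargs)
        arns.extend(c["CertificateArn"] for c in page["CertificateSummaryList"])
        token = page.get("NextToken")
        if not token:
            return arns


def remediate(acm, arn, now, dry_run=False):
    """Classify one request and, for pending EMAIL validations, resend the
    validation mail. Returns a report dict instead of printing so the result
    can be asserted on or fed to a ticketing system."""
    cert = acm.describe_certificate(CertificateArn=arn)["Certificate"]
    report = {"arn": arn, "domain": cert["DomainName"],
              "status": cert["Status"], "actions": []}
    if cert["Status"] == "VALIDATION_TIMED_OUT":
        # Past the 72-hour window: ACM will not revive the request, so the
        # only fix is a new request_certificate call.
        report["actions"].append("request a new certificate")
        return report
    remaining = VALIDATION_WINDOW - (now - cert["CreatedAt"])
    report["hours_left"] = max(0, int(remaining.total_seconds() // 3600))
    for opt in cert["DomainValidationOptions"]:
        if opt["ValidationStatus"] == "SUCCESS":
            continue  # this domain is already validated
        if opt["ValidationMethod"] == "EMAIL":
            if not dry_run:
                acm.resend_validation_email(CertificateArn=arn, Domain=opt["DomainName"],
                                            ValidationDomain=opt["ValidationDomain"])
            report["actions"].append(f"resent validation email for {opt['DomainName']}")
        else:
            # DNS validation: nothing to resend, the CNAME has to be published
            rr = opt["ResourceRecord"]
            report["actions"].append(f"publish CNAME {rr['Name']} -> {rr['Value']}")
    return report


def audit(acm, now=None, dry_run=False):
    """Run remediate() over every unvalidated request in the account."""
    now = now or datetime.now(timezone.utc)
    return [remediate(acm, arn, now, dry_run) for arn in list_unvalidated(acm)]


class FakeAcm:
    """Constructed stand-in for boto3.client('acm'): canned responses shaped
    like the real API, served as two pages holding three requests."""
    def __init__(self, now=DEMO_NOW):
        pfx = "arn:aws:acm:us-east-1:123456789012:certificate/"  # fictitious account
        self.resent = []
        self.certs = {
            pfx + "email-1": {
                "DomainName": "www.example.com", "Status": "PENDING_VALIDATION",
                "CreatedAt": now - timedelta(hours=10),
                "DomainValidationOptions": [{
                    "DomainName": "www.example.com", "ValidationDomain": "example.com",
                    "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL"}]},
            pfx + "dns-2": {
                "DomainName": "api.example.net", "Status": "PENDING_VALIDATION",
                "CreatedAt": now - timedelta(hours=70),
                "DomainValidationOptions": [{
                    "DomainName": "api.example.net", "ValidationDomain": "api.example.net",
                    "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "DNS",
                    "ResourceRecord": {"Name": "_abc.api.example.net.", "Type": "CNAME",
                                       "Value": "_xyz.acm-validations.aws."}}]},
            pfx + "old-3": {
                "DomainName": "shop.example.org", "Status": "VALIDATION_TIMED_OUT",
                "CreatedAt": now - timedelta(days=5), "DomainValidationOptions": []},
        }

    def list_certificates(self, CertificateStatuses, NextToken=None):
        arns = [a for a, c in self.certs.items() if c["Status"] in CertificateStatuses]
        if NextToken is None:  # first page holds two entries, second page the rest
            return {"CertificateSummaryList": [{"CertificateArn": a} for a in arns[:2]],
                    "NextToken": "page2"}
        return {"CertificateSummaryList": [{"CertificateArn": a} for a in arns[2:]]}

    def describe_certificate(self, CertificateArn):
        return {"Certificate": dict(self.certs[CertificateArn], CertificateArn=CertificateArn)}

    def resend_validation_email(self, CertificateArn, Domain, ValidationDomain):
        self.resent.append((CertificateArn, Domain, ValidationDomain))
        return {}


if __name__ == "__main__":
    for entry in audit(FakeAcm(), DEMO_NOW):
        print(entry)
```

Run it with dry_run=True first to see which requests would receive a resent email; the real ResendValidationEmail call goes to the domain's WHOIS and admin@/administrator@/hostmaster@/postmaster@/webmaster@ contacts, so resending blindly for a domain you no longer control is noise at best.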