Ensure that the SSL/TLS certificates stored in AWS IAM are renewed at least 7 (seven) days before their validity period ends.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
When an SSL/TLS certificate is not renewed before its expiration date it becomes invalid: clients that validate the certificate (browsers, API clients, monitoring agents) reject the TLS handshake or display a warning, so communication between the client and the AWS resource that serves the certificate (e.g. an AWS ELB HTTPS listener) either fails outright or continues only after the user overrides the warning, and can no longer be considered secure.
Note: This guide uses the Elastic Load Balancer (ELB) as the AWS resource that implements server certificates managed by IAM, and assumes that the ELBs being checked use valid SSL/TLS certificates for their HTTPS/SSL front-end listeners.
To determine whether any SSL/TLS certificate currently stored in IAM expires within the next 7 days, perform the following:
Note: Retrieving certificate expiration information via the AWS Management Console is not currently supported. To request information about the SSL/TLS certificates stored in AWS IAM, use the AWS Command Line Interface (CLI).
To renew (replace) the SSL/TLS certificates currently deployed on your Elastic Load Balancers, perform the following:
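The two procedures above, the expiry audit and the ELB certificate replacement, can be scripted against the same IAM data the CLI returns. The example below is added here and is not part of the original Cloud Conformity rule page. It assumes the boto3 IAM call `list_server_certificates` (the same data as `aws iam list-server-certificates`), whose `ServerCertificateMetadataList` entries carry an `Expiration` timestamp, plus `upload_server_certificate` and the classic ELB call `set_load_balancer_listener_ssl_certificate` for the replacement step. The certificate list and the clock are constructed sample data so the audit logic runs offline; the `--live` flag, the account ID and the certificate names are placeholders for illustration.

```python
"""Audit IAM server certificates for expiry within a renewal window and,
optionally, rotate the certificate on a classic ELB HTTPS listener.
Added example, not code from the original rule page."""
import math
import sys
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 7  # the rule's threshold: renew at least 7 days before expiry

# Constructed sample data shaped like IAM's ServerCertificateMetadataList
# (the JSON that `aws iam list-server-certificates` prints). The dates are
# fixed relative to a fixed "now" so the audit below is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNT = "123456789012"  # placeholder account ID
SAMPLE_CERTS = [
    {"ServerCertificateName": "web-prod",
     "Arn": f"arn:aws:iam::{ACCOUNT}:server-certificate/web-prod",
     "Expiration": NOW + timedelta(days=3)},          # must be renewed now
    {"ServerCertificateName": "web-stage",
     "Arn": f"arn:aws:iam::{ACCOUNT}:server-certificate/web-stage",
     "Expiration": NOW + timedelta(days=40)},         # still fine
    {"ServerCertificateName": "legacy",
     "Arn": f"arn:aws:iam::{ACCOUNT}:server-certificate/legacy",
     "Expiration": NOW - timedelta(days=2)},          # already expired
]


def days_until_expiry(cert, now):
    """Days (float, negative if already expired) from `now` to the cert's Expiration.
    Accepts a datetime (boto3) or an ISO-8601 string (raw CLI JSON, '...Z')."""
    exp = cert["Expiration"]
    if isinstance(exp, str):
        exp = datetime.fromisoformat(exp.replace("Z", "+00:00"))
    if exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    return (exp - now).total_seconds() / 86400


def find_expiring(certs, now, window_days=RENEWAL_WINDOW_DAYS):
    """Return the certificates that expire within `window_days` of `now`.
    Already-expired certificates are included: they are the worst case."""
    hits = []
    for cert in certs:
        days = days_until_expiry(cert, now)
        if days <= window_days:
            hits.append({"name": cert["ServerCertificateName"],
                         "arn": cert["Arn"],
                         "days_left": math.floor(days)})
    return hits


def list_iam_server_certificates(iam):
    """Collect every IAM server certificate, following pagination (boto3 IAM client)."""
    certs = []
    for page in iam.get_paginator("list_server_certificates").paginate():
        certs.extend(page["ServerCertificateMetadataList"])
    return certs


def rotate_elb_listener_certificate(iam, elb, lb_name, port, new_name,
                                    cert_body, private_key, chain=None):
    """Upload the renewed certificate to IAM and point the ELB listener at it.
    Returns the new certificate ARN. The old IAM certificate is deliberately
    left in place so the change can be rolled back; delete it separately once
    no listener references it."""
    kwargs = {"ServerCertificateName": new_name,
              "CertificateBody": cert_body, "PrivateKey": private_key}
    if chain:
        kwargs["CertificateChain"] = chain
    arn = iam.upload_server_certificate(**kwargs)["ServerCertificateMetadata"]["Arn"]
    elb.set_load_balancer_listener_ssl_certificate(
        LoadBalancerName=lb_name, LoadBalancerPort=port, SSLCertificateId=arn)
    return arn


if __name__ == "__main__":
    if "--live" in sys.argv:          # placeholder flag: query the real account
        import boto3
        certs, now = list_iam_server_certificates(boto3.client("iam")), datetime.now(timezone.utc)
    else:                             # offline: use the constructed sample
        certs, now = SAMPLE_CERTS, NOW
    for hit in find_expiring(certs, now):
        state = "EXPIRED" if hit["days_left"] < 0 else "expires soon"
        print(f'{state}: {hit["name"]} ({hit["arn"]}) days_left={hit["days_left"]}')
```

Run it without arguments to see the audit on the sample data; with `--live` it needs AWS credentials with `iam:ListServerCertificates`. A certificate exactly 7 days from expiry is reported, matching the rule's "at least 7 days" threshold. The rotation helper uploads first and only then switches the listener, so the listener never references a certificate that does not yet exist in IAM.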