
ACM certificate expires in more than the configured threshold of days

acm_certificates_expiration_check

Severity: high
Service: acm
by Prowler

Each ACM certificate is assessed for its remaining validity against a configurable threshold in days. Certificates that expire within the threshold, or that have already expired, are reported. The check covers certificates attached to AWS resources and, when unused resources are in scope for the scan, unattached ones as well.
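The logic the check applies, written out as an added example (this is not Prowler's own code). It operates on the dictionary shape that boto3's acm.describe_certificate() returns, so the same functions can be fed from a real account through fetch_certificates() or from the constructed sample at the bottom. The 7-day default, the ARNs and the domain names are assumptions made for the example.

```python
"""Evaluate ACM certificates against an expiry threshold (added example, not Prowler's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Assumption for this example: the threshold is configurable in Prowler; 7 days is a placeholder.
DEFAULT_THRESHOLD_DAYS = 7


@dataclass
class Finding:
    arn: str
    domain: str
    days_left: int      # negative once the certificate has expired
    in_use: bool        # True when ACM lists consumers in InUseBy
    status: str         # "PASS" or "FAIL"
    detail: str


def evaluate_certificate(cert: dict, now: datetime, threshold_days: int) -> Optional[Finding]:
    """One finding per describe_certificate() 'Certificate' dict; None if it has no NotAfter yet."""
    not_after = cert.get("NotAfter")
    if not_after is None:  # PENDING_VALIDATION / FAILED certificates carry no expiry date
        return None
    days_left = (not_after - now).days
    in_use = bool(cert.get("InUseBy"))
    if days_left < 0:
        status, detail = "FAIL", f"expired {-days_left} day(s) ago"
    elif days_left <= threshold_days:
        status, detail = "FAIL", f"expires in {days_left} day(s), within the {threshold_days}-day threshold"
    else:
        status, detail = "PASS", f"expires in {days_left} day(s)"
    # ACM only auto-renews certificates it reports as ELIGIBLE; call out the ones it will not renew.
    if cert.get("Type") == "AMAZON_ISSUED" and cert.get("RenewalEligibility") == "INELIGIBLE":
        detail += "; ACM will not auto-renew it (RenewalEligibility=INELIGIBLE)"
    return Finding(cert["CertificateArn"], cert.get("DomainName", ""), days_left, in_use, status, detail)


def run_check(certs: Iterable[dict], now: datetime,
              threshold_days: int = DEFAULT_THRESHOLD_DAYS,
              include_unused: bool = True) -> List[Finding]:
    """Apply the threshold to every certificate; skip unattached ones unless include_unused is set."""
    findings = []
    for cert in certs:
        if not include_unused and not cert.get("InUseBy"):
            continue
        finding = evaluate_certificate(cert, now, threshold_days)
        if finding is not None:
            findings.append(finding)
    return findings


def fetch_certificates(acm) -> Iterable[dict]:
    """Yield full certificate records from a boto3 ACM client (pass boto3.client('acm'); boto3 is not imported here)."""
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            yield acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]


# Constructed sample: four certificates as of a fixed "now" (hypothetical ARNs and domains).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa", "DomainName": "api.example.com",
     "Status": "ISSUED", "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=90),
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/abc123/def456"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/bbbb", "DomainName": "www.example.com",
     "Status": "ISSUED", "Type": "AMAZON_ISSUED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW + timedelta(days=5),
     "InUseBy": ["arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/cccc", "DomainName": "old.example.com",
     "Status": "EXPIRED", "Type": "IMPORTED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW - timedelta(days=3), "InUseBy": []},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/dddd", "DomainName": "new.example.com",
     "Status": "PENDING_VALIDATION", "Type": "AMAZON_ISSUED", "InUseBy": []},
]

if __name__ == "__main__":
    for f in run_check(SAMPLE_CERTS, NOW, threshold_days=7):
        print(f.status, f.arn, f.detail)
```

Against the sample, the 90-day certificate passes, the 5-day one fails (and is flagged as not auto-renewable), the expired imported certificate fails, and the pending one produces no finding because it has no expiry yet. Passing include_unused=False drops the unattached expired certificate, which is the behaviour to expect when unused resources are excluded from the scan.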

Risk

Expired or near-expiry TLS certificates break handshakes, causing service outages and failed API calls (availability). Fixes made under time pressure raise the risk of misconfiguration, such as disabling certificate verification on clients or enabling weak cipher suites, which opens the door to MITM and data exposure (confidentiality/integrity).

Run this check with Prowler CLI

prowler aws --checks acm_certificates_expiration_check

Recommendation

Adopt automated certificate lifecycle management: prefer ACM-issued certs with auto-renewal, or integrate imports with an automated renewal/rotation pipeline. Track expirations with alerts, enforce least privilege for cert operations, remove unused certs, and test rollovers to avoid downtime.

Remediation

Other
  1. In the AWS Console, open Certificate Manager (ACM)
  2. If the expiring certificate is ACM-issued: select it and make sure validation is still in place (Create records in Route 53, or add the shown CNAME at your DNS provider); ACM managed renewal only proceeds while the validation records resolve
  3. If the expiring certificate is imported: click Import a certificate, upload the new certificate and private key, then save
  4. Update the service to use the new/renewed certificate:
    • ALB/NLB: EC2 > Load Balancers > Listeners > Edit > Change certificate to the new ACM certificate
    • CloudFront: Distributions > Edit > Viewer certificate > Select the new ACM certificate
    • API Gateway: Custom domain names > Edit > Choose the new ACM certificate
  5. Verify the old certificate is no longer in use; delete it if not needed
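Steps 4 and 5 for an ALB/NLB, done through the API instead of the console, as an added example that is not Prowler's or AWS's code. The two functions take boto3 clients (boto3.client("elbv2") and boto3.client("acm")); the Fake* classes below are constructed stand-ins with hypothetical ARNs so the sequence runs offline and shows why the order matters: ACM keeps listing the listener in InUseBy until the listener is switched, and refuses deletion before that.

```python
"""Switch a listener to the renewed certificate, then retire the old one once ACM reports it unused.
Added example; rotate_listener_certificate() and retire_certificate() expect real boto3 clients,
FakeAcm/FakeElbv2 are constructed stand-ins for running the sequence offline."""
from typing import Dict, List


def rotate_listener_certificate(elbv2, listener_arn: str, new_cert_arn: str) -> str:
    """ModifyListener replaces the listener's default certificate; returns the ARN now served."""
    resp = elbv2.modify_listener(ListenerArn=listener_arn, Certificates=[{"CertificateArn": new_cert_arn}])
    return resp["Listeners"][0]["Certificates"][0]["CertificateArn"]


def retire_certificate(acm, old_cert_arn: str, apply: bool = False) -> dict:
    """Refuse to delete while DescribeCertificate still lists consumers in InUseBy."""
    cert = acm.describe_certificate(CertificateArn=old_cert_arn)["Certificate"]
    consumers = list(cert.get("InUseBy", []))
    if consumers:
        return {"deleted": False, "in_use_by": consumers}
    if apply:
        acm.delete_certificate(CertificateArn=old_cert_arn)  # ACM itself rejects deleting an in-use cert
    return {"deleted": apply, "in_use_by": []}


# --- constructed stand-ins for the two boto3 clients (hypothetical ARNs) ---
OLD = "arn:aws:acm:us-east-1:123456789012:certificate/old0"
NEW = "arn:aws:acm:us-east-1:123456789012:certificate/new0"
LISTENER = "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/abc123/def456"


class FakeAcm:
    def __init__(self):
        self.certs: Dict[str, dict] = {OLD: {"CertificateArn": OLD, "InUseBy": [LISTENER]},
                                       NEW: {"CertificateArn": NEW, "InUseBy": []}}

    def describe_certificate(self, CertificateArn):
        return {"Certificate": self.certs[CertificateArn]}

    def delete_certificate(self, CertificateArn):
        if self.certs[CertificateArn]["InUseBy"]:
            raise RuntimeError("ResourceInUseException")  # mirrors the real API's refusal
        del self.certs[CertificateArn]


class FakeElbv2:
    def __init__(self, acm: FakeAcm):
        self.acm = acm
        self.listeners = {LISTENER: {"ListenerArn": LISTENER, "Certificates": [{"CertificateArn": OLD}]}}

    def modify_listener(self, ListenerArn, Certificates: List[dict]):
        listener = self.listeners[ListenerArn]
        for c in listener["Certificates"]:  # keep ACM's InUseBy view consistent with the listener
            self.acm.certs[c["CertificateArn"]]["InUseBy"].remove(ListenerArn)
        for c in Certificates:
            self.acm.certs[c["CertificateArn"]]["InUseBy"].append(ListenerArn)
        listener["Certificates"] = list(Certificates)
        return {"Listeners": [listener]}


def rollover_demo() -> dict:
    """Run the full sequence against the stand-ins and report what happened at each step."""
    acm = FakeAcm()
    elbv2 = FakeElbv2(acm)
    before = retire_certificate(acm, OLD)             # still referenced by the listener: must refuse
    served = rotate_listener_certificate(elbv2, LISTENER, NEW)
    after = retire_certificate(acm, OLD, apply=True)  # listener switched, InUseBy empty: safe to delete
    return {"refused_before": not before["deleted"], "served": served,
            "deleted_after": after["deleted"], "old_gone": OLD not in acm.certs}


if __name__ == "__main__":
    print(rollover_demo())
```

With real clients, run retire_certificate() without apply=True first and inspect in_use_by; CloudFront and API Gateway consumers show up there too, so the same guard covers the other two paths in step 4.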

Resource Type

AwsCertificateManagerCertificate
