How to manage certificate lifecycles using ACM event-driven workflows
With AWS Certificate Manager (ACM), you can simplify certificate lifecycle management by using event-driven workflows to notify or take action on expiring TLS certificates in your organization. Using ACM, you can provision, manage, and deploy public and private TLS certificates for use with integrated AWS services like Amazon CloudFront and Elastic Load Balancing (ELB), as well as for your internal resources and infrastructure. For a full list of integrated services, see Services integrated with AWS Certificate Manager.
<p>By implementing event-driven workflows for certificate lifecycle management, you can help increase the visibility of upcoming and actual certificate expirations, and notify application teams that their action is required to renew a certificate. You can also use event-driven workflows to automate provisioning of private certificates to your internal resources, like a web server based on <a href="https://aws.amazon.com/ec2/" target="_blank" rel="noopener">Amazon Elastic Compute Cloud (Amazon EC2)</a>.</p>
<p>In this post, we describe the ACM event types that <a href="https://aws.amazon.com/pm/eventbridge/" target="_blank" rel="noopener">Amazon EventBridge</a> supports. EventBridge is a serverless event router that you can use to build event-driven applications at scale. ACM publishes these events for important occurrences, such as when a certificate becomes available, approaches expiration, or fails to renew. We also highlight example use cases for the event types supported by ACM. Lastly, we show you how to implement an event-driven workflow to notify application teams that they need to take action to renew a certificate for their workloads. You can also use these types of workflows to send the relevant event information to <a href="https://aws.amazon.com/security-hub/" target="_blank" rel="noopener">AWS Security Hub</a> or to initiate certificate automation actions through <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener">AWS Lambda</a>.</p>
<p>To view a video walkthrough and demo of this workflow, see <a href="https://www.youtube.com/watch?v=oNGb8ZJ6fGE" target="_blank" rel="noopener">AWS Certificate Manager: How to create event-driven certificate workflows</a>.</p>
<h2>ACM event types and selected use cases</h2>
<p>In October 2022, ACM released support for three new event types:</p>
<ul>
<li>ACM Certificate Renewal Action Required</li>
<li>ACM Certificate Expired </li>
<li>ACM Certificate Available </li>
</ul>
<p>Before this release, ACM had a single event type: ACM Certificate Approaching Expiration. By default, ACM creates Certificate Approaching Expiration events daily for active, ACM-issued certificates starting 45 days prior to their expiration. To learn more about the structure of these event types, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/supported-events.html" target="_blank" rel="noopener">Amazon EventBridge support for ACM</a>. The following examples highlight how you can use the different event types in the context of certificate lifecycle operations.</p>
<h3>Notify stakeholders that action is required to complete certificate renewal</h3>
<p>ACM emits an ACM Certificate Renewal Action Required event when customer action must be taken before a certificate can be renewed. For instance, if permissions aren’t appropriately configured to allow ACM to renew private certificates issued from <a href="https://aws.amazon.com/private-ca/" target="_blank" rel="noopener">AWS Private Certificate Authority (AWS Private CA)</a>, ACM will publish this event when automatic renewal fails at 45 days before expiration. Similarly, ACM might not be able to renew a public certificate because an administrator needs to confirm the renewal by email validation, or because Certification Authority Authorization (CAA) record changes prevent automatic renewal through domain validation. ACM will make further renewal attempts at 30 days, 15 days, 3 days, and 1 day before expiration, or until customer action is taken, the certificate expires, or the certificate is no longer eligible for renewal. ACM publishes an event for each renewal attempt.</p>
<p>It’s important to notify the appropriate parties — for example, the Public Key Infrastructure (PKI) team, security engineers, or application developers — that they need to take action to resolve these issues. You might notify them by email, or by integrating with your workflow management system to open a case that the appropriate engineering or support teams can track.</p>
<h3>Notify application teams that a certificate for their workload has expired</h3>
<p>You can use the ACM Certificate Expired event type to notify application teams that a certificate associated with their workload has expired. The teams should quickly investigate and validate that the expired certificate won’t cause an outage or cause application users to see a message stating that a website is insecure, which could impact their trust. To increase visibility for support teams, you can publish this event to Security Hub or a support ticketing system. For an example of how to publish these events as findings in Security Hub, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/event-lambda-response.html" target="_blank" rel="noopener">Responding to an event with a Lambda function</a>.</p>
<h3>Use automation to export and place a renewed private certificate</h3>
<p>ACM sends an ACM Certificate Available event when a managed public or private certificate is ready for use. ACM publishes the event on issuance, renewal, and import. When a private certificate becomes available, you might still need to take action to deploy it to your resources, such as installing the private certificate for use in an EC2 web server. This includes a new private certificate that AWS Private CA issues as part of managed renewal through ACM. You might want to notify the appropriate teams that the new certificate is available for export from ACM, so that they can use the ACM APIs, <a href="https://aws.amazon.com/cli/" target="_blank" rel="noopener">AWS Command Line Interface (AWS CLI)</a>, or <a href="https://aws.amazon.com/console/" target="_blank" rel="noopener">AWS Management Console</a> to export the certificate and manually distribute it to your workload (for example, an EC2-based web server). For integrated services such as ELB, ACM binds the renewed certificate to your resource, and no action is required.</p>
<p>You can also use this event to invoke a Lambda function that exports the private certificate and places it in the appropriate directory for the relevant server, provide it to other serverless resources, or put it in an encrypted <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener">Amazon Simple Storage Service (Amazon S3)</a> bucket to share with a third party for mutual TLS or a similar use case.</p>
<h2>How to build a workflow to notify administrators that action is required to renew a certificate</h2>
<p>In this section, we’ll show you how to configure notifications to alert the appropriate stakeholders that they need to take an action to successfully renew an ACM certificate.</p>
<p>To follow along with this walkthrough, make sure that you have an <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> role with the appropriate permissions for EventBridge and <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener">Amazon Simple Notification Service (Amazon SNS)</a>. When a rule runs in EventBridge, a target associated with that rule is invoked, and in order to make API calls on Amazon SNS, EventBridge needs a <a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-sns-permissions" rel="noopener" target="_blank">resource-based IAM policy</a>.</p>
<p>The following IAM permissions work for the example below (and for tidying up afterwards):</p>
<div class="hide-language">
<pre class="unlimited-height-code"><code class="lang-text">{
“Version”: “2012-10-17”,
“Statement”: [
{
“Action”: [
“events:”
],
“Effect”: “Allow”,
“Resource”: “arn:aws:events:::”
},
{
“Action”: [
“iam:PassRole”
],
“Effect”: “Allow”,
“Resource”: “*”,
“Condition”: {
“StringLike”: {
“iam:PassedToService”: “events.amazonaws.com”
}
}
}
]
}
The following is a sample <a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-sns-permissions" target="_blank" rel="noopener">resource-based policy</a> that allows EventBridge to publish to an Amazon SNS topic. Make sure to replace <span></span>, <span></span>, and <span></span> with your own data.</p>
<div class="hide-language">
<pre class="unlimited-height-code"><code class="lang-text">{
“Sid”: “PublishEventsToMyTopic”,
“Effect”: “Allow”,
“Principal”: {
“Service”: “events.amazonaws.com”
},
“Action”: “sns:Publish”,
“Resource”: “arn:aws:sns:::”
}
The first step is to create an SNS topic by using the console to link multiple endpoints such as AWS Lambda and Amazon Simple Queue Service (Amazon SQS), or send a notification to an email address.
To create an SNS topic
- Open the Amazon SNS console.
- In the left navigation pane, choose Topics.
- Choose Create Topic.
- For Type, choose Standard.
- Enter a name for the topic, and (optional) enter a display name.
- Choose the triangle next to the Encryption — optional panel title.
- Select the Encryption toggle (optional) to encrypt the topic. This will enable server-side encryption (SSE) to help protect the contents of the messages in Amazon SNS topics.
- For this demonstration, we are going to use the default AWS managed KMS key. Using Amazon SNS with AWS Key Management Service (AWS KMS) provides encryption at rest, and the data keys that encrypt the SNS message data are stored with the data protected. To learn more about SNS data encryption, see Data encryption.
- Keep the defaults for all other settings.
- Choose Create topic.
When the topic has been successfully created, a notification bar appears at the top of the screen, and you will be routed to the page for the newly created topic. Note the Amazon Resource Name (ARN) listed in the Details panel because you’ll need it for the next section.
Next, you need to create a subscription to the topic to set a destination endpoint for the messages that are pushed to the topic to be delivered.
To create a subscription to the topic
- In the Subscriptions section of the SNS topic page you just created, choose Create subscription.
- On the Create subscription page, in the Details section, do the following:
- For Protocol, choose Email.
- For Endpoint, enter the email address where the ACM Certificate Renewal Action Required event alerts should be sent.
- Keep the default Subscription filter policy and Redrive policy settings for this demonstration.
- Choose Create subscription.
- To finalize the subscription, an email will be sent to the email address that you entered as the endpoint. To validate your subscription, choose Confirm Subscription in the email when you receive it.
- A new web browser will open with a message verifying that the subscription status is Confirmed and that you have been successfully subscribed to the SNS topic.
Next, create the EventBridge rule that will be invoked when an ACM Certificate Renewal Action Required event occurs. This rule uses the SNS topic that you just created as a target.
To create an EventBridge rule
- Navigate to the EventBridge console.
- In the left navigation pane, choose Rules.
- Choose Create rule.
- In the Rule detail section, do the following:
- Define the rule by entering a Name and an optional Description.
- In the Event bus dropdown menu, select the default event bus.
- Keep the default values for the rest of the settings.
- Choose Next.
- For Event source, make sure that AWS events or EventBridge partner events is selected, because the event source is ACM.
- In the Sample event panel, under Sample events, choose ACM Certificate Renewal Action Required as the sample event. This helps you verify your event pattern.
- In the Event pattern panel, for Event Source, make sure that AWS services is selected.
- For AWS service, choose Certificate Manager.
- Under Event type, choose ACM Certificate Renewal Action Required.
- Choose Test pattern.
- In the Event pattern section, a notification will appear stating Sample event matched the event pattern to confirm that the correct event pattern was created.
- Choose Next.
- In the Target 1 panel, do the following:
- For Target types, make sure that AWS service is selected.
- Under Select a target, choose SNS topic.
- In the Topic dropdown list, choose your desired topic.
- Choose Next.
- (Optional) Add tags to the topic.
- Choose Next.
- Review the settings for the rule, and then choose Create rule.
Now you are listening to this event and will be notified when a customer action must be taken before a certificate can be renewed.
For another example of how to use Amazon SNS and email notifications, see How to monitor expirations of imported certificates in AWS Certificate Manager (ACM). For an example of how to use Lambda to publish findings to Security Hub to provide visibility to administrators and security teams, see Responding to an event with a Lambda function. Other options for responding to this event include invoking a Lambda function to export and distribute private certificates, or integrating with a messaging or collaboration tool for ChatOps.
Conclusion
In this blog post, you learned about the new EventBridge event types for ACM, and some example use cases for each of these event types. You also learned how to use these event types to create a workflow with EventBridge and Amazon SNS that notifies the appropriate stakeholders when they need to take action, so that ACM can automatically renew a TLS certificate.
By using these events to increase awareness of upcoming certificate lifecycle events, you can make it simpler to manage TLS certificates across your organization. For more information about certificate management on AWS, see the ACM documentation or get started using ACM today in the AWS Management Console.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.
<!-- '"` -->