What is the MOST operationally efficient way to meet this requirement?
Create an AWS Lambda function to list all certificates and to go through each certificate to describe the certificate by using the AWS SDK. Filter on the NotAfter attribute and send an email notification. Use an Amazon EventBridge (Amazon CloudWatch Events) rate expression to schedule the Lambda function to run daily.
Create an Amazon CloudWatch alarm. Add all the certificate ARNs in the AWS/CertificateManager namespace to the DaysToExpiry metric. Configure the alarm to publish a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the value for the DaysToExpiry metric is less than or equal to 31.
Set up AWS Security Hub. Turn on the AWS Foundational Security Best Practices standard with integrated ACM to send findings. Configure and use a custom action by creating a rule to match the pattern from the ACM findings on the NotBefore attribute as the event source. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Create an Amazon EventBridge (Amazon CloudWatch Events) rule by using a predefined pattern for ACM. Choose the metric in the ACM Certificate Approaching Expiration event as the event pattern. Create an Amazon Simple Notification Service (Amazon SNS) topic as the target.
Explanations:
While this option creates a Lambda function to check certificate expiration, it requires manual maintenance of custom code and is less efficient because it must poll every certificate on a schedule. It also does not take advantage of AWS services that already provide a more streamlined solution.
Amazon CloudWatch does not support the capability to add certificate ARNs to the DaysToExpiry metric directly. The DaysToExpiry metric is not user-configurable in that manner, making this approach impractical for monitoring certificate expiration.
Although AWS Security Hub can integrate with ACM, it is primarily focused on security best practices and does not provide real-time alerts for certificate expiration in a straightforward manner. Setting up a custom action based on ACM findings requires additional complexity and may not trigger alerts in a timely manner.
This option effectively uses Amazon EventBridge to monitor ACM certificate expiration events. By setting up a rule for ACM Certificate Approaching Expiration events, it delivers an immediate notification through an SNS topic as soon as ACM emits the event, providing an efficient and automated alerting solution with no custom code and no manual intervention.
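The following is an added example, not part of the original question or its explanations, showing what the correct option looks like in practice: the EventBridge event pattern that the "predefined pattern for ACM" expands to, a minimal matcher run offline against a constructed sample event in the shape ACM emits, the rule-plus-SNS-target creation expressed as boto3-style calls, and the SNS topic resource policy that EventBridge needs in order to publish. The rule name, topic ARN, account ID and sample event values are assumptions constructed for illustration; the fake client stands in for boto3's `events` client so the script runs without AWS credentials.

```python
import json

# Event pattern behind the "ACM Certificate Approaching Expiration" predefined pattern.
# ACM publishes this event once a day, starting 45 days before a certificate expires,
# so a rule on it needs no polling and no custom code.
ACM_EXPIRY_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
}

# Constructed sample event (illustrative values, not captured from a real account).
SAMPLE_EVENT = {
    "version": "0",
    "id": "constructed-example-id",
    "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm",
    "account": "123456789012",
    "time": "2024-01-01T10:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"],
    "detail": {"DaysToExpiry": 31, "CommonName": "example.internal"},
}


def matches_pattern(event, pattern):
    """Minimal EventBridge matcher: every key in the pattern must exist in the event
    and its value must be one of the listed alternatives. (EventBridge supports richer
    operators; exact-value lists are all this pattern uses.)"""
    for key, allowed in pattern.items():
        if key not in event or event[key] not in allowed:
            return False
    return True


def days_to_expiry(event):
    """Pull the remaining lifetime ACM reports in the event detail."""
    return int(event["detail"]["DaysToExpiry"])


def sns_topic_policy(topic_arn):
    """Resource policy the SNS topic needs so EventBridge may publish to it.
    Without this statement the rule still matches, but delivery to the topic fails."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventBridgePublish",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "sns:Publish",
            "Resource": topic_arn,
        }],
    }


def create_expiry_rule(events_client, rule_name, topic_arn):
    """Create the rule and attach the SNS topic as its target.
    events_client is any object with boto3-style put_rule/put_targets methods
    (boto3.client("events") in a real account; FakeEventsClient offline)."""
    events_client.put_rule(
        Name=rule_name,
        EventPattern=json.dumps(ACM_EXPIRY_PATTERN),
        State="ENABLED",
        Description="Notify when an ACM certificate is approaching expiration",
    )
    resp = events_client.put_targets(
        Rule=rule_name,
        Targets=[{"Id": "acm-expiry-sns", "Arn": topic_arn}],
    )
    return resp.get("FailedEntryCount", 0) == 0


class FakeEventsClient:
    """Offline stand-in that records the calls a real boto3 events client would receive."""

    def __init__(self):
        self.rules = {}
        self.targets = {}

    def put_rule(self, Name, EventPattern, State, Description=""):
        self.rules[Name] = {"pattern": json.loads(EventPattern), "state": State}
        return {"RuleArn": f"arn:aws:events:us-east-1:123456789012:rule/{Name}"}

    def put_targets(self, Rule, Targets):
        self.targets[Rule] = Targets
        return {"FailedEntryCount": 0, "FailedEntries": []}


if __name__ == "__main__":
    topic = "arn:aws:sns:us-east-1:123456789012:cert-expiry-alerts"  # assumed ARN
    client = FakeEventsClient()
    print("rule created:", create_expiry_rule(client, "acm-cert-expiry", topic))
    print("sample event matches:", matches_pattern(SAMPLE_EVENT, ACM_EXPIRY_PATTERN),
          "days to expiry:", days_to_expiry(SAMPLE_EVENT))
    print(json.dumps(sns_topic_policy(topic), indent=2))
```

In a real account, replace `FakeEventsClient()` with `boto3.client("events")` and apply `sns_topic_policy(...)` to the topic with `sns.set_topic_attributes(TopicArn=..., AttributeName="Policy", AttributeValue=json.dumps(...))`; the event pattern and target definition stay the same.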