Manage Imported Certificate Expiry in ACM (using CloudWatch Events + Lambda), implemented with CloudFormation

First of all, in addition to requesting SSL/TLS certificates provided by AWS Certificate Manager (ACM), you can import certificates that you obtained outside of AWS. You might do this because you already have a certificate from a third-party certificate authority (CA), or because you have application-specific requirements that are not met by ACM-issued certificates.

One thing to note:

ACM does not provide managed renewal for imported certificates.

You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can simplify this task by using Amazon CloudWatch Events to send notices when your imported certificates approach expiration. For more information, see Using CloudWatch Events.

– docs.aws.amazon.com

The above diagram shows the complete flow, but we will only cover the part where the Event Rule invokes the Lambda, and create both the rule and the Lambda via CloudFormation.

Understanding the Event

An example of the event the Lambda receives is shown below:

{
  "version": "0",
  "id": "9c95e8e4-96a4-ef3f-b739-b6aa5b193afb",
  "detail-type": "ACM Certificate Approaching Expiration",
  "source": "aws.acm",
  "account": "123456789012",
  "time": "2020-09-30T06:51:08Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:acm:us-east-1:123456789012:certificate/61f50cd4-45b9-4259-b049-d0a53682fa4b"
  ],
  "detail": {
    "DaysToExpiry": 31,
    "CommonName": "My Awesome Service"
  }
}

Creating the Lambda Event Handler

Currently we do not perform any action in the Lambda, but you will have to attach an IAM role to the Lambda so that it can perform the desired action (for example, the ACM describe-certificate call mentioned below).

We will be creating a simple Lambda function that just logs the event for now. We can modify the code later to do whatever we want.

AWSTemplateFormatVersion: '2010-09-09'
Description: Lambda function invoked on ACM certificate expiry events.
Resources:
  primer:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs12.x
      Role: arn:aws:iam::123456789012:role/lambda-role
      Handler: index.handler
      Code:
        ZipFile: |
          var aws = require('aws-sdk') // available in the runtime; needed once we call ACM describe-certificate
          exports.handler = function(event, context) {
              // For now just log the raw event. The certificate ARN is in
              // event.resources[0] (note the plural), and the days left are
              // in event.detail.DaysToExpiry.
              console.log("REQUEST RECEIVED:\n" + JSON.stringify(event))
          }
      Description: Invoked when an ACM certificate is approaching expiry.
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - <SecurityGroupID>
        SubnetIds:
          - <subnetid>
          - <subnetid>

<SecurityGroupID> – replace with your security group ID.

<subnetid> – replace with your subnet IDs. Because the function is attached to a VPC, these subnets need a route to the ACM API (for example via a NAT gateway); otherwise any describe-certificate call from the function will time out.

event['resources'][0] – this is where the certificate ARN is in the event. We can use it to make a request to ACM describe-certificate.

event['detail']['DaysToExpiry'] – the number of days left before the certificate expires.

We can now get the certificate reissued by our authority and then re-import it using the same ARN.
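The following handler is an added example (not the post's code) that goes a step beyond the log-only stub: it validates that the event really is an ACM expiry event, extracts the ARN and DaysToExpiry from the paths shown in the sample event, and decides whether a renewal is due. The renewal threshold and the injectable describeCert lookup (a stand-in for an ACM describe-certificate wrapper returning the certificate Type) are assumptions, not values from the post.

```javascript
'use strict';
const EXPECTED_SOURCE = 'aws.acm';
const EXPECTED_DETAIL_TYPE = 'ACM Certificate Approaching Expiration';
const RENEW_WITHIN_DAYS = 30; // assumed renewal policy, not from the post
const ACM_CERT_ARN = /^arn:aws:acm:[a-z0-9-]+:\d{12}:certificate\/[0-9a-f-]+$/;

// Validates the event and decides what to do. `describeCert(arn)` is an
// injectable lookup (e.g. a wrapper around ACM describe-certificate) so the
// logic can run offline; it returns { Type } or null when unknown.
function handleAcmExpiryEvent(event, describeCert = () => null) {
  // Only act on the event the rule is meant to deliver; a mis-scoped rule or
  // a manual test invoke must not kick off a renewal.
  if (!event || event.source !== EXPECTED_SOURCE ||
      event['detail-type'] !== EXPECTED_DETAIL_TYPE) {
    return { ok: false, reason: 'unexpected event source or detail-type' };
  }
  // The ARN is in event.resources[0] (plural), never event.resource.
  const arn = Array.isArray(event.resources) ? event.resources[0] : undefined;
  if (typeof arn !== 'string' || !ACM_CERT_ARN.test(arn)) {
    return { ok: false, reason: 'missing or malformed certificate ARN' };
  }
  const detail = event.detail || {};
  const days = Number(detail.DaysToExpiry);
  if (!Number.isInteger(days)) {
    return { ok: false, reason: 'DaysToExpiry missing from event.detail' };
  }
  // Only IMPORTED certificates need manual renewal; ACM renews the rest.
  const info = describeCert(arn);
  let action = 'log-only';
  if (info && info.Type && info.Type !== 'IMPORTED') action = 'none-managed-renewal';
  else if (days <= RENEW_WITHIN_DAYS) action = 'renew-and-reimport';
  return { ok: true, certificateArn: arn, commonName: detail.CommonName,
           daysToExpiry: days, action };
}

// Constructed sample event shaped like the one shown in the post.
const SAMPLE_EVENT = {
  version: '0', source: EXPECTED_SOURCE, 'detail-type': EXPECTED_DETAIL_TYPE,
  account: '123456789012', region: 'us-east-1', time: '2020-09-30T06:51:08Z',
  resources: ['arn:aws:acm:us-east-1:123456789012:certificate/61f50cd4-45b9-4259-b049-d0a53682fa4b'],
  detail: { DaysToExpiry: 31, CommonName: 'My Awesome Service' },
};

// Lambda entry point (index.handler): log the raw event, then decide.
async function handler(event) {
  console.log('REQUEST RECEIVED:\n' + JSON.stringify(event));
  return handleAcmExpiryEvent(event);
}
if (typeof exports === 'object') exports.handler = handler;
```

With the sample event (31 days left, above the assumed 30-day threshold) the decision is log-only; drop DaysToExpiry to 7 and the same code returns renew-and-reimport.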

Using CloudWatch Events and Permissions

You can create CloudWatch rules based on these events and use the CloudWatch console to configure actions that take place when the events are detected. 

Creating the Event Rule, and attaching the permission that lets the rule invoke the Lambda, using CloudFormation:

AWSTemplateFormatVersion: "2010-09-09"
Description: "A CloudWatch Event Rule and permission"
Resources:
  EventRule:
    Type: "AWS::Events::Rule"
    Properties:
      Name: "detect-acm-certificate-expiry-events"
      Description: "A CloudWatch Event Rule that sends a notification to provide notice of approaching expiration of an ACM certificate."
      State: "ENABLED"
      Targets:
        # Arn is the function to invoke; Id is just a unique label for the target.
        - Arn: <LambdaARN>
          Id: "acm-expiry-lambda-target"
      EventPattern:
        detail-type:
          - "ACM Certificate Approaching Expiration"
        source:
          - "aws.acm"
  LambdaInvokePermissionsAcmExpiryRule:
    Type: "AWS::Lambda::Permission"
    Properties:
      # FunctionName accepts the function ARN directly; Fn::GetAtt only works
      # on a logical resource in this template, not on an ARN.
      FunctionName: <LambdaARN>
      Action: "lambda:InvokeFunction"
      Principal: "events.amazonaws.com"
      # Restrict the grant to this rule so no other Events rule in the account
      # can invoke the function.
      SourceArn:
        Fn::GetAtt:
          - EventRule
          - Arn

<LambdaARN> – replace this with the ARN of the Lambda function created above.
