ACM – Expiration Notifications and Compliance

Expiration Notifications

  • ACM emits daily expiration events starting 45 days before certificate expiration.
  • The notification window is configurable.
  • Events are sent through Amazon EventBridge, enabling automated responses.

Monitoring and Compliance

  • AWS Config provides a managed rule:
    • acm-certificate-expiration-check
    • Detects certificates approaching expiration.
    • Threshold (in days) is configurable for compliance checks.

Example Automation Flow

  1. EventBridge rule captures the ACM expiration event.
  2. Triggers a Lambda function to process the event.
  3. Lambda sends alerts via SNS or queues a task in SQS.
  4. AWS Config flags non-compliant certificates based on the configured threshold.
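The Lambda step of the flow above, written out as an added example (this is not code from the page or from AWS). The sample event is constructed: its shape follows the EventBridge event ACM emits (source `aws.acm`, detail-type `ACM Certificate Approaching Expiration`, the certificate ARN in `resources`, and `DaysToExpiry` / `CommonName` under `detail`), but the ARN, account id, domain and values are placeholders. The severity thresholds, the `ALERT_TOPIC_ARN` environment variable and the injectable `publish` callable are this example's own choices, not part of the ACM or SNS API.

```python
import json
import os
from typing import Any, Callable, Dict, Optional

# Thresholds (in days) chosen for this example; align them with your renewal runbook.
CRITICAL_DAYS = 7
WARNING_DAYS = 30

ACM_SOURCE = "aws.acm"
ACM_DETAIL_TYPE = "ACM Certificate Approaching Expiration"

# Constructed sample event. Field names follow the ACM expiration event shape;
# the ARN, account id, domain and values are placeholders, not real resources.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": ACM_DETAIL_TYPE,
    "source": ACM_SOURCE,
    "account": "123456789012",
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [
        "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
    ],
    "detail": {
        "DaysToExpiry": 31,
        "CommonName": "www.example.com",
        "CertificateType": "IMPORTED",
        "InUse": True,
    },
}


def classify(days_to_expiry: int) -> str:
    """Map days-to-expiry onto an alert severity."""
    if days_to_expiry <= CRITICAL_DAYS:
        return "CRITICAL"
    if days_to_expiry <= WARNING_DAYS:
        return "WARNING"
    return "INFO"


def parse_acm_expiration_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Validate an EventBridge event and extract the fields the alert needs.

    Raises ValueError for anything that is not an ACM expiration event, so a
    mis-targeted rule or a custom event on the same bus is not turned into a page.
    """
    if event.get("source") != ACM_SOURCE or event.get("detail-type") != ACM_DETAIL_TYPE:
        raise ValueError("not an ACM certificate expiration event")
    resources = event.get("resources") or []
    if len(resources) != 1 or not resources[0].startswith("arn:aws:acm:"):
        raise ValueError("expected exactly one ACM certificate ARN in resources")
    detail = event.get("detail") or {}
    try:
        days = int(detail["DaysToExpiry"])
    except (KeyError, TypeError, ValueError):
        raise ValueError("detail.DaysToExpiry missing or not an integer")
    if days < 0:
        raise ValueError("DaysToExpiry must be non-negative")
    return {
        "certificate_arn": resources[0],
        "common_name": detail.get("CommonName", "<unknown>"),
        "certificate_type": detail.get("CertificateType", "<unknown>"),
        "in_use": bool(detail.get("InUse", False)),
        "days_to_expiry": days,
        "severity": classify(days),
        "account": event.get("account"),
        "region": event.get("region"),
    }


def build_alert(summary: Dict[str, Any]) -> Dict[str, str]:
    """Render an SNS subject/message pair; SNS requires subjects shorter than 100 chars."""
    subject = (f"[{summary['severity']}] ACM cert {summary['common_name']} "
               f"expires in {summary['days_to_expiry']}d")
    return {"subject": subject[:99], "message": json.dumps(summary, indent=2)}


def publish_via_sns(alert: Dict[str, str]) -> str:
    """Default publisher: boto3 SNS, imported lazily so the module loads without boto3."""
    import boto3  # present in the Lambda runtime
    topic_arn = os.environ["ALERT_TOPIC_ARN"]  # assumed: set on the function's configuration
    resp = boto3.client("sns").publish(
        TopicArn=topic_arn, Subject=alert["subject"], Message=alert["message"])
    return resp["MessageId"]


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   publish: Optional[Callable[[Dict[str, str]], str]] = None) -> Dict[str, Any]:
    """Lambda entry point. `publish` is injectable so the handler can be tested offline."""
    publish = publish or publish_via_sns
    try:
        summary = parse_acm_expiration_event(event)
    except ValueError as exc:
        return {"status": "ignored", "reason": str(exc)}
    alert = build_alert(summary)
    message_id = publish(alert)
    return {"status": "published", "severity": summary["severity"],
            "message_id": message_id, "certificate_arn": summary["certificate_arn"]}


if __name__ == "__main__":
    # Dry run: print the subject instead of calling SNS.
    print(lambda_handler(SAMPLE_EVENT, publish=lambda a: (print(a["subject"]), "dry-run")[1]))
```

The handler rejects events whose `source` or `detail-type` do not match before it publishes anything, so a broadly scoped EventBridge rule cannot feed unrelated events into the alert channel; severity is derived from `DaysToExpiry` rather than from the event's arrival date, which matters because ACM re-emits the event daily and the number keeps dropping.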