Checks whether the number of days until an SSL certificate expires on an Application Load Balancer (ALB) listener exceeds the configured threshold. If the remaining days are within the threshold, the evaluation result is Non-compliant.
Scenarios
Use this rule to detect ALB listeners whose SSL certificates are approaching expiration. Early detection lets you renew certificates before they expire and cause HTTPS listener failures.
Risk level
Default risk level: high.
You can change the risk level when applying this rule to match your business requirements.
Compliance evaluation logic
The rule checks each ALB listener's SSL certificate. If the number of days between today and the certificate's expiration date is greater than the configured
daysthreshold, the evaluation result is Compliant. If it is equal to or less than the threshold, the evaluation result is Non-compliant.This rule does not check CA certificates associated with ALB instances.
Rule details
|
Parameter |
Description |
|
Rule template name |
alb-all-listener-certificate-expired-check |
|
Rule template identifier |
|
|
Tag |
ALB |
|
Automatic remediation |
Not supported |
|
Invoke type |
Periodic: every 24 hours |
|
Supported resource type |
ALB instance (ACS::ALB::LoadBalancer) |
|
Input parameter |
Parameter: |
Incompliance remediation
If a certificate on an ALB listener has fewer days remaining than the configured days threshold, renew or replace that certificate. For instructions, see Manage certificates.