All Products
Search
Document Center

Cloud Config:alb-all-listener-certificate-expired-check

Last Updated:Jun 08, 2026

Checks whether the number of days until an SSL certificate expires on an Application Load Balancer (ALB) listener exceeds the configured threshold. If the remaining days are within the threshold, the evaluation result is Non-compliant.

Scenarios

Use this rule to detect ALB listeners whose SSL certificates are approaching expiration. Early detection lets you renew certificates before they expire and cause HTTPS listener failures.

Risk level

Default risk level: high.

You can change the risk level when applying this rule to match your business requirements.

Compliance evaluation logic

  • The rule checks each ALB listener's SSL certificate. If the number of days between today and the certificate's expiration date is greater than the configured days threshold, the evaluation result is Compliant. If it is equal to or less than the threshold, the evaluation result is Non-compliant.

  • This rule does not check CA certificates associated with ALB instances.

Rule details

Parameter

Description

Rule template name

alb-all-listener-certificate-expired-check

Rule template identifier

alb-all-listener-certificate-expired-check

Tag

ALB

Automatic remediation

Not supported

Invoke type

Periodic: every 24 hours

Supported resource type

ALB instance (ACS::ALB::LoadBalancer)

Input parameter

Parameter: days (integer). The minimum number of days before SSL certificate expiration for a resource to be compliant. Default value: 30.

Incompliance remediation

If a certificate on an ALB listener has fewer days remaining than the configured days threshold, renew or replace that certificate. For instructions, see Manage certificates.