turbot/ibm_compliance

Control: 10.1 Ensure certificates generated through IBM Cloud Certificate Manager are automatically renewed before expiration

Description

You can use the IBM Cloud Certificate Manager service dashboard to manage certificates that you obtain from third-party issuers, or order from Certificate Manager, to use with your IBM cloud-based apps or services.

You can manually or automatically renew certificates that you order through Certificate Manager. You can also disable the auto-renewal feature after you enable it. You can set a certificate to automatically renew while you're ordering. Or, you can enable auto-renewal after it's configured.

Remediation

From Console

  1. Log in to IBM Cloud
  2. Click the Menu icon and select Resource List
  3. On the Resource List page under Services, perform the following for each Certificate Manager instance that you have provisioned.
  • a. Click on the Certificate Manager instance to view the configuration for the service.
  • b. In order to renew the certificate manually click on the options menu and select Renew.
  • c. Note certificates manually imported into Certificate Manager cannot be automatically renewed. In order to renew those certificates click the options menu and select Reimport.

The process can be automated by configuring Slack or Webhook based expiration notifications in the Notifications section of Certificate Manager Dashboard. From the Certificate Manager instance configuration screen,

  1. Click Notifications.
  2. Click the Create button.
  3. Select the Channel type and enter in the Channel endpoint URL.
  4. Ensure the Enable/Disable toggle is set to On.
  5. Click the Save icon.

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_10_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_10_1 --share

SQL

This control uses a named query:

certificate_with_auto_renew_enabled

Tags