
Control: 1 Imported ACM certificates should be renewed after a specified time period


This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager.

Certificates provided by ACM are automatically renewed. If you're using certificates provided by ACM, you do not need to rotate SSL/TLS certificates. ACM manages certificate renewals for you.

ACM does not automatically renew certificates that you import. You must renew imported certificates manually.


ACM provides managed renewal for your Amazon issued SSL/TLS certificates. This includes both public and private certificates issued by using ACM. If possible, ACM renews your certificates automatically with no action required from you. A certificate is eligible for renewal if it is associated with another AWS service, such as Elastic Load Balancing or Amazon CloudFront. It can also be renewed if it has been exported since being issued or last renewed.

If ACM cannot automatically validate one or more domain names in a certificate, ACM notifies the domain owner that the domain must be validated manually. A domain can require manual validation for the following reasons.

  • ACM cannot establish an HTTPS connection with the domain.
  • The certificate that is returned in the response to the HTTPS requests does not match the one that ACM is renewing.


Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_acm_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_acm_1 --share


This control uses a named query:

certificate_arn as resource,
when renewal_eligibility = 'INELIGIBLE' then 'skip'
when date(not_after) - date(current_date) >= 30 then 'ok'
else 'alarm'
end as status,
when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
' (' || extract(day from not_after - current_date) || ' days).'
end as reason
, region, account_id
