Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
36Dashboards
1598Benchmarks
674Queries
9Variables
GitHub

Control: Ensure that all the expired ACM certificates are removed

Description

This control ensures that all expired ACM certificates are removed from AWS account.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.acm_certificate_not_expired

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.acm_certificate_not_expired --share

SQL

This control uses a named query:

select
  certificate_arn as resource,
  case
    when renewal_eligibility = 'INELIGIBLE' then 'skip'
    when date(not_after) < (current_date - interval '1' minute) then 'alarm'
    else 'ok'
  end as status,
  case
    when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
    when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') ||
    ' (' || extract(day from not_after - current_date) || ' days ago).'
    else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
    ' (' || extract(day from not_after - current_date) || ' days).'
   end as reason
  
  , region, account_id
from
  aws_acm_certificate;

Tags

category = Compliance
nist_csf_v2 = true
plugin = aws
service = AWS/ACM