Wakeup Flower

ACM certificate expirations detection methods

Option 1: Event-driven detection using EventBridge and AWS Health / ACM expiration events.

Option:

Create an Amazon EventBridge rule that matches AWS Health or ACM expiration events for ACM certificates. Send an alert notification to an SNS topic when a certificate is going to expire within 30 days.

Reasoning:

  • EventBridge is specifically designed to respond to events from AWS services in near real-time.
  • ACM generates expiration events starting 45 days before a certificate expires. These events appear automatically in EventBridge.
  • You can define an EventBridge rule that filters on event types such as "AWS_ACM_RENEWAL_STATE_CHANGE" or "AWS_ACM_RENEWAL_FAILURE".
  • The rule triggers only when a relevant event occurs → no continuous polling is needed.
  • The rule can send a notification to an SNS topic, which can:

    • Notify administrators via email.
    • Trigger an automated workflow or ITSM case creation.

Key advantage:
It’s reactive and real-time — no need to manually check; EventBridge reacts when AWS Health emits an event.


Option 2: Metric-based detection using the CloudWatch DaysToExpiry metric on a daily schedule.

Option:

Create an Amazon EventBridge rule and schedule it to run every day to identify expiring ACM certificates. Configure the rule's target to check the DaysToExpiry metric of all ACM certificates in CloudWatch. Send an alert to an SNS topic when a certificate is going to expire within 30 days.

Reasoning:

  • CloudWatch exposes the DaysToExpiry metric for ACM certificates.
  • You can schedule a daily EventBridge rule to query this metric for all certificates.
  • This is metric-based polling, which is useful when:

    • You want to check certificates at a fixed interval.
    • You want a batch view of all certificates due to expire soon.

  • If any certificate’s DaysToExpiry ≤ 30 days → trigger an SNS notification.
  • This allows proactive monitoring without waiting for ACM to emit an event.

Key advantage:
It’s scheduled and comprehensive — ensures no expiring certificate is missed even if AWS Health events fail.
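As an added example (not code from the post), here is the Lambda function a daily EventBridge schedule would invoke for Option 2. The GetMetricData queries, the ≤ 30-day decision and the SNS message body are plain functions that run offline; only lambda_handler touches AWS, and it assumes a hypothetical TOPIC_ARN environment variable. A certificate with no DaysToExpiry datapoint is reported rather than skipped, so a missing metric is never silently treated as healthy.

```python
import os
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 30                     # alert window used in the post
NAMESPACE = "AWS/CertificateManager"    # namespace ACM publishes DaysToExpiry to

def build_metric_queries(cert_arns):
    """One GetMetricData query per certificate (max 500 per call); Label carries the ARN."""
    return [{
        "Id": f"cert{i}",               # query ids must start with a lowercase letter
        "Label": cert_arn,              # echoed back in MetricDataResults
        "MetricStat": {
            "Metric": {"Namespace": NAMESPACE, "MetricName": "DaysToExpiry",
                       "Dimensions": [{"Name": "CertificateArn", "Value": cert_arn}]},
            "Period": 86400,            # ACM publishes the metric once a day
            "Stat": "Minimum"},
    } for i, cert_arn in enumerate(cert_arns)]

def expiring_certificates(results, threshold_days=THRESHOLD_DAYS):
    """results: MetricDataResults entries. Returns (arn, days) pairs at or under the
    threshold; a certificate with no datapoint is returned with days=None (not skipped)."""
    flagged = []
    for r in results:
        days = int(min(r["Values"])) if r.get("Values") else None
        if days is None or days <= threshold_days:
            flagged.append((r["Label"], days))
    return sorted(flagged, key=lambda p: -1 if p[1] is None else p[1])  # unknowns first

def format_alert(flagged):
    body = [f"{arn}: {'no DaysToExpiry datapoint' if d is None else f'{d} days left'}"
            for arn, d in flagged]
    return "ACM certificates needing attention:\n" + "\n".join(body)

def lambda_handler(event, context):      # target of the daily EventBridge schedule
    import boto3                         # imported here so the logic above runs without it
    acm, cw, sns = boto3.client("acm"), boto3.client("cloudwatch"), boto3.client("sns")
    arns = [c["CertificateArn"] for page in acm.get_paginator("list_certificates").paginate()
            for c in page["CertificateSummaryList"]]
    end = datetime.now(timezone.utc)     # two-day window tolerates a late daily datapoint
    resp = cw.get_metric_data(MetricDataQueries=build_metric_queries(arns),
                              StartTime=end - timedelta(days=2), EndTime=end)
    flagged = expiring_certificates(resp["MetricDataResults"])
    if flagged:                          # TOPIC_ARN is a hypothetical environment variable
        sns.publish(TopicArn=os.environ["TOPIC_ARN"], Message=format_alert(flagged))
    return {"flagged": len(flagged)}

SAMPLE_RESULTS = [  # constructed sample shaped like MetricDataResults; ARNs are fake
    {"Label": "arn:aws:acm:us-east-1:111111111111:certificate/aaaa", "Values": [12.0]},
    {"Label": "arn:aws:acm:us-east-1:111111111111:certificate/bbbb", "Values": [200.0]},
    {"Label": "arn:aws:acm:us-east-1:111111111111:certificate/cccc", "Values": []}]
```

Running expiring_certificates(SAMPLE_RESULTS) flags the certificate with 12 days left and the one with no datapoint, and leaves the 200-day certificate alone.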


Step 4 — Why Both Are Correct

  • Option 1 (event-driven) → efficient for real-time notifications.
  • Option 2 (metric-driven) → efficient for daily audits and batch notifications.

They are complementary:

  • Event-driven detection is fast but relies on ACM emitting events properly.
  • Metric-driven detection is systematic and reliable even if events are delayed or missed.

Summary Table:

| Option | Mechanism | Pros | Cons |
|---|---|---|---|
| 1 | EventBridge + ACM events | Near real-time, automatic | Depends on ACM event delivery |
| 2 | EventBridge scheduled + DaysToExpiry | Comprehensive, systematic | Runs periodically, not instant |
