Ensure no SSL certificates expire in the next 14 days

AWS

ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notifications when expiration is approaching.

To renew your certificate SSL certificate manually:

1. Navigate to the EC2 Console
2. Under Load Balancing, select Load Balancers
3. Select the load balancer you want to renew the certificate for and, on the Listeners tab, choose Manage listeners
4. On the Manage listeners page, locate the listener to be updated, choose Edit under Default SSL cert and select it from ACM or IAM.

Google Cloud

Google-managed SSL certificates are renewed automatically, but you have to manually review any self-managed SSL certificates. To renew a self-managed SSL certificate, upload your new certificate and update the target proxy so that its list of SSL certificates includes the new SSL certificate in the first position to make it the primary certificate. After the new certificate, include any existing SSL certificates that you want to retain. If you have only one certificate, you need to firstly configure a new SSL certificate.

References

1. https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-update-ssl-cert.html

2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html

3. https://cloud.google.com/load-balancing/docs/ssl-certificates#config-tech

Multiple Remediation Paths

AWS

SERVICE-WIDE (RECOMMENDED when many resources are affected): Deploy centralized guardrails and remediation using AWS Config Conformance Packs and (if applicable) AWS Organizations SCPs.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

ASSET-LEVEL: Apply the resource-specific remediation steps above to only the affected assets.

PREVENTIVE: Add CI/CD policy checks (CloudFormation/Terraform validation) before deployment to prevent recurrence.

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.

References for Service-Wide Patterns

• AWS Config Conformance Packs: https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html
• AWS Organizations SCP examples: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html
• GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
• GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
• gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• AWS: deploy/adjust organization conformance packs and policy guardrails.

aws configservice put-organization-conformance-pack --organization-conformance-pack-name <pack-name> --template-s3-uri s3://<bucket>/<template>.yaml

• Google Cloud: apply organization policy constraints at org/folder scope.

gcloud org-policies set-policy policy.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.