Table: aws_acm_certificates

This table shows data for Amazon Certificate Manager (ACM) Certificates.

https://docs.aws.amazon.com/acm/latest/APIReference/API_CertificateDetail.html (opens in a new tab)

The primary key for this table is arn.

Columns

NameType
_cq_iduuid
_cq_parent_iduuid
account_idutf8
regionutf8
arn (PK)utf8
tagsjson
certificate_authority_arnutf8
created_attimestamp[us, tz=UTC]
domain_nameutf8
domain_validation_optionsjson
extended_key_usagesjson
failure_reasonutf8
imported_attimestamp[us, tz=UTC]
in_use_bylist<item: utf8, nullable>
issued_attimestamp[us, tz=UTC]
issuerutf8
key_algorithmutf8
key_usagesjson
not_aftertimestamp[us, tz=UTC]
not_beforetimestamp[us, tz=UTC]
optionsjson
renewal_eligibilityutf8
renewal_summaryjson
revocation_reasonutf8
revoked_attimestamp[us, tz=UTC]
serialutf8
signature_algorithmutf8
statusutf8
subjectutf8
subject_alternative_nameslist<item: utf8, nullable>
typeutf8

Example Queries

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

Certificate has less than 30 days to be renewed

SELECT
  'certificate has less than 30 days to be renewed' AS title,
  account_id,
  arn AS resource_id,
  CASE
  WHEN not_after < timezone('UTC', now()) + '30'::INTERVAL DAY THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_acm_certificates;

Unused ACM certificate

SELECT
  'Unused ACM certificate' AS title,
  account_id,
  arn AS resource_id,
  'fail' AS status
FROM
  aws_acm_certificates
WHERE
  array_length(in_use_by, 1) = 0;

Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

SELECT
  'Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager'
    AS title,
  lb.account_id,
  lb.arn AS resource_id,
  CASE
  WHEN li->'Listener'->>'Protocol' = 'HTTPS'
  AND aws_acm_certificates.arn IS NULL
  THEN 'fail'
  ELSE 'pass'
  END
    AS status
FROM
  aws_elbv1_load_balancers AS lb,
  jsonb_array_elements(lb.listener_descriptions) AS li
  LEFT JOIN aws_acm_certificates ON
      aws_acm_certificates.arn = li->'Listener'->>'SSLCertificateId';