We had set up a common ALB as a single point of entry to all systems. We wanted to drop traffic at the ALB when the SSL cert was not renewed (expired) by the individual system teams.

We have a 3rd-party DDOS service that has automatic cert updates, and it reflects the cert as valid, but not the ALB cert, as that cert was not updated.

Internet -> DDOS services -> ALB -> Systems

I wonder if there's a way to deny traffic if the SSL cert is expired?

Desmond

1 Answer

You can use an AWS Config rule for the AWS_CERTIFICATE_EXPIRATION_CHECK event that triggers an SNS topic when the cert has expired (0 days to expiration).

The SNS topic can trigger a lambda function which removes/alters the security group rule that allows traffic from the security group associated with the ALB.

Paolo