AWS — SSL Certificate Expiration Alerts Using Lambda

This solution is mostly recommended for certificates that are managed by third-party certificates managers (eg: GoDaddy, Comodo, The SSL Store, etc…). It also can be used to monitor other public SSL certificates that are deployed or the AWS Certificate manager deployed SSL certificates.

Here is a solution using AWS Lambda service to monitor SSL certificate expiration alerts based on days left to get warning/critical alerts.

High-level Solution Overview

Services Used:

1. AWS Lambda

2. AWS Cloud watch

3. AWS SNS

Implementation instructions:

First Setup the SNS Topic

Note: All the AWS services have been deployed in us-east-1 region.

1. Log in to the AWS console and open the SNS dashboard.

Click > Topics > Create topic

2. Create an SNS topic to get the alerts. To create a topic please follow the steps in the provided screenshot.

Select > Standard

Name > ssl_cert_expire_sns

Display name — optional > ssl_cert_expire_sns

Click > Create topic

3. To get the emails we need to subscribe(add) the email address in the topic created below.

Select the topic and click > Create Subscribe

Topic ARN > (Keep Default)

Protocol Select > Email

Endpoint: legionlenovointel@gmail.com (email that you're defining)

Click > Create Subscription

Now you will get the confirmation email from AWS to receive emails from the topic. Go through the email and open the provided link in the email to subscribe.

4. Go to Lambda Service Dashboard > Click on the left panel “Functions” and Click “Create Function” select the Author from scratch (Lambda>Functions>Create function>Author from scratch)

· Function Name: SSL-Cert-Expiry-Alert-Function (You can give your own function name)

· Runtime: Python 3.9

· Execution role: Create a New role from template(s)

· Role Name: SSL-Cert-Expiry-Alert-Role (you can give your own role name)

· Policy Templates: SNS publish policy

· Click > “Create function”

· Now Edit the function Code Section.

· Code entry type: Edit Code inline

· Runtime: Python 3.9

· Copy the function code from this GitHub URL https://github.com/aasheriff/ssl_cert_expiration_alert and past it into the lambda_function.py in the AWS lambda function. Click > “Deploy”

Note: The script will produce warning alerts on the 50th and 40th and 30th day and critical alerts starting 15th and 20th day till you renew the SSL certificate.

Edit the code to update the SNS Topic ARN that was created initially.

Add the domains you want to monitor:

Click on “Configuration” > “Environment Variables” > “Edit”

Variable Key needs to be domain_1 and the value will be your domain to monitor, as a sample I have used GitHub.com.

5. Create a schedule event using CloudWatch to call the above Lambda function on daily basis.

Go to Cloudwatch > Expand “Events“ in left panel > Click on > “Rules” > Click “Create rule”

· Event source: Select > “Schedule” Fixed rate of 1 and select > “Days”

· Target: select > “Lambda Function” > Function Select > ”SSL-Cert-Expire-Alert-Function”

· Click > “Configure Details”

Name: “ssl_alerts_cw”

Click > “Create Rule”

6. Editing the alert email body:

• Go to the lambda function and in the left panel create a new file called message.txt and edit if needed.

How to test, update the code line number 54 value from 15 to 500 and click deploy. Then after that run a test, and you will receive an alert to the subscribe email. (Refer to the Sample mail Alert).

Alert mail sample:

Sample: