List all AWS Certificate Manager certificates
In this blog, I will share a PowerShell script to list all AWS Certificate Manager (ACM) certificates across all profiles and regions. This script will include details such as the certificate domain, type, expiration date, and associated resources (InUseBy). You can choose to display the results, export them to a file, or both.
Explore my other articles about AWS services and Microsoft Azure services.
Introduction
Use AWS Certificate Manager (ACM) to provision, manage, and deploy public and private SSL/TLS certificates for AWS services and your internal connected resources.
I needed a comprehensive list of all AWS Certificate Manager (ACM) certificates managed by ACM, including details such as the certificate domain, type, expiration date, associated resource (InUseBy), and other properties. I will use this list to determine which certificates to delete, keep, or renew. To achieve this, I utilized PowerShell and “AWS Tools for PowerShell – AWS Certificate Manager”.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
<# Requested ACM certificate information. Profile : Production Region : us-east-1 DomainName : stage.saadkhamis.com Type : AMAZON_ISSUED RenewalEligibility : ELIGIBLE Status : ISSUED Expiration : 8/15/2024 11:59:59 PM Domains : stage.saadkhamis.com InUseBy : arn:aws:cloudfront::123456789012:distribution/A12ABC1234ABCD CertificateArn : arn:aws:acm:us-east-1:123456789013:certificate/12345678-abcd-1234-abcd-123456789014 #> |
Prerequisites
To execute the script provided in this blog, you need to:
- Install and configure AWS Tools for PowerShell.
- Log in to all necessary AWS accounts and profiles.
- Configure your IAM permissions to allow required access to AWS Certificate Manager (ACM) certificates.
PowerShell Cmdlets
Here are the PowerShell cmdlets we will use.
- Get-ACCTRegionList Lists all the Regions for a given account and their respective opt-in statuses.
- Get-ACMCertificateDetail Returns detailed metadata about the specified ACM certificate.
- Get-ACMCertificateList Retrieves a list of certificate ARNs and domain names.
- Get-AWSCredential Returns an AWSCredentials object initialized from either credentials currently set as default in the shell or saved and associated with the supplied name from the local credential store.
Retrieve metadata about a specified ACM certificate
First, we will begin by using the Get-ACMCertificateDetail cmdlet to retrieve metadata about a specific ACM certificate.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
$Profile = "Production" $Region = "us-east-1" $AcmCertificateArn = "arn:aws:acm:us-east-1:123456789013:certificate/12345678-abcd-1234-abcd-123456789014" $AcmCertificateDetail = Get-ACMCertificateDetail ` -ProfileName $Profile ` -Region $Region ` -CertificateArn $AcmCertificateArn <# $AcmCertificateDetail CertificateArn : arn:aws:acm:us-east-1:123456789013:certificate/12345678-abcd-1234-abcd-123456789014 CertificateAuthorityArn : CreatedAt : 7/18/2023 5:06:05 PM DomainName : stage.saadkhamis.com DomainValidationOptions : {stage.saadkhamis.com} ExtendedKeyUsages : {TLS_WEB_SERVER_AUTHENTICATION, TLS_WEB_CLIENT_AUTHENTICATION} FailureReason : ImportedAt : 1/1/0001 12:00:00 AM InUseBy : {arn:aws:cloudfront::123456789012:distribution/A12ABC1234ABCD} IssuedAt : 7/18/2023 5:56:52 PM Issuer : Amazon KeyAlgorithm : RSA-2048 KeyUsages : {DIGITAL_SIGNATURE, KEY_ENCIPHERMENT} NotAfter : 8/15/2024 11:59:59 PM NotBefore : 7/18/2023 12:00:00 AM Options : Amazon.CertificateManager.Model.CertificateOptions RenewalEligibility : ELIGIBLE RenewalSummary : Amazon.CertificateManager.Model.RenewalSummary RevocationReason : RevokedAt : 1/1/0001 12:00:00 AM Serial : 99:c9:99:bf:89:9e:09:9a:be:9f:ef:99:99:d9:f9:99 SignatureAlgorithm : SHA256WITHRSA Status : ISSUED Subject : CN=stage.saadkhamis.com SubjectAlternativeNames : {stage.saadkhamis.com} Type : AMAZON_ISSUED #> |
Compile requested EBS snapshot information
Second, let’s compile the required information. Note that the “-join” operator concatenates a set of strings into a single string.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
$Profile = "Production" $Region = "us-east-1" $AcmCertificateArn = "arn:aws:acm:us-east-1:123456789013:certificate/12345678-abcd-1234-abcd-123456789014" $AcmCertificateDetail = Get-ACMCertificateDetail ` -ProfileName $Profile ` -Region $Region ` -CertificateArn $AcmCertificateArn $ACMCertificateDetail | ` Select @{N="Profile";E={$Profile}}, ` @{N="Region";E={$Region}},` DomainName, Type, RenewalEligibility, Status, ` @{N="Expiration";E={$_.NotAfter}}, ` @{N="Domains";E={$_.SubjectAlternativeNames -join "`n"}}, ` @{N="InUseBy";E={$_.InUseBy -join "`n"}}, CertificateArn <# Profile : Production Region : us-east-1 DomainName : stage.saadkhamis.com Type : AMAZON_ISSUED RenewalEligibility : ELIGIBLE Status : ISSUED Expiration : 8/15/2024 11:59:59 PM Domains : stage.saadkhamis.com InUseBy : arn:aws:cloudfront::123456789012:distribution/A12ABC1234ABCD CertificateArn : arn:aws:acm:us-east-1:123456789013:certificate/12345678-abcd-1234-abcd-123456789014 #> |
Compile requested ACM certificates information within a single profile and region
Third, let’s compile the required information for a single profile and region.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
$Profile = "Production" $Region = "us-east-1" # Get ACM certificate list. $AcmCertificates = Get-ACMCertificateList ` -ProfileName $Profile ` -Region $Region # Initialize output $Output = @() # Are ACM certificates present in the specified profile and region? If ($AcmCertificates) { # For each certificate: ForEach ($AcmCertificate in $AcmCertificates) { Write-Host ("$($AcmCertificate.DomainName)") # Get certificate information. $AcmCertificateDetail = Get-ACMCertificateDetail ` -ProfileName $Profile ` -Region $Region ` -CertificateArn $AcmCertificate.CertificateArn # Complie requested information. $Output += $AcmCertificateDetail | ` Select @{N="Profile";E={$Profile}}, ` @{N="Region";E={$Region}},` DomainName, Type, RenewalEligibility, Status, ` @{N="Expiration";E={$_.NotAfter}}, ` @{N="Domains";E={$_.SubjectAlternativeNames -join "`n"}}, ` @{N="InUseBy";E={$_.InUseBy -join "`n"}}, CertificateArn } # $AcmCertificate } |
Compile requested ACM certificates information within a single profile
Third, let’s compile the required information for a single profile and all enabled regions within the profile
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
$Profile = "Production" $Region = "us-east-1" $DefaultRegion = "us-east-1" # Initialize output $Output = @() # Get enabled regions $EnabledRegions = $null $EnabledRegions = (Get-ACCTRegionList ` -ProfileName $Profile ` -Region $DefaultRegion ` -RegionOptStatusContain @("ENABLED","ENABLED_BY_DEFAULT") | ` Sort-Object RegionName).RegionName # Are there enabled regions? If ($EnabledRegions) { # For each region ForEach ($Region in $EnabledRegions) { Write-Host (">>> $Region") # Get ACM certificate list. $AcmCertificates = Get-ACMCertificateList ` -ProfileName $Profile ` -Region $Region # Are ACM certificates present in the specified profile and region? If ($AcmCertificates) { # For each certificate: ForEach ($AcmCertificate in $AcmCertificates) { Write-Host ("`t$($AcmCertificate.DomainName)") # Get certificate information. $AcmCertificateDetail = Get-ACMCertificateDetail ` -ProfileName $Profile ` -Region $Region ` -CertificateArn $AcmCertificate.CertificateArn # Complie requested information. $Output += $AcmCertificateDetail | ` Select @{N="Profile";E={$Profile}}, ` @{N="Region";E={$Region}},` DomainName, Type, RenewalEligibility, Status, ` @{N="Expiration";E={$_.NotAfter}}, ` @{N="Domains";E={$_.SubjectAlternativeNames -join "`n"}}, ` @{N="InUseBy";E={$_.InUseBy -join "`n"}}, CertificateArn } # $AcmCertificate } } } |
Compile requested ACM certificates information across all profiles and regions
Finally, let’s compile the required information across all profiles and regions.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
$Profile = "Production" $Region = "us-east-1" $DefaultRegion = "us-east-1" # Initialize output $Output = @() # Get a profiles list. $Profiles = Get-AWSCredential -ListProfileDetail | ` Where-Object {$_.ProfileName -notlike "default"} | ` Sort-Object ProfileName # For each profile: ForEach ($Profile in $Profiles.ProfileName) { Write-Host ("*** $Profile") # Get enabled regions $EnabledRegions = $null $EnabledRegions = (Get-ACCTRegionList ` -ProfileName $Profile ` -Region $DefaultRegion ` -RegionOptStatusContain @("ENABLED","ENABLED_BY_DEFAULT") | ` Sort-Object RegionName).RegionName # Are there enabled regions? If ($EnabledRegions) { # For each region: ForEach ($Region in $EnabledRegions) { Write-Host ("`t>>> $Region") # Get ACM certificate list. $AcmCertificates = Get-ACMCertificateList ` -ProfileName $Profile ` -Region $Region # Are ACM certificates present in the specified profile and region? If ($AcmCertificates) { # For each certificate: ForEach ($AcmCertificate in $AcmCertificates) { Write-Host ("`t`t$($AcmCertificate.DomainName)") # Get certificate information. $AcmCertificateDetail = Get-ACMCertificateDetail ` -ProfileName $Profile ` -Region $Region ` -CertificateArn $AcmCertificate.CertificateArn # Complie requested information. $Output += $AcmCertificateDetail | ` Select @{N="Profile";E={$Profile}}, ` @{N="Region";E={$Region}},` DomainName, Type, RenewalEligibility, Status, ` @{N="Expiration";E={$_.NotAfter}}, ` @{N="Domains";E={$_.SubjectAlternativeNames -join "`n"}}, ` @{N="InUseBy";E={$_.InUseBy -join "`n"}}, CertificateArn } # $AcmCertificate } } } } # Export to CSV file. $Output | Export-Csv -NoTypeInformation -Path "C:\Temp\AWS_AcmCertificats.csv" |
Conclusion
Congratulations on reaching the end of this blog! You’ve successfully navigated through some potentially challenging and lengthy code. Well done!
In this blog, I used PowerShell and AWS Tools for PowerShell to create a script that retrieves all AWS ACM certificates across all profiles and regions. This information will help determine which certificates to delete, keep, or renew.
Did you find this blog easy to follow and helpful? I would love to hear your feedback and suggestions, so please share them in the comments below.
Disclaimer
Purpose of the code contained in blog is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.
Comments
Related Posts
Use PowerShell to request a public certificate from AWS Certificate Manager
By 13962 views August 1, 2024
Get all AWS EBS snapshots across all profiles and regions
By 18448 views June 26, 2024
AWS IAM role is not listed in the IAM roles dropdown menu for EC2
By 18281 views June 25, 2024
Get all AWS Backup recovery points grouped by resource name across all profiles and regions
By 19721 views June 14, 2024
Get all AWS EC2 instances across all profiles and regions
By 33195 views November 27, 2023
There's no comments