Skip to main content

AWS - ACM

Amazon Web Services Certificate Manager Service (ACM)

For more information regarding the AWS ACM service, please visit the official documentation found here.

For detailed instructions about setting up authentication, see: AWS Integrations - Authentication.

Configure AWS - ACM on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AWS - ACM.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    roleArnrole ARNFalse
    roleSessionNameRole Session NameFalse
    defaultRegionAWS Default RegionFalse
    sessionDurationRole Session DurationFalse
    access_keyAccess KeyFalse
    secret_keySecret KeyFalse
    timeoutThe time in seconds till a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified a default of 10 second will be used.False
    retriesThe maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time. More details about the retries strategy is available here.False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-acm-describe-certificate#


Returns detailed metadata about the specified ACM certificate.

Base Command#

aws-acm-describe-certificate

Input#

Argument NameDescriptionRequired
certificateArnThe Amazon Resource Name (ARN) of the ACM certificate.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.ACM.Certificates.CertificateArnstringhe Amazon Resource Name (ARN) of the certificate.
AWS.ACM.Certificates.DomainNamestringThe fully qualified domain name for the certificate, such as www.example.com or example.com.
AWS.ACM.Certificates.SubjectAlternativeNamesstringOne or more domain names (subject alternative names) included in the certificate. This list contains the domain names that are bound to the public key that is contained in the certificate. The subject alternative names include the canonical domain name (CN) of the certificate and additional domain names that can be used to connect to the website.
AWS.ACM.Certificates.DomainValidationOptions.DomainNamestringA fully qualified domain name (FQDN) in the certificate.
AWS.ACM.Certificates.DomainValidationOptions.ValidationEmailsstringA list of email addresses that ACM used to send domain validation emails.
AWS.ACM.Certificates.DomainValidationOptions.ValidationDomainstringThe domain name that ACM used to send domain validation emails.
AWS.ACM.Certificates.DomainValidationOptions.ValidationStatustringThe validation status of the domain name.
AWS.ACM.Certificates.DomainValidationOptions.ResourceRecord.NamestringThe name of the DNS record to create in your domain. This is supplied by ACM.
AWS.ACM.Certificates.DomainValidationOptions.ResourceRecord.TypestringThe type of DNS record. Currently this can be CNAME.
AWS.ACM.Certificates.DomainValidationOptions.ResourceRecord.ValuestringThe value of the CNAME record to add to your DNS database. This is supplied by ACM.
AWS.ACM.Certificates.DomainValidationOptions.ValidationMethodstringSpecifies the domain validation method.
AWS.ACM.Certificates.SerialstringThe serial number of the certificate.
AWS.ACM.Certificates.SubjectstringThe name of the entity that is associated with the public key contained in the certificate.
AWS.ACM.Certificates.IssuerstringThe name of the certificate authority that issued and signed the certificate.
AWS.ACM.Certificates.CreatedAtdateThe time at which the certificate was requested. This value exists only when the certificate type is AMAZON_ISSUED .
AWS.ACM.Certificates.IssuedAtdateThe time at which the certificate was issued. This value exists only when the certificate type is AMAZON_ISSUED .
AWS.ACM.Certificates.ImportedAtdateThe date and time at which the certificate was imported. This value exists only when the certificate type is IMPORTED.
AWS.ACM.Certificates.StatusstringThe status of the certificate.
AWS.ACM.Certificates.RevokedAtdateThe time at which the certificate was revoked. This value exists only when the certificate status is REVOKED.
AWS.ACM.Certificates.RevocationReasonstringThe reason the certificate was revoked. This value exists only when the certificate status is REVOKED.
AWS.ACM.Certificates.NotBeforedateThe time before which the certificate is not valid.
AWS.ACM.Certificates.NotAfterdateThe time after which the certificate is not valid.
AWS.ACM.Certificates.KeyAlgorithmstringThe algorithm that was used to generate the public-private key pair.
AWS.ACM.Certificates.SignatureAlgorithmstringThe algorithm that was used to sign the certificate.
AWS.ACM.Certificates.InUseBystringA list of ARNs for the AWS resources that are using the certificate. A certificate can be used by multiple AWS resources.
AWS.ACM.Certificates.FailureReasonstringThe reason the certificate request failed.
AWS.ACM.Certificates.TypestringThe source of the certificate.
AWS.ACM.Certificates.RenewalSummary.RenewalStatusstringThe status of ACM's managed renewal of the certificate.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.DomainNamestringA fully qualified domain name (FQDN) in the certificate.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ValidationEmailsstringA list of email addresses that ACM used to send domain validation emails.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ValidationDomainstringThe domain name that ACM used to send domain validation emails.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ValidationStatusstringThe validation status of the domain name.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ResourceRecord.NamestringThe name of the DNS record to create in your domain. This is supplied by ACM.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ResourceRecord.TypestringThe type of DNS record.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ResourceRecord.ValuestringThe value of the CNAME record to add to your DNS database. This is supplied by ACM.
AWS.ACM.Certificates.RenewalSummary.DomainValidationOptions.ValidationMethodstringSpecifies the domain validation method.
AWS.ACM.Certificates.KeyUsages.NamestringA list of Key Usage X.509 v3 extension objects. Each object is a string value that identifies the purpose of the public key contained in the certificate.
AWS.ACM.Certificates.ExtendedKeyUsages.NamestringThe name of an Extended Key Usage value.
AWS.ACM.Certificates.ExtendedKeyUsages.OIDunknownAn object identifier (OID) for the extension value. OIDs are strings of numbers separated by periods.
AWS.ACM.Certificates.CertificateAuthorityArnstringThe Amazon Resource Name (ARN) of the ACM PCA private certificate authority (CA) that issued the certificate.
AWS.ACM.Certificates.RenewalEligibilitystringSpecifies whether the certificate is eligible for renewal.
AWS.ACM.Certificates.Options.CertificateTransparencyLoggingPreferencestringYou can opt out of certificate transparency logging by specifying the DISABLED option. Opt in by specifying ENABLED.

aws-acm-list-certificates#


Retrieves a list of certificate ARNs and domain names. You can request that only certificates that match a specific status be listed. You can also filter by specific attributes of the certificate.

Base Command#

aws-acm-list-certificates

Input#

Argument NameDescriptionRequired
certificateStatusesFilter the certificate list by status value. Possible values are: PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED, FAILED.Optional
extendedKeyUsageSpecify one or more ExtendedKeyUsage extension values. Possible values are: TLS_WEB_SERVER_AUTHENTICATION, TLS_WEB_CLIENT_AUTHENTICATION, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, ANY, NONE, CUSTOM.Optional
keyUsageSpecify one or more KeyUsage extension values. Possible values are: DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, DATA_ENCIPHERMENT, KEY_AGREEMENT, CERTIFICATE_SIGNING, CRL_SIGNING, ENCIPHER_ONLY, DECIPHER_ONLY, ANY, CUSTOM.Optional
keyTypesSpecify one or more algorithms that can be used to generate key pairs. Possible values are: RSA_2048, RSA_1024, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1.Optional
regionThe AWS Region, if not specified the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.ACM.Certificates.CertificateArnstringAmazon Resource Name (ARN) of the certificate.
AWS.ACM.Certificates.DomainNamestringFully qualified domain name (FQDN), such as www.example.com or example.com, for the certificate.
AWS.ACM.Certificates.RegionunknownThe AWS region were the certificate is located.

aws-acm-add-tags-to-certificate#


Adds one or more tags to an ACM certificate.

Base Command#

aws-acm-add-tags-to-certificate

Input#

Argument NameDescriptionRequired
certificateArnString that contains the ARN of the ACM certificate to which the tag is to be applied.Required
tagsThe key-value pair that defines the tag. The tag value is optional.Required
regionThe AWS Region, if not specified the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

aws-acm-remove-tags-from-certificate#


Remove one or more tags from an ACM certificate.

Base Command#

aws-acm-remove-tags-from-certificate

Input#

Argument NameDescriptionRequired
certificateArnThe ARN of the ACM Certificate with one or more tags that you want to remove.Required
tagsThe key-value pair that defines the tag to remove.Required
regionThe AWS Region, if not specified the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

aws-acm-list-tags-for-certificate#


Lists the tags that have been applied to the ACM certificate. Use the certificate's Amazon Resource Name (ARN) to specify the certificate.

Base Command#

aws-acm-list-tags-for-certificate

Input#

Argument NameDescriptionRequired
certificateArnThe ARN of the ACM certificate for which you want to list the tags.Required
regionThe AWS Region, if not specified the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.ACM.Certificates.Tags.KeystringThe key of the tag.
AWS.ACM.Certificates.Tags.ValuestringThe value of the tag.

aws-acm-get-certificate#


Retrieves a certificate specified by an ARN and its certificate chain . The chain is an ordered list of certificates that contains the end entity certificate, intermediate certificates of subordinate CAs, and the root certificate in that order. The certificate and certificate chain are base64 encoded. If you want to decode the certificate to see the individual fields, you can use OpenSSL.

Base Command#

aws-acm-get-certificate

Input#

Argument NameDescriptionRequired
certificateArnThe ARN of the certificate.Required
regionThe AWS Region, if not specified the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.ACM.Certificates.CertificatestringString that contains the ACM certificate represented by the ARN specified at input.
AWS.ACM.Certificates.CertificateChainstringThe certificate chain that contains the root certificate issued by the certificate authority (CA).