Certificate Manager
Retrieves and monitors certificate information from AWS Certificate Manager.
Details
The AWS Certificate Manager input collects certificate information from AWS Certificate Manager. It retrieves certificate ARNs, domain names, and related certificate information based on the configured filters.
Requirements
- IAM Role Assumption / Static Credentials
- Example permission to attach to the role/user:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ACMPermissions",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate"
      ],
      "Resource": "*"
    }
  ]
}
```
Configuration
Settings
| Setting | Type | Required | Default | Description |
|---|---|---|---|---|
| role_arn | string | Yes | - | The ARN of the role to assume to access the certificate manager |
| cron | string | Yes | - | Cron expression for scheduling the input |
| region | array | Yes | - | Filter the certificate list by region (us-east-1, us-east-2, us-west-1, us-west-2, af-south-1, ap-east-1, ap-south-1, ap-northeast-1, ap-northeast-2, ap-northeast-3, ap-southeast-1, ap-southeast-2, ca-central-1, cn-north-1, cn-northwest-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, eu-south-1, me-south-1, sa-east-1, us-gov-east-1, us-gov-west-1) |
| certificate_statuses | array | No | - | Filter the certificate list by status value (PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED, FAILED) |
| extended_key_usage | array | No | - | Filter by the Extended Key Usage X.509 v3 extension (TLS_WEB_SERVER_AUTHENTICATION, TLS_WEB_CLIENT_AUTHENTICATION, CODE_SIGNING, EMAIL_PROTECTION, TIME_STAMPING, OCSP_SIGNING, IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER, ANY, NONE, CUSTOM) |
| key_types | array | No | - | Filter by algorithms used to generate key pairs (RSA_1024, RSA_2048, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1) |
| key_usage | array | No | - | Filter by Key Usage X.509 v3 extension (DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, DATA_ENCIPHERMENT, KEY_AGREEMENT, CERTIFICATE_SIGNING, CRL_SIGNING, ENCIPHER_ONLY, DECIPHER_ONLY, ANY, CUSTOM) |
| sort_by | string | No | - | Specifies the field to sort results by (CREATED_AT) |
| sort_order | string | No | - | Specifies the order in which to sort results (ASCENDING, DESCENDING) |
Secrets (Static Credentials Only)
| Setting | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Conditional | AWS Access Key ID |
| Secret Key | string | Conditional | AWS Secret Access Key |
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.
Sample Record
```json
{
  "CertificateArn": "3b2bd830-d5f1-2087-a0c9-fd2d839639dd",
  "CreatedAt": "2025-08-11T23:46:55.690781Z",
  "DomainName": "app.monad.com",
  "Exported": true,
  "ExtendedKeyUsages": [
    "SERVER_AUTH"
  ],
  "HasAdditionalSubjectAlternativeNames": true,
  "ImportedAt": null,
  "InUse": false,
  "IssuedAt": "2025-08-11T23:46:55.690862Z",
  "KeyAlgorithm": "RSA_1024",
  "KeyUsages": [
    "CERTIFICATE_SIGNING"
  ],
  "NotAfter": "2025-08-11T23:46:55.690894Z",
  "NotBefore": "2025-08-11T23:46:55.690895Z",
  "RenewalEligibility": "ELIGIBLE",
  "RevokedAt": null,
  "Status": "FAILED",
  "SubjectAlternativeNameSummaries": [
    "example.com",
    "app.monad.org"
  ],
  "Type": "IMPORTED"
}
```
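Records in this shape can be triaged downstream for certificate hygiene. The following is an added example, not part of the input or its documentation: the function names, the finding labels, the 30-day warning window and the choice to treat RSA_1024 as a weak key are assumptions, and the records are constructed using the field names from the sample record.

```python
from datetime import datetime, timedelta, timezone

WEAK_KEYS = {"RSA_1024"}  # assumption: policy treats 1024-bit RSA as too weak


def parse_ts(value):
    """Parse the record's ISO-8601 timestamps; null fields come through as None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(record, now, warn_days=30):
    """Return a list of finding labels for one certificate record."""
    findings = []
    if record.get("KeyAlgorithm") in WEAK_KEYS:
        findings.append("weak-key")
    if record.get("Status") != "ISSUED":
        findings.append("status:" + str(record.get("Status")))
    not_after = parse_ts(record.get("NotAfter"))
    if not_after is not None:
        if not_after <= now:
            findings.append("expired")
        elif not_after - now <= timedelta(days=warn_days):
            findings.append("expiring-soon")
            # ACM does not renew imported certificates automatically.
            if record.get("Type") == "IMPORTED":
                findings.append("manual-renewal")
    return findings


# Constructed records using the field names from the sample record.
NOW = datetime(2025, 8, 1, tzinfo=timezone.utc)
RECORDS = [
    {"DomainName": "a.example.com", "KeyAlgorithm": "RSA_1024", "Status": "FAILED",
     "NotAfter": "2025-07-11T23:46:55.690894Z", "Type": "IMPORTED"},
    {"DomainName": "b.example.com", "KeyAlgorithm": "RSA_2048", "Status": "ISSUED",
     "NotAfter": "2025-08-11T23:46:55.690894Z", "Type": "IMPORTED"},
    {"DomainName": "c.example.com", "KeyAlgorithm": "EC_prime256v1", "Status": "ISSUED",
     "NotAfter": "2026-08-11T23:46:55.690894Z", "Type": "AMAZON_ISSUED"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["DomainName"], triage(rec, NOW))
```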