What this looks like in the scanner
securecompass.io/public-exposure-scanner
Severity   Resource                 Finding
Critical   *.example.com            ACM certificate expires in 3 days and auto-renewal has failed due to a DNS validation issue
High       api.example.com          Imported certificate expires in 14 days with no renewal automation configured
Medium     *.staging.example.com    Wildcard certificate used across all staging services - a single key compromise affects every subdomain
What does AWS Certificate Manager public exposure mean?
ACM certificates themselves aren't publicly "exposed" the way an open port or bucket is, but a mismanaged certificate weakens every public endpoint that serves it: one that has expired or whose renewal is stuck, an imported certificate nobody is tracking, or a certificate attached to a listener whose TLS policy still allows weak protocols and cipher suites (the protocol settings live on the ALB, CloudFront or API Gateway listener, not in ACM).
Why it matters
Expired or misconfigured TLS certificates cause outages and browser warnings, and users trained to click through warnings are easy prey for a man-in-the-middle; a weak TLS policy on the listener lets an attacker downgrade the connection outright. Every public certificate ACM issues is recorded in Certificate Transparency logs, so each hostname in a certificate's subject alternative names is discoverable by anyone querying the logs (crt.sh, for instance), staging and internal-sounding names included.
How to check manually
1. Review ACM for certificates approaching expiration, in every region you use (the list-certificates API returns only RSA_2048 certificates unless you ask for every key type).
2. Check that auto-renewal is working for ACM-issued certificates: RenewalSummary.RenewalStatus should be SUCCESS or PENDING_AUTO_RENEWAL, the DNS validation CNAME records must still exist in your hosted zone (ACM re-checks them at every renewal), and email-validated certificates need someone reading the renewal mail.
3. Verify imported certificates have expiry alerting, because ACM never renews them: alarm on the DaysToExpiry metric in the AWS/CertificateManager CloudWatch namespace, or enable the acm-certificate-expiration-check AWS Config rule.
4. Audit certificate usage across CloudFront, ALB, and API Gateway (the InUseBy field lists the consumers), and confirm each listener uses a current TLS security policy.
Quick check with AWS CLI

List ACM certificates and their status (pass every key type; without --includes only RSA_2048 certificates are returned):

aws acm list-certificates --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1 --query "CertificateSummaryList[].{Domain:DomainName,ARN:CertificateArn,Status:Status,Type:Type}" --output table

Check details, expiration and renewal state for a specific cert (a RenewalStatus other than SUCCESS or PENDING_AUTO_RENEWAL close to NotAfter means renewal is stuck):

aws acm describe-certificate --certificate-arn YOUR_CERT_ARN --query "Certificate.{Domain:DomainName,Type:Type,Status:Status,NotAfter:NotAfter,InUseBy:InUseBy,RenewalEligibility:RenewalEligibility,Renewal:RenewalSummary.RenewalStatus,Reason:RenewalSummary.RenewalStatusReason}"

Find certificates expiring within 30 days (the cutoff uses GNU date; on macOS use "date -u -v+30d +%Y-%m-%dT%H:%M:%S"):

CUTOFF=$(date -u -d '+30 days' +%Y-%m-%dT%H:%M:%S)
aws acm list-certificates --includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1 --query "CertificateSummaryList[].CertificateArn" --output text | tr '\t' '\n' | xargs -I {} aws acm describe-certificate --certificate-arn {} --query "Certificate.[DomainName,NotAfter]" --output text | sort -k2 | awk -v cutoff="$CUTOFF" '$2 <= cutoff'

Common misconfigurations
Certificates expiring without auto-renewal
Imported certificates without monitoring for expiration
Wildcard certificates used where per-hostname certificates would limit the blast radius of a single key compromise
Outdated TLS policies allowing weak cipher suites
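The manual checks and the common misconfigurations above, combined into one script that ranks certificates the way the scanner output at the top of the page does. This is an added example, not the scanner's own code: the 7-day and 30-day severity thresholds, the fixed clock, the ARNs and the certificate records are constructed assumptions, and the fetch helper needs boto3 plus AWS credentials. The classification itself works on the dictionaries that describe-certificate returns, so it runs offline on the sample data.

```python
"""Rank ACM certificates the way the scanner findings above are ranked.

Added example, not the scanner's code. Input records have the shape of
`aws acm describe-certificate` / boto3 describe_certificate()["Certificate"].
"""
from datetime import datetime, timedelta, timezone

# Thresholds are an assumption chosen to reproduce the findings above.
CRITICAL_DAYS = 7
HIGH_DAYS = 30
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}

# Every key type ACM knows; list_certificates returns only RSA_2048 otherwise.
ALL_KEY_TYPES = ["RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
                 "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]


def classify(cert, now):
    """Return a list of (severity, domain, message) findings for one cert."""
    domain = cert["DomainName"]
    days = int((cert["NotAfter"] - now).total_seconds() // 86400)
    in_use = cert.get("InUseBy", [])
    renewal = cert.get("RenewalSummary", {})
    findings = []

    if cert.get("Status") == "EXPIRED" or days < 0:
        findings.append(("Critical", domain, "certificate has already expired"))
    elif cert.get("Type") == "IMPORTED":
        # ACM never renews imported certificates; expiry tracking is on you.
        if days <= HIGH_DAYS:
            sev = "Critical" if days <= CRITICAL_DAYS else "High"
            findings.append((sev, domain, f"Imported certificate expires in {days} days "
                             "with no renewal automation in ACM"))
    elif days <= HIGH_DAYS and renewal.get("RenewalStatus") != "SUCCESS":
        # ACM starts managed renewal ~60 days before NotAfter, so a managed
        # certificate this close to expiry without a SUCCESS renewal is stuck.
        if cert.get("RenewalEligibility") == "INELIGIBLE":
            why = "it is ineligible for managed renewal (e.g. not in use)"
        else:
            why = f"auto-renewal status is {renewal.get('RenewalStatus', 'not started')}"
            pending = [d["DomainName"] for d in renewal.get("DomainValidationOptions", [])
                       if d.get("ValidationMethod") == "DNS"
                       and d.get("ValidationStatus") != "SUCCESS"]
            if pending:
                why += "; DNS validation is not passing for " + ", ".join(pending)
        sev = "Critical" if days <= CRITICAL_DAYS else "High"
        findings.append((sev, domain, f"ACM certificate expires in {days} days and {why}"))

    if domain.startswith("*.") and len(in_use) > 1:
        findings.append(("Medium", domain, f"Wildcard certificate shared by {len(in_use)} "
                         "resources: one key compromise affects every subdomain"))
    return findings


def report(certs, now):
    """Classify every certificate and sort the findings by severity."""
    findings = [f for cert in certs for f in classify(cert, now)]
    findings.sort(key=lambda f: SEVERITY_RANK[f[0]])
    return findings


def fetch_certificates(region=None):
    """Pull every certificate from ACM (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline classification needs no boto3
    acm = boto3.client("acm", region_name=region)
    certs = []
    for page in acm.get_paginator("list_certificates").paginate(
            Includes={"keyTypes": ALL_KEY_TYPES}):
        for summary in page["CertificateSummaryList"]:
            arn = summary["CertificateArn"]
            certs.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    return certs


# Constructed sample data with a fixed clock; ARNs and dates are made up.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ALB = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/"
SAMPLE_CERTS = [
    {"DomainName": "*.example.com", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=3), "RenewalEligibility": "ELIGIBLE",
     "InUseBy": [ALB + "web/1"],
     "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION", "DomainValidationOptions": [
         {"DomainName": "*.example.com", "ValidationMethod": "DNS",
          "ValidationStatus": "PENDING_VALIDATION"}]}},
    {"DomainName": "api.example.com", "Type": "IMPORTED", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=14), "RenewalEligibility": "INELIGIBLE",
     "InUseBy": [ALB + "api/1"]},
    {"DomainName": "*.staging.example.com", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=200), "RenewalEligibility": "ELIGIBLE",
     "InUseBy": [ALB + "stg-web/1", ALB + "stg-api/1", ALB + "stg-admin/1"],
     "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"}},
    {"DomainName": "www.example.com", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "NotAfter": NOW + timedelta(days=300), "RenewalEligibility": "ELIGIBLE",
     "InUseBy": [ALB + "web/1"]},
]

if __name__ == "__main__":
    for sev, domain, msg in report(SAMPLE_CERTS, NOW):
        print(f"{sev:<9} {domain:<24} {msg}")
    # Against a real account: report(fetch_certificates(), datetime.now(timezone.utc))
```

Run it as-is to see the three findings from the page reproduced from the constructed records; swap in fetch_certificates() to run it against an account, and extend classify if your risk model differs (for example, treating any wildcard in production as Medium regardless of how many resources share it).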
Check all 22 resource types at once
Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.