Certificate expiration monitoring - AWS Transfer Family

AWS Transfer Family automatically monitors the expiration dates of AS2 certificates and publishes an Amazon CloudWatch metric to help you track when certificates are approaching expiration. This allows you to proactively manage certificate renewals and avoid service disruptions.

DaysUntilExpiry metric

When you import a certificate for AS2 use, Transfer Family automatically creates a CloudWatch metric called DaysUntilExpiry. This metric tracks the number of days remaining until the certificate expires based on the InactiveDate you specified when importing the certificate.

Metric details:

  • Metric name: DaysUntilExpiry

  • Namespace: AWS/Transfer

  • Dimensions: CertificateId (always present), Description (if provided during certificate import)

  • Units: Count (days)

  • Frequency: Published daily

Important

It can take up to a full day after importing a certificate for Transfer Family to emit this metric to your account.

The metric value decreases by one each day as the certificate approaches its inactive date. For example, if a certificate has 30 days until expiration, the metric will show 30, then 29 the next day, and so on.

Best practices for certificate monitoring

Follow these best practices when setting up certificate expiration monitoring:

  • Set multiple alert thresholds: Create alarms for different time periods (for example, 30 days, 14 days, and 7 days before expiration) to provide adequate time for certificate renewal.

  • Use appropriate statistics: Use the Maximum statistic when creating alarms to ensure you capture the most recent metric value.

  • Configure proper alarm actions: Set up notifications to alert the appropriate team members who can renew certificates.

  • Test your alerts: Regularly test your notification system to ensure alerts are delivered properly.

  • Document your process: Maintain documentation about your certificate renewal process and who is responsible for different certificates.

Example alarm configurations

Here are some example alarm configurations for different notification scenarios:

30-day expiration warning

Create an alarm that triggers when a certificate has 30 days or fewer until expiration:

  • Metric: DaysUntilExpiry

  • Statistic: Maximum

  • Period: 1 day

  • Threshold: 30

  • Comparison: Less than or equal to threshold

  • Missing data treatment: Treat missing data as good (not breaching)

Critical 7-day expiration warning

Create a critical alarm that triggers when a certificate has 7 days or fewer until expiration:

  • Metric: DaysUntilExpiry

  • Statistic: Maximum

  • Period: 1 day

  • Threshold: 7

  • Comparison: Less than or equal to threshold

  • Missing data treatment: Treat missing data as good (not breaching)
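
The alarm settings above, extended to the 30-, 14- and 7-day tiers from the best practices and built as put_metric_alarm parameters for boto3. This is an added example, not code from the AWS documentation; the alarm naming, the sample certificate IDs and the SNS topic ARN passed in are assumptions. The dimension set is copied from list_metrics because a CloudWatch alarm only receives data when its dimensions match the published metric exactly.

```python
NAMESPACE, METRIC = "AWS/Transfer", "DaysUntilExpiry"
THRESHOLDS = (30, 14, 7)  # days, from the best-practice list above

# Constructed sample shaped like a CloudWatch list_metrics response.
SAMPLE_METRICS = {"Metrics": [
    {"Namespace": NAMESPACE, "MetricName": METRIC, "Dimensions": [
        {"Name": "CertificateId", "Value": "cert-EXAMPLE0000000001"}]},
    {"Namespace": NAMESPACE, "MetricName": METRIC, "Dimensions": [
        {"Name": "CertificateId", "Value": "cert-EXAMPLE0000000002"},
        {"Name": "Description", "Value": "partner-signing"}]},
]}

def build_alarms(list_metrics_response, topic_arn, thresholds=THRESHOLDS):
    """Return put_metric_alarm kwargs, one per (certificate, threshold)."""
    alarms = []
    for metric in list_metrics_response.get("Metrics", []):
        dims = metric["Dimensions"]
        cert_id = next((d["Value"] for d in dims if d["Name"] == "CertificateId"), None)
        if cert_id is None:
            continue  # not a per-certificate series; nothing to alarm on
        for days in sorted(thresholds, reverse=True):
            alarms.append({
                "AlarmName": f"transfer-{cert_id}-expires-in-{days}d",  # hypothetical naming
                "AlarmDescription": f"AS2 certificate {cert_id} has {days} days or fewer left",
                "Namespace": NAMESPACE,
                "MetricName": METRIC,
                # Reuse the dimensions exactly as published (Description is
                # only present if it was supplied at certificate import).
                "Dimensions": dims,
                "Statistic": "Maximum",
                "Period": 86400,  # 1 day, matching the daily publish frequency
                "EvaluationPeriods": 1,
                "Threshold": float(days),
                "ComparisonOperator": "LessThanOrEqualToThreshold",
                "TreatMissingData": "notBreaching",  # "treat missing data as good"
                "AlarmActions": [topic_arn],
            })
    return alarms

def apply_alarms(topic_arn):
    """Create or update the alarms in the current account and Region."""
    import boto3  # imported here so build_alarms stays usable offline
    cw = boto3.client("cloudwatch")
    pages = cw.get_paginator("list_metrics").paginate(Namespace=NAMESPACE, MetricName=METRIC)
    found = {"Metrics": [m for page in pages for m in page["Metrics"]]}
    for kwargs in build_alarms(found, topic_arn):
        cw.put_metric_alarm(**kwargs)
```

Call `build_alarms(SAMPLE_METRICS, topic_arn)` to inspect the parameters offline, or `apply_alarms(topic_arn)` with credentials that allow `cloudwatch:ListMetrics` and `cloudwatch:PutMetricAlarm`.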