Find expiring Certs in the Local Computer Store (Windows)
At one job, we had Certificates that were deployed in the Local Computer store and we were annoyed by them expiring without notice. Following is a solution using the AWS SSM Service:
def lambda_handler(event, context):
import collections
from collections import defaultdict
import os
import boto3
import time
import datetime
from datetime import timedelta
from datetime import datetime
# Connect to EC2
ec2 = boto3.resource('ec2')
ssm=boto3.client('ssm')
sns = boto3.client('sns')
todaysdate=datetime.now()
#Get Environment Variables
thresholdDaysString = os.environ['ExpiryThresholdDays']
notificationARN=os.environ['NotificationARN']
environment=os.environ['Environment']
clientname=os.environ['ClientName']
#thresholdDays=30
#notificationARN="arn:aws:sns:ap-southeast-2:<Account_Number>:CertificateExpiry"
#environment="SIT2"
thresholdDays=int(thresholdDaysString)
in30days=todaysdate + timedelta(days=thresholdDays)
consoleBaseURL="https://ap-southeast-2.console.aws.amazon.com/ec2/v2/home?region=ap-southeast-2#ManagedInstances:InstanceIds="
# Get information for all running instances
filtered_instances = ec2.instances.filter(Filters=[{
'Name': 'tag:Environment',
'Values': [environment]}])
ec2info = defaultdict()
for instance in filtered_instances:
inventoryentries=ssm.list_inventory_entries(InstanceId=instance.id, TypeName='Custom:CertInventory')
certificates=inventoryentries["Entries"]
#print("Instance ID: ",instance.id)
#print("Certs: ",certificates)
for cert in certificates:
Expiry=cert["Expiry"]
expirydateobject = datetime.strptime(Expiry, "%m/%d/%Y")
Subject=cert["Subject"]
Thumbprint=cert["Thumbprint"]
#print("Expiry: ",Expiry)
if (expirydateobject > todaysdate and expirydateobject < in30days):
for tag in instance.tags:
if (tag['Key']== 'Name'):
name = tag['Value']
#print("Instance: ",instance.id)
alerthyperlink=consoleBaseURL + instance.id
#print("Name: ",name)
#print("Certificate is expiring within next 30 days")
#print("Subject: ",Subject)
message="A "+clientname +" certificate expiring within " + thresholdDaysString + " days has been found on the below EC2 instance \n" +instance.id +"("+ name +"). \n\nCertificate Details:\nThumbprint: " +Thumbprint +"\nSubject: " +Subject +"\nEXPIRES: "+Expiry +"\n\nClick here for more details: " +alerthyperlink
print(message)
client = boto3.client('sns')
msgsubject=clientname+" - Certificate Expiry Alert"
response = client.publish(
TargetArn=notificationARN,
Message=message,
Subject=msgsubject
)
print("Done")
Certificate Inventory SSM Doc:
{
"schemaVersion": "1.2",
"description": "Inventory Personal Store Certificates into JSON for SSM.",
"runtimeConfig": {
"aws:runPowerShellScript": {
"properties": [
{
"id": "0.aws:runPowerShellScript",
"timeoutSeconds": 7200,
"runCommand": [
"$instanceid=Invoke-RestMethod -Method Get -Uri http://169.254.169.254/latest/meta-data/instance-id",
"$customInventoryPath=\"C:\\ProgramData\\Amazon\\SSM\\InstanceData\\\"+$instanceid+\"\\inventory\\custom\\certs.json\"",
"Set-Location Cert:\\LocalMachine\\my",
"$certs=get-childitem | select Subject,FriendlyName,NotBefore,NotAfter,Thumbprint,HasPrivateKey",
"$certlist=get-childitem | select Thumbprint,@{Name='Expiry';Expression={$_.NotAfter.ToShortDateString()}},Subject,FriendlyName,@{Name='Start';Expression={$_.NotBefore.ToShortDateString()}},@{Name='HasPrivateKey';Expression={[string]$_.HasPrivateKey}}|convertto-JSON",
"$certJSONprefix='{\"SchemaVersion\": \"1.0\",\"TypeName\": \"Custom:CertInventory\",\"Content\": '",
"$certJSONsuffix='}'",
"$certJSONOut=$certJSONprefix +$certlist +$certJSONsuffix|Set-Content $customInventoryPath -Force"
]
}
]
}
}
}