Compliance Medium severity

AWS Security Hub · ELB

ELB.2: CLB SSL/HTTPS listeners should use ACM certs

Written and reviewed by Emnode

What does AWS Security Hub ELB.2 check?

ELB.2 fails when a Classic Load Balancer with an SSL or HTTPS listener uses a certificate that was uploaded to IAM rather than issued or imported through AWS Certificate Manager. The control inspects the source of each listener's server certificate.

Why does ELB.2 matter?

An IAM-uploaded certificate has to be renewed and re-uploaded by hand before it expires — the classic cause of a surprise outage when a cert lapses over a weekend. ACM-managed certificates renew automatically and are issued free, removing the manual step that leads to expiry incidents and the temptation to skip rotation.

How do I fix ELB.2?

  1. List CLBs and inspect each HTTPS/SSL listener's SSLCertificateId to spot IAM ARNs (arn:aws:iam) versus ACM ARNs.
  2. Request or import the certificate in ACM, in the same region as the load balancer.
  3. Move the listener onto the ACM certificate with set-load-balancer-listener-ssl-certificate; this swaps cleanly without dropping connections.
  4. Note that ACM only auto-renews AWS-issued certificates that are actually in use, and imported certs still need manual renewal.

Remediation script · bash

# Request an AWS-issued, DNS-validated cert in the load balancer's region (skip if one exists).
# Complete the DNS validation (create the CNAME ACM gives you) before the cert can reach ISSUED.
aws acm request-certificate \
  --domain-name api.example.com \
  --validation-method DNS \
  --region us-east-1

# After the cert reaches ISSUED, re-point the CLB's HTTPS listener to it.
# Replace the example ARN with the CertificateArn returned by request-certificate.
aws elb set-load-balancer-listener-ssl-certificate \
  --load-balancer-name legacy-api-clb \
  --load-balancer-port 443 \
  --ssl-certificate-id arn:aws:acm:us-east-1:111122223333:certificate/9f1c2d34-5678-90ab-cdef-EXAMPLE11111 \
  --region us-east-1

# Verify the listener now serves the ACM ARN (an arn:aws:acm:... value, not arn:aws:iam::...).
aws elb describe-load-balancers --load-balancer-names legacy-api-clb \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[0].ListenerDescriptions[].Listener.SSLCertificateId'
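To carry out step 1 of the fix across every CLB in a region rather than one listener at a time, here is an added Python check (not part of the Emnode lesson or the AWS CLI) that reads the JSON from `aws elb describe-load-balancers` and classifies each HTTPS/SSL listener's certificate by the service field of its ARN; the function names and the embedded sample output are constructed for this example.

```python
#!/usr/bin/env python3
"""ELB.2 check: flag CLB HTTPS/SSL listeners whose certificate is IAM-uploaded, not ACM.

Reads `aws elb describe-load-balancers` JSON from stdin; falls back to the constructed sample.
"""
import json
import sys

# Constructed sample shaped like `aws elb describe-load-balancers` output (not real account data).
SAMPLE = {"LoadBalancerDescriptions": [
    {"LoadBalancerName": "legacy-api-clb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "SSLCertificateId": "arn:aws:iam::111122223333:server-certificate/legacy-api-2023"}},
        {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80}}]},
    {"LoadBalancerName": "payments-clb", "ListenerDescriptions": [
        {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443,
                      "SSLCertificateId": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-0000"}}]},
]}


def cert_source(arn):
    """Return 'iam', 'acm' or 'unknown' from the service field of a certificate ARN.

    Splitting on ':' keeps this partition-agnostic (arn:aws, arn:aws-us-gov, arn:aws-cn).
    """
    parts = (arn or "").split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[2] not in ("iam", "acm"):
        return "unknown"
    return parts[2]


def elb2_findings(describe_output):
    """One dict per TLS-terminating listener; 'fails' is True unless the cert comes from ACM."""
    findings = []
    for lb in describe_output.get("LoadBalancerDescriptions", []):
        for desc in lb.get("ListenerDescriptions", []):
            listener = desc["Listener"]
            if listener.get("Protocol") not in ("HTTPS", "SSL"):
                continue  # plain HTTP/TCP listeners carry no server certificate
            source = cert_source(listener.get("SSLCertificateId"))
            findings.append({"lb": lb["LoadBalancerName"], "port": listener["LoadBalancerPort"],
                             "cert": listener.get("SSLCertificateId"), "source": source,
                             "fails": source != "acm"})
    return findings


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in elb2_findings(data):
        print(("FAIL" if f["fails"] else "PASS"), f"{f['lb']}:{f['port']}", f["source"], f["cert"])
```

Run it as `aws elb describe-load-balancers --region us-east-1 | python3 check_elb2.py`; an HTTPS or SSL listener with no certificate at all is also reported as failing, since only an ACM-sourced ARN satisfies the control.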

Full walkthrough (console steps, edge cases and verification) in the lesson Use ACM certificates on Classic Load Balancers.
