AWS Security, Identity & Compliance – Certificate Manager


Certificate Manager

  • Handles the complexity of creating and managing SSL/TLS certificates for your AWS-based websites and applications.
  • You can use either certificates provided by ACM (ACM Certificates) or certificates that you import into ACM.

Concepts

  • Certificate Authority
  • Domain Name System
  • Domain Name
  • Encryption and decryption
  • Public key infrastructure
  • Root certificate
  • Secure sockets layer
  • Secure HTTPS
  • SSL server certificates
  • Symmetric key cryptography
  • Trust

ACM Certificate Characteristics

  • Domain Validation (DV)
  • Validity Period
  • Managed Renewal and Deployment
  • Browser and Application Trust
  • Multiple domain names
  • Wildcard names
  • Algorithms

Services Integrated with AWS Certificate Manager

  • Elastic Load Balancing
  • Amazon CloudFront
  • AWS Elastic Beanstalk
  • Amazon API Gateway
  • AWS CloudFormation

Importing Certificates into AWS Certificate Manager

  • In addition to requesting SSL/TLS certificates provided by AWS Certificate Manager (ACM), you can import certificates that you obtained outside of AWS.
  • You might do this because you already obtained a certificate from a third-party issuer, or because the certificates provided by ACM do not meet your requirements.

Tagging AWS Certificate Manager Certificates

  • A tag is a label that you can assign to an ACM Certificate.
  • You can create custom tags that suit your needs.
  • Tag Restrictions

○The maximum number of tags per ACM Certificate is 50.

○The maximum length of a tag key is 127 characters.

○The maximum length of a tag value is 255 characters.

○Tag keys and values are case sensitive.

Authentication

  • Access to ACM requires credentials that AWS can use to authenticate your requests.
  • You can access AWS as any of the following types of identities:

○AWS account root user

○IAM user

○IAM role

Access Control

  • You can have valid credentials to authenticate your requests, but unless you also have permissions, you cannot create or access ACM resources.
  • Every AWS resource belongs to an AWS account, and permissions to create or access the resources are defined in permissions policies in that account.
  • In ACM, the primary resource is a certificate. Certificates have unique Amazon Resource Names (ARNs) associated with them.
  • IAM offers the following types of identity-based policies:

○AWS-managed policies

■Policies that are created and managed by AWS.

■These are standalone policies that you can attach to multiple users, groups, and roles in your AWS account.

○Customer-managed policies

■Policies that you create and manage in your AWS account and which you can attach to multiple users, groups, and roles.

○Inline policies

■Policies that you create and manage and which you embed directly into a single user, group, or role.
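As an added example (not part of the original notes), the permission model described above reduced to a small Python evaluator: a customer-managed Allow policy plus an inline Deny guardrail, evaluated with IAM's explicit-deny-over-allow rule against ACM certificate ARNs. The account ID, certificate IDs and both policy documents are constructed placeholders, and Condition and Principal elements are not modelled.

```python
"""Simplified IAM identity-based policy evaluation for ACM certificate ARNs.
Constructed example: account and certificate IDs are placeholders, and
Condition and Principal elements are not modelled."""
from fnmatch import fnmatchcase

# Constructed sample ARNs (placeholder account ID and certificate IDs).
PROD_CERT = "arn:aws:acm:us-east-1:111122223333:certificate/aaaaaaaa-0000-0000-0000-000000000001"
TEST_CERT = "arn:aws:acm:us-east-1:111122223333:certificate/bbbbbbbb-0000-0000-0000-000000000002"

# Customer-managed policy: read and request certificates anywhere,
# but only delete the test certificate (resource-level permission by ARN).
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["acm:ListCertificates", "acm:DescribeCertificate",
                    "acm:RequestCertificate"]},
        {"Effect": "Allow", "Action": "acm:DeleteCertificate", "Resource": TEST_CERT},
    ],
}

# Inline policy on the same role: an explicit Deny guarding the production
# certificate, which wins over any Allow in the other attached policies.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "acm:DeleteCertificate", "Resource": PROD_CERT},
    ],
}

ROLE_POLICIES = [OPERATOR_POLICY, GUARDRAIL_POLICY]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action, resource):
    """True when the statement's Action and Resource patterns both cover the request."""
    act_ok = any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))
    res_ok = any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
    return act_ok and res_ok

def is_allowed(policies, action, resource):
    """IAM evaluation order: explicit Deny wins, then any Allow, else implicit deny."""
    statements = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in statements)
```

Because IAM is default-deny, an action that no attached policy mentions (for example `acm:ImportCertificate` here) is refused even though nothing explicitly denies it.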

ACM Private Key Security

  • When you request a certificate, AWS Certificate Manager (ACM) generates a public/private key pair.
  • The process works like this:

○Creation of an AWS-managed customer master key (CMK) in AWS KMS with the alias aws/acm.

○Encryption of the certificate's private key using the CMK.

○Sending of the certificate and the encrypted private key to the load balancer or distribution.

○Decryption of the private key by the load balancer or distribution.

○Disassociation of the certificate from the load balancer or distribution.
