- Handles the complexity of creating and managing SSL/TLS certificates for your AWS-based websites and applications.
- You use certificates provided by ACM (ACM Certificates) or certificates that you import into ACM.
- Certificate Authority
- Domain Name System
- Domain Name
- Encryption and decryption
- Public key infrastructure
- Root certificate
- Secure sockets layer
- Secure HTTPS
- SSL server certificates
- Symmetric key cryptography
ACM Certificate Characteristics
- Domain Validation (DV)
- Validity Period
- Managed Renewal and Deployment
- Browser and Application Trust
- Multiple domain names
- Wildcard names
Services Integrated with AWS Certificate Manager
- Elastic Load Balancing
- Amazon CloudFront
- AWS Elastic Beanstalk
- Amazon API Gateway
- AWS CloudFormation
Importing Certificates into AWS Certificate Manager
- In addition to requesting SSL/TLS certificates provided by AWS Certificate Manager (ACM), you can import certificates that you obtained outside of AWS.
- You might do this because you already obtained a certificate from a third-party issuer, or because the certificates provided by ACM do not meet your requirements.
Tagging AWS Certificate Manager Certificates
- A tag is a label that you can assign to an ACM Certificate.
- You can create custom tags that suit your needs.
- Tag Restrictions
○ The maximum number of tags per ACM Certificate is 50.
○ The maximum length of a tag key is 127 characters.
○ The maximum length of a tag value is 255 characters.
○ Tag keys and values are case sensitive.
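As an added example (not part of the original notes), a small pre-flight check in Python that enforces the tag restrictions above locally before any ACM API call is made; the function names are my own, and the Tags shape produced at the end is the one boto3's add_tags_to_certificate and import_certificate calls accept.

```python
"""Pre-flight validation of tags for an ACM certificate.

Enforces the restrictions listed above (50 tags, 127-character key,
255-character value, case-sensitive keys) so a bad tag set fails here
instead of in a rejected or partially applied API request.
"""

MAX_TAGS = 50
MAX_KEY_LEN = 127
MAX_VALUE_LEN = 255


def validate_acm_tags(tags):
    """Return a list of problems with `tags`, a list of (key, value) pairs.

    An empty list means the tag set satisfies the ACM restrictions.
    Keys are compared case-sensitively, so "Env" and "env" are two
    distinct tags (both count toward the limit); only exact duplicate
    keys are reported.
    """
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS}")
    seen = set()
    for key, value in tags:
        if not key:  # the ACM API also rejects an empty key
            problems.append("empty tag key")
        elif len(key) > MAX_KEY_LEN:
            problems.append(f"key {key[:16]!r}... is longer than {MAX_KEY_LEN}")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value for {key!r} is longer than {MAX_VALUE_LEN}")
        if key in seen:
            problems.append(f"duplicate key {key!r}")
        seen.add(key)
    return problems


def to_acm_tag_list(tags):
    """Convert (key, value) pairs into the Tags parameter shape used by
    the AddTagsToCertificate and ImportCertificate API calls."""
    return [{"Key": k, "Value": v} for k, v in tags]
```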
- Access to ACM requires credentials that AWS can use to authenticate your requests.
- You can access AWS as any of the following types of identities:
○ AWS account root user
- You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access ACM resources.
- Every AWS resource belongs to an AWS account, and permissions to create or access the resources are defined in permissions policies in that account.
- In ACM, the primary resource is a certificate. Certificates have unique Amazon Resource Names (ARNs) associated with them.
- IAM offers the following types of identity-based policies:
○ AWS-managed policies
■ Policies that are created and managed by AWS.
■ These are standalone policies that you can attach to multiple users, groups, and roles in your AWS account.
○ Customer-managed policies
■ Policies that you create and manage in your AWS account and which you can attach to multiple users, groups, and roles.
○ Inline policies
■ Policies that you create and manage and which you embed directly into a single user, group, or role.
ACM Private Key Security
- When you request a certificate, AWS Certificate Manager (ACM) generates a public/private key pair.
- The process works like this:
○ Creation of an AWS-managed customer master key (CMK) in AWS KMS with the alias aws/acm.
○ Encryption of the certificate's private key using that CMK.
○ Sending of the certificate and the encrypted private key to the load balancer or distribution.
○ Decryption of the private key by the load balancer or distribution.
○ Disassociation of the certificate from the load balancer or distribution.