
AWS Certificate Manager

AWS Certificate Manager (ACM) is a managed service for provisioning, managing, and deploying public and private SSL/TLS certificates for use with AWS services and AWS-hosted websites and applications. ACM certificates can be deployed on Elastic Load Balancing (ELB) load balancers, CloudFront distributions, Elastic Beanstalk environments, and APIs hosted on Amazon API Gateway, and ACM renews the certificates it deploys to these integrated services automatically. There is no additional charge for public or private certificates that ACM provisions for use with integrated AWS services. Organizations do pay a fee for creating and operating a private certificate authority (CA), and a per-certificate fee for private certificates issued by that CA for resources that ACM does not manage directly, such as internally hosted application servers or appliances.

ACM can generate the following certificate types (see Figure 5-18):

  • Public certificates: Traffic on ELB port 443, CloudFront distributions, and public-facing APIs hosted by Amazon API Gateway all use public certificates. Use AWS Certificate Manager to request a public certificate for the domain names your site uses. Before issuing the certificate, ACM validates that you own or control each domain name in the request. The validation options are DNS validation, in which you publish a CNAME record that ACM provides (ACM can then renew the certificate automatically for as long as the record stays in place), and email validation, in which an approval email is sent to the domain's registered contact addresses.

  • Private certificates: Private certificates are issued by a private CA hosted in AWS and managed through AWS Certificate Manager, which can automatically renew and deploy them to private-facing Amazon ELB load balancers and Amazon API Gateway deployments. Private certificates can also secure Amazon EC2 instances, Amazon ECS containers, and IoT devices; certificates exported to those resources must be installed and renewed by you.

  • Imported certificates: Third-party certificates can be imported into AWS Certificate Manager. ACM does not renew imported certificates, so they must be re-imported before they expire.

  • CA certificates: ACM can issue CA certificates for building a private CA hierarchy up to five levels deep: a root CA, up to three levels of subordinate CAs, and a single issuing CA.

Figure 5-18 Certificate Choices in AWS Certificate Manager
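The DNS validation step described above is where public certificate requests usually stall: ACM returns one CNAME record per domain name on the certificate, and the request stays in PENDING_VALIDATION until every record is published. The following Python example, added here and not part of the book, turns a describe-certificate response into the Route 53 change that publishes those records and reports which names are still unvalidated. SAMPLE_DESCRIBE is a constructed stand-in for the output of `aws acm describe-certificate`; its ARN, domain names and record values are made up. It also handles one detail a practitioner hits in practice: an apex name and its wildcard (example.com and *.example.com) receive the identical validation record, and Route 53 rejects a change batch that upserts the same record set twice, so the records are de-duplicated before the batch is built.

```python
import json

# Constructed stand-in for the JSON that `aws acm describe-certificate
# --certificate-arn <arn>` (or boto3's acm.describe_certificate) returns for a
# DNS-validated request. The ARN, domain names and record values are made up.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_3a1f2c4d5e6f.example.com.",
                    "Type": "CNAME",
                    "Value": "_7b8c9d0e1f2a.acm-validations.aws.",
                },
            },
            {   # The wildcard shares the apex name's validation record.
                "DomainName": "*.example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_3a1f2c4d5e6f.example.com.",
                    "Type": "CNAME",
                    "Value": "_7b8c9d0e1f2a.acm-validations.aws.",
                },
            },
            {   # A subject alternative name that ACM has already validated.
                "DomainName": "api.example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "_9c8b7a6f5e4d.api.example.com.",
                    "Type": "CNAME",
                    "Value": "_1a2b3c4d5e6f.acm-validations.aws.",
                },
            },
        ],
    }
}


def validation_records(describe_output):
    """Return the unique CNAME records ACM wants published.

    ACM hands out one ResourceRecord per name on the certificate, but a base
    domain and its wildcard get the identical record. Route 53 rejects a
    ChangeBatch that UPSERTs the same name/type twice, so de-duplicate first.
    Email-validated names carry no ResourceRecord and are skipped.
    """
    unique = {}
    for option in describe_output["Certificate"]["DomainValidationOptions"]:
        if option.get("ValidationMethod") != "DNS":
            continue
        rr = option["ResourceRecord"]
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        unique.setdefault(key, {"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return list(unique.values())


def route53_change_batch(records, ttl=300):
    """Build the --change-batch document for `aws route53 change-resource-record-sets`."""
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": r["Name"],
                    "Type": r["Type"],
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": r["Value"]}],
                },
            }
            for r in records
        ],
    }


def pending_domains(describe_output):
    """Names whose ValidationStatus is not SUCCESS; an empty list means ACM can issue."""
    return [
        option["DomainName"]
        for option in describe_output["Certificate"]["DomainValidationOptions"]
        if option.get("ValidationStatus") != "SUCCESS"
    ]


if __name__ == "__main__":
    records = validation_records(SAMPLE_DESCRIBE)
    print(json.dumps(route53_change_batch(records), indent=2))
    print("still pending:", pending_domains(SAMPLE_DESCRIBE))
```

Pipe the printed change batch into `aws route53 change-resource-record-sets --hosted-zone-id <zone> --change-batch file://batch.json` for the hosted zone that serves the domain, then poll describe-certificate until pending_domains returns an empty list. Leave the CNAME records in place afterwards; ACM reuses them when it renews the certificate.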

Encryption in Transit

AWS API endpoints communicate over HTTPS, providing encryption in transit for every call to an AWS API. AWS service endpoints support TLS version 1.2 and later, and clients should be configured to negotiate nothing older. Some AWS services also offer, in some regions, endpoints that comply with Federal Information Processing Standard (FIPS) 140-2. Each endpoint is the URL of the entry point for an AWS service. The AWS SDKs and the AWS Command Line Interface (AWS CLI) automatically use the default endpoint for each service in each AWS Region, but an alternative endpoint, such as a FIPS endpoint, can be specified for API requests. Most AWS services have regional endpoints that can be used to make requests. The format of a regional endpoint is protocol://service-code.region-code.amazonaws.com, for example https://kms.us-east-1.amazonaws.com; FIPS endpoints follow the same pattern with -fips appended to the service code. AWS endpoints are listed at https://docs.aws.amazon.com/general/latest/gr/aws-service-information.html.

Global endpoints are used for global services and services located in edge locations. The global AWS services are

  • Amazon CloudFront

  • AWS Global Accelerator

  • AWS Identity and Access Management (IAM)

  • AWS Organizations

  • Amazon Route 53

  • AWS Shield Advanced

  • AWS WAF Classic
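Because the SDKs and CLI accept an operator-supplied endpoint, tooling that wraps them should check that the override is actually an HTTPS endpoint in the regional or global form described above before honouring it. The following Python example, added here and not part of the book, parses an endpoint URL into its service code, region, FIPS flag and partition, and builds the regional or FIPS endpoint URL for a service from those parts. The parser accepts only the `service-code[-fips].region-code.amazonaws.com` and `service-code.amazonaws.com` host forms (plus the `.amazonaws.com.cn` suffix of the China partition); treating every other host, and any non-HTTPS scheme, as an error is an assumption made so the function can gate an untrusted `--endpoint-url`.

```python
import re
from urllib.parse import urlsplit

# Regional endpoint host: service-code[-fips].region-code.amazonaws.com[.cn]
# Region codes look like us-east-1, eu-central-1, us-gov-west-1, cn-north-1.
_REGIONAL_HOST = re.compile(
    r"^(?P<service>[a-z0-9][a-z0-9.-]*?)(?P<fips>-fips)?"
    r"\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+)"
    r"\.amazonaws\.com(?P<cn>\.cn)?$"
)
# Global endpoint host: service-code[-fips].amazonaws.com (IAM, Route 53, CloudFront, ...)
_GLOBAL_HOST = re.compile(r"^(?P<service>[a-z0-9-]+?)(?P<fips>-fips)?\.amazonaws\.com$")


def parse_aws_endpoint(url):
    """Split an AWS service endpoint URL into service, region, fips and partition.

    Raises ValueError for a non-https scheme or a host outside the two
    documented endpoint forms, so the result can be trusted as an allowlist
    decision rather than a best-effort guess.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"endpoint must use https, got {parts.scheme!r}: {url}")
    host = (parts.hostname or "").lower()

    m = _REGIONAL_HOST.match(host)
    if m:
        region = m.group("region")
        if m.group("cn"):
            partition = "aws-cn"
        elif region.startswith("us-gov-"):
            partition = "aws-us-gov"
        else:
            partition = "aws"
        return {
            "service": m.group("service"),
            "region": region,
            "fips": bool(m.group("fips")),
            "global": False,
            "partition": partition,
        }

    m = _GLOBAL_HOST.match(host)
    if m:
        return {
            "service": m.group("service"),
            "region": None,
            "fips": bool(m.group("fips")),
            "global": True,
            "partition": "aws",
        }

    raise ValueError(f"not a recognised AWS service endpoint host: {host!r}")


def endpoint_url(service, region=None, fips=False):
    """Build https://service-code[-fips][.region-code].amazonaws.com[.cn]."""
    host = service + ("-fips" if fips else "")
    suffix = "amazonaws.com"
    if region:
        host += "." + region
        if region.startswith("cn-"):
            suffix = "amazonaws.com.cn"
    return f"https://{host}.{suffix}"


if __name__ == "__main__":
    for candidate in (
        "https://kms-fips.us-east-1.amazonaws.com",
        "https://iam.amazonaws.com",
        "http://kms.us-east-1.amazonaws.com",          # plaintext: rejected
        "https://kms.us-east-1.amazonaws.com.evil.example",  # look-alike: rejected
    ):
        try:
            print(candidate, "->", parse_aws_endpoint(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
    print(endpoint_url("kms", "us-east-1", fips=True))
```

With the CLI, the override is passed as `aws kms list-keys --endpoint-url https://kms-fips.us-east-1.amazonaws.com`; for FIPS specifically, the AWS CLI and SDKs can also be told to prefer FIPS endpoints everywhere with the `AWS_USE_FIPS_ENDPOINT=true` environment variable rather than a per-command override.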

Plaintext HTTP endpoints for domains and workloads hosted at AWS can be blocked at the network layer with security groups and network ACLs that admit only TCP port 443, and HTTP requests that do arrive can be automatically redirected to HTTPS by Amazon CloudFront (a cache behavior's viewer protocol policy set to redirect HTTP to HTTPS) or by an Application Load Balancer (a port 80 listener whose default action is a redirect to the HTTPS listener on port 443).
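Both redirect mechanisms are easy to misconfigure over time (a second listener added for a legacy service, a cache behavior left on allow-all), so the setting is worth auditing rather than assuming. The following Python example, added here and not part of the book, checks constructed listener and distribution descriptions shaped like the output of `aws elbv2 describe-listeners` and `aws cloudfront get-distribution`: every HTTP listener must redirect to HTTPS, every HTTPS listener must carry a certificate and a TLS 1.2-or-better policy, and every CloudFront cache behavior must redirect or refuse plain HTTP. The ARNs and IDs in the samples are made up, and the name-based test for a modern ELB security policy is a heuristic of this example (confirm policies with `aws elbv2 describe-ssl-policies`).

```python
import re

# Constructed sample shaped like `aws elbv2 describe-listeners` output for one
# Application Load Balancer; ARNs are made up. The 8080 listener is the finding.
SAMPLE_LISTENERS = [
    {
        "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/0123456789abcdef/80",
        "Port": 80,
        "Protocol": "HTTP",
        "DefaultActions": [
            {"Type": "redirect",
             "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
        ],
    },
    {
        "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/0123456789abcdef/443",
        "Port": 443,
        "Protocol": "HTTPS",
        "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
        "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555"}],
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/abcdef0123456789"}],
    },
    {   # Plaintext pass-through added for a "legacy" client: should be flagged.
        "ListenerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/web/0123456789abcdef/8080",
        "Port": 8080,
        "Protocol": "HTTP",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/abcdef0123456789"}],
    },
]

# Constructed sample shaped like the Distribution object from
# `aws cloudfront get-distribution`; the /legacy/* behavior is the finding.
SAMPLE_DISTRIBUTION = {
    "Id": "E1EXAMPLE0ABCD",
    "DistributionConfig": {
        "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
        "CacheBehaviors": {
            "Quantity": 1,
            "Items": [{"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "allow-all"}],
        },
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021",
        },
    },
}

# Heuristic (this example's assumption): predefined ELB policies whose names
# carry these tokens negotiate TLS 1.2 or 1.3 only; older names such as
# ELBSecurityPolicy-2016-08 still accept TLS 1.0.
_MODERN_ELB_POLICY = re.compile(r"(TLS13|TLS-1-2|FS-1-2)")


def audit_listeners(listeners):
    """Return human-readable findings for listeners that expose or weaken TLS."""
    findings = []
    for lst in listeners:
        ident = f"listener {lst['Port']}/{lst['Protocol']}"
        if lst["Protocol"] == "HTTP":
            redirects = any(
                a.get("Type") == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                for a in lst.get("DefaultActions", [])
            )
            if not redirects:
                findings.append(f"{ident}: plaintext HTTP served without redirect to HTTPS")
        elif lst["Protocol"] == "HTTPS":
            if not lst.get("Certificates"):
                findings.append(f"{ident}: no certificate attached")
            policy = lst.get("SslPolicy", "")
            if not _MODERN_ELB_POLICY.search(policy):
                findings.append(f"{ident}: SSL policy {policy!r} may allow TLS older than 1.2")
    return findings


def audit_distribution(distribution):
    """Return findings for CloudFront cache behaviors that accept plaintext HTTP."""
    cfg = distribution["DistributionConfig"]
    findings = []
    behaviors = [("default", cfg["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b) for b in cfg.get("CacheBehaviors", {}).get("Items", [])]
    for name, behavior in behaviors:
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(
                f"cloudfront {distribution['Id']} behavior {name}: ViewerProtocolPolicy allow-all permits plaintext HTTP"
            )
    minimum = cfg.get("ViewerCertificate", {}).get("MinimumProtocolVersion", "")
    if not minimum.startswith(("TLSv1.2", "TLSv1.3")):
        findings.append(f"cloudfront {distribution['Id']}: MinimumProtocolVersion {minimum!r} allows TLS older than 1.2")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS) + audit_distribution(SAMPLE_DISTRIBUTION):
        print("FINDING:", finding)
```

In practice the two sample objects are replaced by the JSON from `aws elbv2 describe-listeners --load-balancer-arn <arn>` and `aws cloudfront get-distribution --id <id>`; the network-layer half of the control (security groups and network ACLs admitting only port 443) is checked separately, because a listener that exists but is unreachable is still a misconfiguration waiting for a rule change.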
