AWS Certificate Manager

Welcome to issue #5 of the "AWS services shorts". In each issue I present an AWS service, explore its strengths and weaknesses, look at some use cases, and finally list the most common mistakes people make with it.

Today's issue is about AWS Certificate Manager!


If you prefer, you can listen to the podcast or watch the video on YouTube!


Introduction

AWS Certificate Manager (ACM) simplifies provisioning, managing, and deploying SSL/TLS certificates for use with AWS services.

Main Purpose

AWS Certificate Manager was designed to ease the process of managing SSL/TLS certificates for applications running on AWS. Before ACM, managing certificates was labor-intensive and error-prone: generating keys and CSRs by hand, tracking expiry dates, renewing and redeploying on time, and dealing with different certificate authorities.

Docs home: https://docs.aws.amazon.com/acm/
Features: https://aws.amazon.com/certificate-manager/features
FAQs: https://aws.amazon.com/certificate-manager/faqs 


Strengths

Automated Renewals 

ACM automatically renews the certificates it issued before they expire, as long as it can still validate the domain: for DNS-validated certificates the validation CNAME record must stay in place, and for email-validated certificates someone has to approve the renewal e-mail ACM sends. Imported certificates are never renewed by ACM; you have to re-import them yourself.
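Because renewal depends on those conditions, it is worth checking the whole account for certificates that will not renew by themselves. The following is an added example (not code from the original post, nor from AWS): it inspects the dicts returned by acm.describe_certificate() and reports imported certificates, email-validated ones, renewals that are stuck or failed, unused certificates, and anything close to expiry. The sample records, ARNs and the 30-day threshold are constructed for the example.

```python
# Added example: a renewal-health check over acm.describe_certificate() records.
# This is not code from the original post or from AWS; the certificate records
# below are constructed to look like the "Certificate" dict boto3 returns.
from datetime import datetime, timedelta, timezone

EXPIRY_WARNING_DAYS = 30  # assumed alerting threshold


def renewal_findings(cert: dict, now: datetime, warn_days: int = EXPIRY_WARNING_DAYS) -> list:
    """Return a list of findings for one DescribeCertificate record.

    An empty list means ACM can be expected to renew the certificate on its own.
    """
    findings = []
    arn = cert["CertificateArn"]

    # Imported certificates (RenewalEligibility INELIGIBLE) are never renewed by ACM.
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        findings.append(f"{arn}: not eligible for managed renewal (Type={cert.get('Type')})")

    # Email validation needs a human to approve the renewal e-mail ACM sends.
    if any(o.get("ValidationMethod") == "EMAIL" for o in cert.get("DomainValidationOptions", [])):
        findings.append(f"{arn}: email-validated, renewal needs manual approval")

    # A renewal attempt that is stuck or failed, typically because the validation
    # CNAME was removed from DNS or a CAA record now forbids Amazon.
    summary = cert.get("RenewalSummary", {})
    if summary.get("RenewalStatus") in ("PENDING_VALIDATION", "FAILED"):
        reason = summary.get("RenewalStatusReason", "no reason given")
        findings.append(f"{arn}: renewal {summary['RenewalStatus']} ({reason})")

    # Nothing references the certificate: it can lapse silently, so decide whether
    # it is still needed at all.
    if not cert.get("InUseBy"):
        findings.append(f"{arn}: not in use by any AWS resource")

    if "NotAfter" in cert:
        days_left = (cert["NotAfter"] - now).days
        if days_left <= warn_days:
            findings.append(f"{arn}: expires in {days_left} days")
    return findings


def scan_region(region: str) -> list:
    """Walk every certificate in one region (ACM is regional) and collect findings.

    Needs boto3 and AWS credentials; boto3 is imported lazily so the pure logic
    above runs without it.
    """
    import boto3

    acm = boto3.client("acm", region_name=region)
    now = datetime.now(timezone.utc)
    findings = []
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            cert = acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]
            findings.extend(renewal_findings(cert, now))
    return findings


# Constructed sample records (not real ARNs).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {  # healthy: DNS-validated, attached to an ALB, renewal pending normally
        "CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/aaaa-1",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": NOW + timedelta(days=200),
        "InUseBy": ["arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/app/web/1"],
        "DomainValidationOptions": [{"DomainName": "app.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS"}],
        "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"},
    },
    {  # renewal stuck: the validation CNAME was deleted after issuance
        "CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/aaaa-2",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "NotAfter": NOW + timedelta(days=45),
        "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/E1"],
        "DomainValidationOptions": [{"DomainName": "cdn.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS"}],
        "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION"},
    },
    {  # imported, unused, about to expire: three separate problems
        "CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/aaaa-3",
        "Type": "IMPORTED",
        "RenewalEligibility": "INELIGIBLE",
        "NotAfter": NOW + timedelta(days=10),
        "InUseBy": [],
        "DomainValidationOptions": [],
    },
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        for line in renewal_findings(cert, NOW):
            print(line)
```

Run scan_region("eu-west-1") from a scheduled job or a Lambda and ship the findings to your alerting channel; ACM also emits "ACM Certificate Approaching Expiration" events through EventBridge, but the check above catches the cases where renewal can never succeed, which an expiry event alone does not explain.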

Cost-Effectiveness  

With ACM, there is no additional charge for public SSL/TLS certificates; you pay only for the AWS resources (load balancers, CloudFront distributions, API Gateway stages) that use them. Compared with buying certificates from a commercial CA, that is a real saving, especially with many domains.

Deep Integration with AWS Services 

ACM is natively integrated with other AWS services such as Amazon CloudFront, Elastic Load Balancing, and API Gateway, allowing for straightforward deployment of SSL/TLS certificates.

Managed Security 

ACM generates and stores the private keys for the certificates it issues, encrypted with AWS KMS, and deploys them to the integrated services on your behalf. The keys are never exposed to you, so they cannot leak through a misconfigured server, a repository, or a developer laptop. (The one exception is the export of private certificates, covered under Weaknesses.)

Support for Private Certificates 

When used together with AWS Private Certificate Authority (AWS Private CA), it's possible to create and manage private SSL/TLS certificates for internal hosts, giving you a fully managed private CA without the overhead of setting up and protecting an in-house CA.


Weaknesses

Limited Scope 

Public certificates issued by ACM can only be attached to the AWS services that integrate with ACM (CloudFront, Elastic Load Balancing, API Gateway, and a few others). They can't be installed on EC2 instances, on-premises servers, or third-party services, because the private key never leaves ACM. (AWS has since added a paid option to export public certificates; check the current documentation if you need it.)

Only certificates issued by AWS Private CA (a paid service) can be exported, and the exported private key is encrypted with a passphrase you supply at export time.

No Multi-region Support 

ACM is a regional service: a certificate must be requested (or imported) separately in every region where it will be used, and there is no way to copy a certificate between regions.


Use Cases

Web Applications on AWS 

For web applications hosted on AWS, especially those using Amazon CloudFront or Elastic Load Balancing, ACM provides an easy way to attach SSL/TLS certificates to the application.

API Security 

For APIs hosted on Amazon API Gateway with a custom domain name, ACM supplies the certificate and API Gateway handles the TLS termination.

Internal Communications 

With AWS Private CA, companies can create certificates to secure communications between private/internal servers, applications, and devices.
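Those internal servers are exactly the case where a certificate has to leave ACM, which the Weaknesses section notes is possible only for Private CA-issued certificates. The following is an added example (not code from the original post, nor from AWS) of pulling such a certificate with acm.export_certificate() and writing it to disk without ever leaving the private key world-readable. The PEM strings in the sample response are constructed placeholders, and the output paths are assumptions.

```python
# Added example: exporting an AWS Private CA-issued certificate from ACM and
# storing the material safely. Not code from the original post or from AWS;
# the PEM strings in the sample response are constructed placeholders.
import os
import secrets
import stat
import tempfile
from pathlib import Path

PEM_FILES = {"Certificate": "cert.pem", "CertificateChain": "chain.pem", "PrivateKey": "key.pem"}


def write_export(export: dict, out_dir: str) -> dict:
    """Write the three PEM members of an ExportCertificate response to out_dir.

    key.pem is created with mode 0600 before any bytes are written, so there is no
    window in which the (passphrase-encrypted) key is world-readable. Returns a
    mapping of response field -> file path.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = {}
    for field, name in PEM_FILES.items():
        pem = export[field]
        if not pem.startswith("-----BEGIN "):
            raise ValueError(f"{field} does not look like PEM")
        path = out / name
        mode = 0o600 if field == "PrivateKey" else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        os.chmod(path, mode)  # the O_CREAT mode is ignored if the file already existed
        paths[field] = str(path)
    return paths


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def export_private_cert(cert_arn: str, out_dir: str, region: str) -> tuple:
    """Export a Private CA-issued certificate via ACM and write it to disk.

    Needs boto3 and credentials. The private key ACM returns is encrypted with
    the passphrase, which is generated here and returned so the caller can hand
    it to a secret store; it must not be written next to the key file.
    """
    import boto3

    passphrase = secrets.token_urlsafe(32).encode()
    acm = boto3.client("acm", region_name=region)
    export = acm.export_certificate(CertificateArn=cert_arn, Passphrase=passphrase)
    return write_export(export, out_dir), passphrase


# Constructed stand-in for an export_certificate() response.
SAMPLE_EXPORT = {
    "Certificate": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIB...constructed-chain...\n-----END CERTIFICATE-----\n",
    "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n",
}


def demo() -> dict:
    """Write the sample export into a fresh temporary directory and return the paths."""
    return write_export(SAMPLE_EXPORT, tempfile.mkdtemp(prefix="acm-export-"))


if __name__ == "__main__":
    for field, path in demo().items():
        print(f"{field}: {path} mode={oct(file_mode(path))}")
```

The passphrase is the only thing standing between a copied key.pem and a usable private key, so treat it like any other secret: put it in Secrets Manager or Parameter Store, and never pass it on a command line where it ends up in shell history and process listings. Remember, too, that an exported certificate is outside ACM's managed renewal; it expires like any other file on disk.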

Domain Validated Certificates 

Quickly provision domain-validated certificates for domains hosted in Amazon Route 53, where the ACM console can create the validation CNAME record in the hosted zone for you with one click.


Mistakes

Ignoring Regional Restrictions 

Not understanding that ACM is regional and trying to use a certificate in a region other than the one it was requested in. CloudFront is the usual trap: it is a global service, and any certificate attached to a distribution must be provisioned in US East (N. Virginia), us-east-1, regardless of where your origins run.
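The Route 53 use case above and the CloudFront region trap usually meet in the same automation script, so here is an added example (not code from the original post, nor from AWS) that requests a DNS-validated certificate in us-east-1 and publishes the validation CNAMEs in a Route 53 hosted zone. The assumed default region of us-east-1 is right only for CloudFront; for an ALB or API Gateway use that resource's region. The sample DescribeCertificate response is constructed, and it deliberately includes the apex and wildcard names, which ACM validates with one shared record; sending that record twice in one change batch makes Route 53 reject the whole batch, so the builder deduplicates.

```python
# Added example: building the Route 53 validation records for a DNS-validated
# ACM certificate. Not code from the original post or from AWS; the
# DescribeCertificate response below is constructed. The default region is
# us-east-1 on the assumption that the certificate is for CloudFront.
import time


def validation_change_batch(cert: dict) -> dict:
    """Turn the ResourceRecord entries of a DescribeCertificate response into a
    ChangeBatch for route53.change_resource_record_sets.

    example.com and *.example.com get the same validation CNAME, and Route 53
    rejects a batch that names one record twice, so records are deduplicated.
    """
    seen = set()
    changes = []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS":
            continue  # email-validated names have no DNS record to create
        rr = opt.get("ResourceRecord")
        if rr is None:
            continue  # ACM has not published the record yet; caller should poll
        key = (rr["Name"], rr["Type"], rr["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": f"ACM validation for {cert['DomainName']}", "Changes": changes}


def request_and_validate(domain: str, alt_names: list, hosted_zone_id: str, region: str = "us-east-1") -> str:
    """Request a DNS-validated certificate, publish its validation records in the
    given Route 53 zone and wait for issuance. Needs boto3 and credentials.

    region must be us-east-1 for a certificate that CloudFront will use; for an
    ALB or API Gateway it must be the region of that resource.
    """
    import boto3

    acm = boto3.client("acm", region_name=region)
    r53 = boto3.client("route53")
    kwargs = {"DomainName": domain, "ValidationMethod": "DNS"}
    if alt_names:
        kwargs["SubjectAlternativeNames"] = alt_names
    arn = acm.request_certificate(**kwargs)["CertificateArn"]

    # ACM fills in ResourceRecord a few seconds after the request; poll for it.
    batch = {"Changes": []}
    for _ in range(30):
        cert = acm.describe_certificate(CertificateArn=arn)["Certificate"]
        batch = validation_change_batch(cert)
        if batch["Changes"]:
            break
        time.sleep(2)
    if not batch["Changes"]:
        raise RuntimeError(f"{arn}: no validation records published yet")
    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)
    return arn


# Constructed DescribeCertificate response: apex and wildcard share one record.
SAMPLE_DESCRIBE = {
    "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/bbbb-1",
    "DomainName": "example.com",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_1a2b.example.com.", "Type": "CNAME", "Value": "_3c4d.acm-validations.aws."}},
        {"DomainName": "*.example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_1a2b.example.com.", "Type": "CNAME", "Value": "_3c4d.acm-validations.aws."}},
        {"DomainName": "api.example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_5e6f.api.example.com.", "Type": "CNAME", "Value": "_7a8b.acm-validations.aws."}},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(validation_change_batch(SAMPLE_DESCRIBE), indent=2))
```

Leave the validation records in the zone after issuance: ACM reuses them for every renewal, and deleting them is the most common reason a renewal later stalls in PENDING_VALIDATION. The UPSERT action also makes the script safe to re-run.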

Overlooking Resource Limits 

ACM has quotas, for example on the number of certificates per region per account, on the number of certificates you can request per year, and on the number of domain names per certificate. Overlooking these, especially in pipelines that request a fresh certificate on every deployment instead of reusing one, leads to unexpected roadblocks.

Misunderstanding the Limits of Public Certificates 

Assuming ACM public certificates can be installed on EC2 instances, containers, on-premises servers, or third-party services, when they can only be attached to integrated AWS services, leads to rework of the application architecture (typically moving TLS termination to a load balancer or CloudFront).

Overlooking Private CAs for Internal Resources 

Only focusing on public certificates, and therefore running internal traffic in plaintext or on self-signed certificates that every client has to trust by hand, overlooks what AWS Private CA offers for internal resources and misses a real security improvement.


I hope you find this overview useful!
Did you like it? Too long? Too short? Is something missing?
Please let me know with a comment! 🙏
Your feedback is truly precious to me 😊

