AWS Certificate Manager | General Flashcards
What is AWS Certificate Manager (ACM)?
General
AWS Certificate Manager | Security, Identity & Compliance
AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet. ACM removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With ACM, you can request a certificate, deploy it on AWS resources such as Elastic Load Balancers, Amazon CloudFront distributions, or APIs on Amazon API Gateway, and let AWS Certificate Manager handle certificate renewals. You can also import third-party certificates into ACM and associate them with supported AWS Services. SSL/TLS certificates provisioned through ACM are free. You pay only for the AWS resources you create to run your application.
What is an SSL/TLS certificate?
SSL/TLS certificates allow web browsers to identify and establish encrypted network connections to web sites using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are used within a cryptographic system known as a public key infrastructure (PKI). PKI provides a way for one party to establish the identity of another party using certificates if they both trust a third party, known as a certificate authority. The Concepts topic in the ACM User Guide provides additional background information and definitions.
What can I do with AWS Certificate Manager?
You can request and provision SSL/TLS certificates and use services integrated with ACM – such as Elastic Load Balancing, Amazon CloudFront, or Amazon API Gateway – to deploy certificates to your website or application. Once you validate ownership of the requested domain and the certificate is issued, you can select the SSL/TLS certificate from a drop-down list in the AWS Management Console to deploy it. Alternatively, you can deploy certificates provided by ACM to AWS resources using AWS Command Line Interface (CLI) commands or API calls. ACM manages certificate renewals and certificate deployment for you.
What are the benefits of using AWS Certificate Manager?
ACM makes it easier to enable SSL/TLS for a website or application on the AWS platform. ACM eliminates many of the manual processes previously associated with using and managing SSL/TLS certificates. ACM can also help you avoid downtime due to misconfigured, revoked, or expired certificates by managing renewals. You get SSL/TLS protection and easy certificate management. Enabling SSL/TLS can help improve the search rankings for your site and help you meet regulatory compliance requirements for encrypting data in transit.
To validate that you own or control the domain name in your certificate, ACM uses either DNS validation or email validation based on your selection when you request a certificate. With DNS validation, you simply write a CNAME record to your DNS configuration to establish control of your domain name. To further simplify the DNS validation process, the ACM management console can configure DNS records for you if you manage your DNS records with Amazon Route 53. This makes it easy to establish control of your domain name with a few mouse clicks. Once the CNAME record is configured, ACM can automatically renew DNS-validated certificates before they expire, as long as the DNS record remains in place and the certificates are in use. Renewals are fully automatic and touchless. ACM also supports email validation for customers who don’t have the ability to update the DNS configuration for their domain.
When you use ACM, certificate private keys are securely protected and stored using strong encryption and key management best practices. ACM lets you use the AWS Management Console, AWS CLI, or AWS Certificate Manager APIs to centrally manage all of the SSL/TLS certificates provided by ACM in an AWS Region. ACM is integrated with other AWS services, so you can request an SSL/TLS certificate and provision it with your Elastic Load Balancing load balancer or Amazon CloudFront distribution from the AWS Management Console, through AWS CLI commands, or with API calls.
How can I get started with ACM?
To get started with AWS Certificate Manager, navigate to Certificate Manager in the AWS Management Console, and use the wizard to request an SSL/TLS certificate by entering the name of your site. You can also request a certificate using the AWS CLI or API. After ACM receives approval from the domain owner and the SSL/TLS certificate is issued, you can use it with other AWS services that are integrated with ACM. For each integrated service, you simply select the SSL/TLS certificate you want from a drop-down list in the AWS Management Console. Alternatively, you can execute an AWS CLI command or call an AWS API to associate the certificate with your resource. The integrated service then deploys the certificate to the resource you selected. For more information about requesting and using certificates provided by AWS Certificate Manager, visit Getting Started in the AWS Certificate Manager User Guide.
Why does ACM validate domain ownership?
Certificates are used to establish the identity of your site and secure connections between browsers and applications and your site. To issue a publicly trusted certificate, Amazon must validate that the certificate requestor has control over the domain name in the certificate request.
How does ACM validate domain ownership before issuing a certificate for a domain?
Prior to issuing a certificate, ACM validates that you own or control the domain names in your certificate request. You can choose DNS validation or email validation when requesting a certificate. With DNS validation, you can validate domain ownership by adding a CNAME record to your DNS configuration. Refer to DNS validation for further details. If you do not have the ability to write records to the public DNS configuration for your domain, you can use email validation instead of DNS validation. With email validation, ACM sends emails to the registered domain owner, and the owner or an authorized representative can approve issuance for each domain name in the certificate request. Refer to Email validation for further details.
Which validation method should I use: DNS or email?
We recommend that you use DNS validation if you have the ability to change the DNS configuration for your domain. Customers who are unable to receive validation emails from ACM and those using a domain registrar that does not publish domain owner email contact information in WHOIS should use DNS validation. If you cannot modify your DNS configuration, you should use email validation.
Can I convert an existing certificate from email validation to DNS validation?
No, but you can request a new, free certificate from ACM and choose DNS validation for the new one.
What type of certificates does ACM provide?
ACM provides Domain Validated (DV) certificates for use with websites and applications that terminate SSL/TLS. For more details about certificates provided by ACM, see Certificate Characteristics.
With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
- Elastic Load Balancing – Refer to the Elastic Load Balancing documentation
- Amazon CloudFront – Refer to the CloudFront documentation
- Amazon API Gateway – Refer to the API Gateway documentation
- AWS Elastic Beanstalk – Refer to the AWS Elastic Beanstalk documentation
- AWS CloudFormation – Refer to the AWS CloudFormation documentation
In what Regions is ACM available?
Please visit the AWS Global Infrastructure pages to see the current Region availability for AWS services. To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
Can I use the same certificate in more than one AWS Region?
It depends on whether you’re using Elastic Load Balancing or Amazon CloudFront. To use a certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region, you must request a new certificate for each Region in which you plan to use it. To use an ACM certificate with Amazon CloudFront, you must request the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
Can I copy a certificate between Regions?
Not at this time.
Can I provision a certificate with ACM if I already have a certificate from another provider for the same domain name?
Yes.