AWS Certificate Manager | Managed Renewal and Deployment Flashcards
What logging information is available from AWS CloudTrail?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
You can identify which users and accounts called AWS APIs for services that support AWS CloudTrail, the source IP address the calls were made from, and when the calls occurred. For example, you can identify which user made an API call to associate a certificate provided by ACM with an Elastic Load Balancer and when the Elastic Load Balancing service decrypted the key with a KMS API call.
What is ACM managed renewal and deployment?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
ACM managed renewal and deployment manages the process of renewing SSL/TLS certificates provided by ACM and deploying certificates after they are renewed.
What are the benefits of using ACM managed renewal and deployment?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
ACM manages renewal and deployment of SSL/TLS certificates for you. ACM makes configuring and maintaining SSL/TLS for a secure web service or application more operationally sound than potentially error-prone manual processes. Managed renewal and deployment can help you avoid downtime due to expired certificates. ACM managed renewal and deployment doesn’t require you to install or maintain a software client or agent on your site. Instead, ACM operates as a service that is integrated with other AWS services. This means you can centrally manage and deploy certificates on the AWS platform by using the AWS management console, AWS CLI, or APIs.
Which certificates can be renewed and deployed automatically?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
ACM can renew and deploy certificates provided by ACM without any additional validation from the domain owner. If a certificate cannot be renewed without additional validation, ACM manages the renewal process by validating domain ownership or control for each domain name in the certificate. After each domain name in the certificate has been validated, ACM renews the certificate and automatically deploys it with your AWS resources. If ACM cannot validate domain ownership, we will let you (the AWS account owner) know.
If you chose DNS validation in your certificate request, ACM can renew your certificate indefinitely without any further action from you, as long as the certificate is in use (associated with other AWS resources) and your CNAME record remains in place. If you selected email validation when requesting a certificate, you can improve ACM’s ability to automatically renew and deploy certificates provided by ACM, by ensuring that the certificate is in use, that all domain names included in the certificate can be resolved to your site, and that all domain names are reachable from the internet.
When does ACM renew certificates?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
ACM begins the renewal process up to 60 days prior to the certificate’s expiration date. The validity period for certificates provided by ACM is currently 13 months. Refer to the ACM User Guide for more information about managed renewal.
Will I be notified before my certificate is renewed and the new certificate is deployed?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
No. ACM may renew or rekey the certificate and replace the old one without prior notice.
Can ACM renew certificates containing bare domains, such as “example.com” (also known as zone apex or naked domains)?
Managed Renewal and Deployment
AWS Certificate Manager | Security, Identity & Compliance
If you chose DNS validation in your certificate request, then ACM can renew your certificate without any further action from you, as long as the certificate is in use (associated with other AWS resources) and your CNAME record remains in place.
If you selected email validation when requesting a certificate with a bare domain, ensure that a DNS lookup of the bare domain resolves to the AWS resource that is associated with the certificate. Resolving the bare domain to an AWS resource may be challenging unless you use Route 53 or another DNS provider that supports alias resource records (or their equivalent) for mapping bare domains to AWS resources. For more information, refer to the Route 53 Developer Guide.