AWS Security Best Practices — Amazon Certificate Manager aka ACM— #CloudSecurity

Where are SSL/TLS certificates in AWS?

If this is the first post you are reading in the #CloudSecurity series, Welcome! :) You will find some of the other topics covered under #CloudSecurity by me interesting too. Please feel free to follow my medium profile to see the remaining Cloud Security articles and be updated on upcoming posts on the same topic. I love connecting and talking security so do head to www.ashishrajan.com and connect with me to continue the conversation. Ok, back to the post.

If you prefer consuming educational content in video format, I have you covered. For everyone else keep reading.

From this point onwards, I assume that you have basic working knowledge of SSL/TLS, AWS to be able to create an AWS Account and can search services in AWS Console to use them. If you don’t and would want me to point you to resources that can help, feel free to comment and I can point you to them.

Background

These days it’s uncommon to not see the green lock symbols on everyday websites that one would visit. The green lock is used to — authenticate and verify you are talking to the right source or website and that your communication with the website on an encrypted network. Average user doesn’t have to worry about this unless we are talking Online Banking or Credit card payment websites.

Every now and then you would find that a website with one of the following certificate warning messages, which is linked to the SSL/TLS certificate used on the site. Some of the root causes for this include — Use of untrusted certificate for public websites or forgetting to renew the certificates or revoked exiting certificates due to malicious activity etc. These are easily solved problems but cost the organisation customer trust and some times a potential press releases. Fortunately, there is a change coming to minimise this error, well atleast in the cloud space. We are talking about AWS Certificate Manager (ACM). Let’s unravel shall we?

Image courtesy: https://www.sslshopper.com

What is AWS Certificate Manager (ACM)?

ACM is a managed service from AWS to provision, manage and deploy public and private SSL/TLS certificates for use with AWS services. The AWS services are currently equipped to use ACM service are — Elastic Load Balancers, Amazon CloudFront distributions, Elastic Beanstalk, and AWS API Gateway to enable one-way SSL to APIs.

Why would you want to use ACM?

  • AWS Managed Service: Let’s start with solving encryption in transit for dynamic AWS resources by automating certificate generation using a hardware module backed certificate authority. Yep, the service backend is manage by AWS so no more Certificate Authority (CA) server management in AWS.
  • Asset Management of Certificates is easier — Central place to accurately manage all the SSL/TLS certificates being used in all your AWS accounts.
  • Meet Compliance requirement — Encryption in Transit is definitely a tick with the use of SSL/TLS certificates on all endpoints.
  • IAM Control for access to Certificates — If you intend to use AWS IAM to control the use of AWS ACM SSL/TLS certificates in your AWS accounts. You should think of this anyways.
  • SANs Certificates — Managing multiple websites SSL/TLS certificates on load balancers, especially if you are service provider.
  • Support for wildcard or multi-domain certificates at scale: Non-production environments can be issued certificte with automation on the AWS supported services. This would mean developers can focus on writing the code instead of waiting for SSL/TLS certificates to be issued.
  • Lower security risk faster — Ensuring trusted public/private certificates using strong industry recommended cryptographic algorithms with strong key size and no self-signed SSL/TLS certs lower the security risk of the organisation.
  • Auditability — All API calls for requests to ACM are captured in CloudTrial. You can also easily report on all the certificates created and issued to keep a check on what only authorised certificates are in use.
  • Central Revocation list — It is possible to share a SSL/TLS certificate revocation list with all the Certificate Users in your entire AWS environment across all your AWS Accounts from a central place which will be an S3 bucket in this case.
  • Ability to respond faster to certificate request — ACMs are API enabled like other AWS services and are renewed automatically or through script depending on how you want to do it. More ways to say Yes here you go to developer team. Hooray for Security!
  • Low operational cost — No need to purchase, upload or renew SSL/TLS certificates. AWS manages that for all your AWS issued certificates in ACM and all the public SSL/TLS certificates issued by AWS are free. Talk about managed certificate service which doesn’t cost money. NOTE: This would need to be automated using script if you are importing your certificates into ACM instead of using AWS issued ones.
  • Easy to scale a standard way of certificates with automation in minutes: The entire SSL/TLS lifecycle can be managed automatically and config controlled with AWS Cloudformation which means developers/DevOps engineers can integrate this service as part of their building process.
  • Cost of certificate: Public SSL/TLS certificates issued by AWS are free. Private certificate have a monthly charge per region.

Where would you not want to use AWS ACM?

  • If you pin SSL/TLS certificates then auto-renew feature of ACM will not be useful and may even crash your app.
  • PCI compliance requirement to terminate on endpoint destined for a SSL/TLS connection and not anywhere else means ELB is simply in pass through mode.
  • If you use a CDN which not in the AWS family of supported services then you have to manage two sets of SSL/TLS certs (one just for AWS services and another for the other provider)
  • If you cannot comply with AWS ACM prerequisites or certificate format then you cannot import certificates into ACMs.
  • If you are a mature organisation with a mature and possibly automated process for managing certificates across your organisation, you wouldn’t need to worry about updating this. You can still however, import your certificate into ACM to use on ACM integrated services.
  • If you are a governed body with compliance policies to use on-prem hosted infrastructure for certificate generation and lifecycle management.
  • If your internal applications are not able to support the cryptographic standards used on AWS ACMs
  • If you public facing application requires an Extended Validation(EV) or Organisational Validation(OV) SSL certificates
  • There are no Service Level Agreements (SLAs) for ACM so if you want to control the availability of your CA certification server.
  • You cannot export ACM private keys and if you require them then this is not for you
  • You can confidently manage the lifecycle of certificates for your company certificates imported into AWS resources without using ACM.
  • You should not use it to replace your on-prem or other cloud hosted Certificate authority unless you plan to use AWS issued private certificates in your on-prem environment. It is never a good idea to bring an external certificate authority issued certificates into your on-prem environment.
  • If you want to use certificates for non SSL/TLS protocol communication
  • You cannot use ACMs for email encryption
  • AWS does not allow site seal to highlight that the site is protected by AWS.

Use Cases

  • SSL/TLS termination on Elastic Load Balancers(ELBs) for your public endpoints where the backend is talking HTTP to ELBs.
  • TLS terminate and renogitiate where it is end to end HTTPS all through out the communication.
  • Accelerating the lifecycle of SSL/TLS certificates in your AWS infrastructure
  • Supporting — encryption in transit through the use of Domain Validated and trusted customer imported certificates
  • Enabling the use of a trusted Certificate Authority in all your AWS Accounts. Goodbye untrusted self signed certificates.
  • Startups or SMBs who don’t already have a Certificate Authority that you already maintain should look into ACM and enable HTTPS at minimum on all your public endpoints.
  • If you need a cloud ready i.e flexible and agile certificate authority for your ever changing cloud environment.

Cost

AWS issued public certificates are free for use. However, the AWS issued private certificates are currently available on a 30 day free trail. After the trial period, the certificates will be costed in ranges of 1–1000 private certificates per region. The cost lowers as the range increases. Another good activity to encourage good security behaviour. Don’t worry, even 1–1000 is in cents per month per region. More information here.

NOTE: The AWS services using the ACM services are charged as usual. The of ACM private certs is on top of cost, which you would have to pay probably a lot more for if you were using a Certificate Authority within the organisation.

Best Practices

  • Strong Transport Layer protection: Use only TLS version 1.1 or greater and not use SSL at all as it is not secure anymore. Although TLSv1.3 had a potential attack vector discovered recently.
  • Encryption end to end for all your resources — Use of TLS/SSL for communication means that your customers can easily trust the identity of services offered by you and as a service provider you can preserve the integrity of your communication with your customer and prevent a replay attack on your response to customer requests.
  • Use strong cipher: Keys used to generate the private keys for SSL/TLS certificates should have high key strength incase you are using imported certificates instead of AWS ACM issued certificates. Look here for things OWASP recommended TLS practices
  • Identity the CSR or Certificate request frequency to justify the use of ACM:
    Most mature cloud environments are rebuild quite frequently so based on how frequently you would need to request/revoke SSL/TLS certificates you would need to reconsider using ACM. The current limit is 1000 certificates in a year but can be raised on request. However, is it a good thing if each environment uses over 1000 SSL/TLS certificates?
  • Central Certification Management process for your organisation: Integrate the SSL/TLS certitificates used in your AWS environment with your internal certificate management process and products especially if you are managing your internal organisation certificates on your own.
  • Domain Name in Certificates not alias: Use only Fully qualified domain name for DNS in SSL/TLS certificates
  • ACM issued certificates vs domain specific certificates for public facing endpoints— Do not use ACM issued certificates for your production public facing endpoints. The endpoint protected by ACM issued certificate instead of organisation issued certificates will come up as issued by Amazon Web Services instead of your organisation name in the certificate which may lead to your security averse customer not trusting the website.
  • Use of Wildcard domain certificates Use them only for non-prod endpoints which will get rebuild frequently. Versioning can be used to highlight the current version of non-prod in use.
  • Protect the private key Private key used on your TLS/SSL certificates on service like HSM or similar.
  • Frequently audit the creation of SSL/TLS certificates in your AWS environment for only trusted certificates using the Audit report especially if you use a lot of SSL/TLS certificates in your AWS environment. You don’t want to be in a spot where a certificate is generated by someone in your account which gets misused.
  • Only allow the use and import of authorised certificates from your organisation and trusted partners in ACM
  • Use CloudFormation to generate and manage SSL/TLS certificates configuration automatically at scale
  • Use Tagging to manage SSL/TLS certificates at scale to identify information related to the certificate — owner for lifecycle, team issued for, type of application this certificate should be used for etc
  • Trust but verify — revocation list is shared via S3 bucket and should have restricted IAM role access to limit who can update the revocation list
  • Use IAM roles to restrict access to SSL/TLS lifecycle, if required.
  • Raise CloudWatch alarms on Cloud Trail API calls for new certificate requests for domains other than your company domain and for deletion of existing production certificate api activity.

Conclusion

If you don’t have a certificate authority currently and rely on a third party to issue you SSL/TLS certificates for your AWS hosted resources do consider the use cases listed above for your particular use case. The public certificates issued by AWS are free and are integrate by click of a few buttons with AWS services. There should not be any reason why you you should not use this to build a trust for your brand with your customer.

Thank you for your time. Now since you are armed with Good,Bad and Ugly of this AWS service go out in the world and create secure things.

#PeaceOut

Please share any feedback or insight you have about articles in the #CloudSecurity series, feel free to leave a comment or reach out to me on twitter,linkedin, youtube or email mentioned on my website (https://www.ashishrajan.com).

Security expert with a goal to make security an enabler instead of a blocker in the exciting world of cloud and machine learning. www.ashishrajan.com

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store