AWS Certificate Management and Private Certificate Authority Deep Dive
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• AWS Certificate Manager
AWS Certificate Manager (ACM)
Example: ACM with Elastic Load Balancing
• Public certificates requested with ACM
• Deployed on ELB
• ACM manages renewal and deployment
[Diagram: users and devices open a secure TLS/SSL connection to the instances behind the load balancer in the AWS Cloud; AWS Certificate Manager obtains a public TLS server certificate from the Amazon Public CA and deploys it to the load balancer.]
What’s new
• DNS Validation (Nov 2017) – Validate your domain by writing the DNS CNAME record that ACM provides into your DNS configuration
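The DNS validation step above amounts to copying the CNAME that ACM hands back from describe-certificate into the zone. The following is an added example (not part of the AWS deck) that turns a describe-certificate response into a Route 53 change batch. It assumes the documented response shape (the validation record under DomainValidationOptions[].ResourceRecord) and the ChangeBatch shape accepted by change-resource-record-sets; the sample response, record names and values are constructed for the example. It also handles two things the slide does not mention: a wildcard SAN shares its parent domain's validation record, so that CNAME must be written once, and names already in SUCCESS need no record.

```python
"""Turn ACM DNS-validation records into a Route 53 change batch.

Added example, not from the AWS deck.  Assumes the documented
describe-certificate response shape and the Route 53 ChangeBatch shape.
"""
import json

# Constructed sample of a describe-certificate response for a certificate
# covering the apex, a wildcard and one extra SAN.  Record labels and values
# are made up; real ones are random labels under acm-validations.aws.
SAMPLE_DESCRIBE_OUTPUT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "example.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_deadbeef01.example.com.",
                    "Type": "CNAME",
                    "Value": "_cafef00d02.acm-validations.aws.",
                },
            },
            {
                # The wildcard shares the apex's validation record, so the same
                # CNAME appears twice in the response and must be written once.
                "DomainName": "*.example.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_deadbeef01.example.com.",
                    "Type": "CNAME",
                    "Value": "_cafef00d02.acm-validations.aws.",
                },
            },
            {
                "DomainName": "api.example.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_0badf00d03.api.example.com.",
                    "Type": "CNAME",
                    "Value": "_feedface04.acm-validations.aws.",
                },
            },
        ],
    },
}


def pending_validation_records(describe_output):
    """Return the unique validation records ACM still needs published."""
    seen = set()
    records = []
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        if opt.get("ValidationMethod") != "DNS":
            continue  # e-mail validation has no record to publish
        if opt.get("ValidationStatus") == "SUCCESS":
            continue  # already proven, nothing to write
        rr = opt.get("ResourceRecord")
        if rr is None:
            continue  # ACM has not generated the record yet; describe again later
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        if key not in seen:
            seen.add(key)
            records.append(rr)
    return records


def route53_change_batch(describe_output, ttl=300):
    """Build the ChangeBatch for change-resource-record-sets.

    UPSERT is idempotent, so re-running after a partial failure is safe.
    """
    changes = []
    for rr in pending_validation_records(describe_output):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(SAMPLE_DESCRIBE_OUTPUT), indent=2))
```

Save the printed batch to a file and pass it to aws route53 change-resource-record-sets --hosted-zone-id <zone> --change-batch file://batch.json; the certificate moves out of PENDING_VALIDATION once ACM sees the records resolve.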
ACM compliance for data privacy and protection
• HIPAA Eligible - The standard for sensitive patient data protection
• AICPA SOC 1, 2, and 3 – Provides deep insight into ACM’s security processes and controls
• PCI DSS – The technical and operational requirements for protection of cardholder data
• ISO 9001, 27001, 27017, and 27018 – Among the most recognized global security standards
ACM Private CA
• ACM Private CA is a fully managed private CA
• Avoids the complexity of managing a CA yourself
• Operates as a standalone CA or together with ACM for certificate mgmt
• Certificates are trusted within your organization
[Diagram: ACM Private CA issues certificates to AWS resources in the AWS Cloud, such as Amazon EC2 instances, and to devices and servers in on-premises infrastructure.]
ACM Private CA setup and hierarchy
• Create a Private CA
• Establish chain of trust to existing root CA
• Export CSR and sign with a parent CA
[Diagram: existing CA infrastructure with a Root CA (Root CA certificate) and an Intermediate CA (Intermediate CA certificate) signed by it; ACM Private CA is chained beneath the intermediate and issues device/resource certificates.]
Elastic Load Balancing with private TLS server certificates
Private or public certificates managed with ACM
ACM manages renewal and deployment
[Diagram: the Enterprise Root CA is chained to ACM Private CA in the AWS Cloud, which publishes its CRL to an Amazon S3 bucket; AWS Certificate Manager deploys to the instances either a private TLS server certificate from ACM Private CA or a public TLS server certificate from the Amazon Public CA.]
Elastic Load Balancing with private TLS server certificates
[Diagram, steps 1–2: (1) AWS Certificate Manager requests a TLS server certificate from ACM Private CA; (2) ACM Private CA issues the certificate. The Enterprise Root CA sits above ACM Private CA, and the CRL is published to an Amazon S3 bucket.]
Elastic Load Balancing with private TLS server certificates
[Diagram, steps 1–4: (1) AWS Certificate Manager requests a certificate from ACM Private CA (chained to the Enterprise Root CA, CRL in an Amazon S3 bucket); (2) ACM Private CA issues the TLS server certificate; (3) ACM deploys the certificate to the instances; (4) users and devices open a secure TLS/SSL connection.]
TLS to your container
IAM Policy to allow container access to PCA
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm-pca:IssueCertificate",
                "acm-pca:GetCertificate"
            ],
            "Resource": "*"
        }
    ]
}
[Diagram: the container (1) generates keys, (2) generates a CSR, (3) calls the pca::IssueCertificate API, and (4) calls the pca::GetCertificate API against ACM Private CA, which is chained to the Enterprise Root CA.]
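The policy on this slide grants acm-pca:IssueCertificate and acm-pca:GetCertificate on Resource "*", which lets the container mint certificates from any private CA the policy's principal can reach, not just the one meant for that workload. Both actions support resource-level permissions on the certificate-authority ARN, so the policy can be pinned to one CA. The following is an added example (not from the AWS deck or any AWS library) that audits a policy document for acm-pca statements with a wildcard resource and emits a copy scoped to a single CA ARN; the CA ARN used is a placeholder, and the input is the slide's policy reproduced verbatim.

```python
"""Flag and scope overbroad ACM Private CA grants in an IAM policy document.

Added example, not part of the AWS deck.  Pure-stdlib; the CA ARN is a
placeholder and the input policy is the one shown on the slide.
"""
import copy
import json

# The slide's policy, used here as the input to audit.
SLIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate"],
            "Resource": "*",
        }
    ],
}

# Placeholder CA ARN (assumption for the example; substitute the real one).
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/PLACEHOLDER-CA-ID"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _is_pca_action(action):
    """True for any acm-pca action, including wildcards that cover it."""
    action = action.lower()
    return action == "*" or action.startswith("acm-pca:")


def _has_wildcard(resource):
    """True for "*" and for any ARN containing a wildcard component."""
    return "*" in resource


def find_overbroad_pca_statements(policy):
    """Return indexes of Allow statements granting acm-pca actions on a wildcard resource."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(_is_pca_action(a) for a in actions) and any(_has_wildcard(r) for r in resources):
            hits.append(i)
    return hits


def scope_pca_policy(policy, ca_arn):
    """Return a copy of `policy` with overbroad acm-pca statements pinned to `ca_arn`.

    Statements that mix acm-pca actions with other services' actions (or use
    Action "*") are reported by find_overbroad_pca_statements but left alone,
    because splitting them correctly needs a human decision.
    """
    scoped = copy.deepcopy(policy)
    for i in find_overbroad_pca_statements(policy):
        stmt = scoped["Statement"][i]
        actions = _as_list(stmt.get("Action", []))
        if all(a.lower().startswith("acm-pca:") for a in actions):
            stmt["Resource"] = ca_arn
    return scoped


if __name__ == "__main__":
    print("overbroad statements:", find_overbroad_pca_statements(SLIDE_POLICY))
    print(json.dumps(scope_pca_policy(SLIDE_POLICY, CA_ARN), indent=2))
```

Run it against policies pulled with aws iam get-policy-version; a clean result is an empty list from find_overbroad_pca_statements. Pinning the resource to the CA ARN is the IAM side of the picture; which subjects and SANs the container may request is still decided by the CA and its issuing process, so this check limits blast radius rather than replacing request validation.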
Certificate-based device authentication
Alexa For Business enables organizations and employees to use Alexa at enterprise scale
Goal: connect Echo devices to an existing enterprise WPA2 wireless network
[Diagram: an Echo device presents a device certificate to the enterprise RADIUS authentication server; the Alexa For Business Device Setup Tool provisions that certificate.]
Certificate-based device authentication
Standalone Private CA issuing unmanaged certificates
ACM does not manage renewals and deployment
[Diagram: Enterprise Root CA chained to ACM Private CA, which publishes its CRL to an Amazon S3 bucket.]
Certificate-based device authentication
Device Setup Tool provisions device certificates using ACM Private CA
Administrator must grant permission to use the Private CA with an AWS Identity and Access Management (IAM) policy
Certificate-based device authentication
Device Setup Tool issues and deploys certificates to Echo devices
[Diagram, steps 1–2: (1) the Alexa For Business Device Setup Tool calls IssueCertificate on ACM Private CA (chained to the Enterprise Root CA, CRL in an Amazon S3 bucket); (2) it calls GetCertificate and deploys the device certificate to the Echo, which then authenticates to the RADIUS auth server.]
Remote devices using encrypted IPSec VPNs
[Diagram: Enterprise Root CA chained to ACM Private CA, CRL in an Amazon S3 bucket; ACM Private CA issues an IPSec certificate to an instance running an IPSec server, and an IPSec client reaches it through an IPSec VPN tunnel across the Internet.]
Remote devices using encrypted IPSec VPNs
[Diagram: Enterprise Root CA chained to ACM Private CA, CRL in an Amazon S3 bucket; ACM Private CA issues IPSec VPN certificates to both the IPSec client and the instance running the IPSec server, and the IPSec tunnel between them crosses the Internet.]
“We use ACM Private Certificate Authority (CA) to issue certificates to ensure
secure connections from our sensors to our purpose-built Security
Operations Center platform that runs in AWS.”
Michael Hart
Director Infrastructure Engineering,
Arctic Wolf Networks
Learn more
ACM Documentation
https://amzn.to/AWSCertificateManagerDocs
ECS Containers
https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/
Compliance
https://aws.amazon.com/compliance/
https://aws.amazon.com/compliance/services-in-scope/
Thank you!
Todd Cignetti and Ram Ramani
[email protected]
Q&A
Private CA FAQs
• Standalone versus managed certificates
• How can I chain a Private CA up to my enterprise root CA?
• Revocation
• Auditing
• Logging
• TLS/SSL for back-end connections from ELB to instance or container
Customization for Standalone Certificates
[Slide graphic: a private certificate with custom resource names.]
ACM Managed versus Unmanaged Certificates
                           ACM-Managed Certificates                        Unmanaged
Certificate private keys   ACM generates and manages the private key       Customer generates and manages the private key
Certificate subject/SANs   Valid DNS names only                            Any valid X.509 subject/SANs
Export                     Available for private certificates              n/a – Customer manages the private keys and certs
ACM Private CA
[Slide graphic: flexibility to customize private certificates; pay-as-you-go pricing.]