Managing Certificates with AWS Certificate Manager
SSL CERTIFICATES AND THE AWS ECOSYSTEM
The Basics
About Me
DevOps@RajeshKumar.XYZ
“The average global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage -- and faces another $25 million in potential compliance impact.”
csoonline.com
Course Modules
- SSL Certificates and the AWS Ecosystem
- Introduction to the AWS Certificate Manager
- Implementing Certificates
- Operations and Troubleshooting
Scenario: Animal Rescue Nonprofit
Proposed Infrastructure
SSL Certificate FAQ
Common AWS Offerings That
Support SSL
Certificate Ownership
|
|
|---|
What We Will Learn:
- What is AWS Certificate Manager?
- Which services does it support?
- How can we use it?
- Follow along with our animal rescue nonprofit as we secure their site!
Introduction to the AWS Certificate Manager
Module Overview
- Benefits of managed SSL certificates
- Workflows
- Integrated services
- Demo: Creating a Certificate
Benefits of AWS Managed SSL Certificates
Business Impact for wolfcreekdogrescue.com
- No cost for certificate procurement
- No cost for certificate renewal
- No operational overhead
- Very quick turnaround
Workflow: Requesting a Certificate
Workflow: Requesting a Certificate
Workflow: Managing Certificates
Workflow: Deploying Certificates
Handled in the individual services
Which services itegrate with ACM?
Services Integrated with ACM
ACM Limitations
- No access to SSL certificates
- Cannot download
- No choice on key size
- No third-party integration
- Create a new certificate using ACM
- Using our nonprofit animal rescue
Summary
- Managed service for SSL certificates reduces operational overhead
- Tradeoff: convenience vs. flexibility
- Next Up: Implementing Certificates
Implementing Certificates
Module Overview
- Recap of proposed architecture
- Comparison of ELB and Cloud Front
- Demo: add certificate to ELB
- Demo: add certificate to CloudFront
Proposed Infrastructure
Comparison of Services
|
|
|---|
Why Choose SSL on ELB?
- Direct integration with EC2 web server
- Ramp-up with autoscaling
- Keep services geographically close
Why Choose SSL on Cloud Front?
- Cost effective global reach
- Cache static assets via multiple origins
- DDoS protection
- Add certificate to ELB
- Assuming pre-existing ELB in place
- Assuming no existing SSL termination
- Add certificate to CloudFront
- Assuming pre-existing CF distribution
Summary
- ACM is simple!
- Benefits for both ELB and Cloud Front
- Use them together!
- Next Up: Operations and Troubleshooting
Operations and Troubleshooting
Module Overview
- Operations: all AWS, all the time
- Troubleshooting FAQ
- Course recap
Operations: Shared Responsibility
|
|
|---|
Behind the Scenes: Service Integration with ELB
Troubleshooting 1/4
Why didn’t I receive the approval request email?
Check spam folder
Registrar Privacy Protection enabled?
Troubleshooting 2/4
Why isn’t my ssl certificate being used for cipher XXX?
Verify that cipher is enabled in the ELB or CloudFront
Troubleshooting 3/4
Why is my page showing an SSL warning for site name
X.Y.domain.com?
Wildcard cert for *.domain.com isn’t valid
Troubleshooting 4/4
Why did my certificate request fail?
Blacklisted domain
Invalid public domain
AWS-owned domain
Module Summary
- Operations: AWS does all the work
- Troubleshooting: check the AWS docs
Course Wrap Up
- ACM: easy to use
- ACM: only 2 integration points
- WCDR: no effort spent learning a new service!
- WCDR: low cost solution
- WCDR: focus on core competency!
Questions?
