AWS Certificate Manager (ACM) – Best Practices

What is AWS Certificate Manager (ACM)?

ACM is Amazon’s Certificate Manager offered as a service for its cloud customers. ACM provides its users with options to create, manage and deploy certificates (both public and private). AWS Certificate Manager Private Certificate Authority service enables small and medium enterprises to build and own Public Key Infrastructure (PKI) with in AWS cloud platform. AWS services such as Elastic Load Balancers, Amazon CloudFront distributions, Elastic Beanstalk, and AWS API Gateway are equipped to use AWS Certificate Manager Service.

For more detailed information on AWS Certificate Manager (ACM), please read our blog article

AWS ACM Best Practices:

Following best practices for ACM services help organizations in conforming to audit processes and also ensure compliance with several security laws, standards and regulations such as
Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST), Australian Prudential Regulatory Authority (APRA) etc.

Here are top 10 best practices we identified for AWS Certificate Manager (ACM):

1. ACM Certificate expiry check: One of the best practices to be followed in order to adhere to security standards is to ensure removal of expired SSL/TLS certificates managed by ACM. This eliminates the risk of deploying an invalid SSL/TLS certificate in resources which trigger error in front end. This might cause loss of credibility for business as well.
2. ACM Certificate validity check: Ensure requests arrived during SSL/TLS certificate issue or renewal process are validated regularly. ACM certificate requests become invalid when not validated within 72 hours of request initiation. Application services might be interrupted during the process of new certificate requesting process.
3. Root Certificate Authority (CA) usage: As per Amazon recommendation, it is always a best practice to minimize the use of root CA. Instead an intermediate CA can be created to perform daily activities of issuing certificates to endpoints and in turn root CA can issue certificates to intermediate CAs. This way root CA can be protected from direct exposure during any attacks. Also, providing a separate accounts for root CA and intermediate CAs is a recommended best practice.
4. Use of SSL vs TLS:Transport layer protection is very important to ensure security. Use only TLS version 1.1 or above and do not use SSL as it is not considered secure anymore.
5. Private keys (SSL/TLS) protection: Whenever you import certificates instead of ACM issued certificates, ensure keys used to generate SSL/TLS certificate private keys has high key strength to avoid data breach.
6. Avoid using SSL wildcard domain certificates: Avoid using wildcard domain certificates instead try to issue ACM single domain certificate for each domain and subdomain with its own private key. Whenever there is a breach or hack performed on wildcard certificates, all the domains and sub domains linked are compromised causing greater security concern.
7. Usage of imported certificates: Allow usage of imported certificates only from authenticated and trusted partners of your organization in ACM. When wildcard certificates are imported into AWS Certificate Manager (ACM), security threat risk is high as the user might hold an unencrypted copy of certificate’s private key.
8. Fully qualified domain name: :One of the common mistakes organizations commit is using alias in certificates. Recommended best practice is to always use a Fully Qualified Domain Name (FQDN) in SSL/TLS ACM certificates.
9. Perform audit of SSL/TLS certificates: To avoid misuse of generated certificates, perform frequent audits of AWS environment for trusted certificates and validate audit report.
10. Turn on AWS CloudTrail and CloudWatch alarms: CloudTrail logging helps in tracking history of AWS API calls and monitoring AWS deployments. CloudTrail can be integrated with applications for performing automated logging and monitoring activities. Enabling CloudWatch alarm feature helps in alerting through notifications when configured metrics breach.

If your organization is looking for implementation of AWS Certificate Authority, please consult [email protected] for further information.BYOK allows organizations to encrypt data inside cloud services with their own keys — and maintained within the cloud providers’ vaults — while still continuing to leverage the cloud provider’s native encryption services to protect their data. Win win.