PKI – Amazon Web Services (AWS)

Global Public Cloud market size is expected to reach $488.5 billion by 2026 as per a research study conducted by www.businesswire.com and there will be a predicted 16% CAGR market growth during the forecasted time period. This triggers the immediate need to shift our focus on “Cloud Security”. Let’s deep dive into the Public Key Infrastructure (PKI) in Amazon Web Services (AWS) Cloud.

Let us understand PKI in AWS:

ACM stands for AWS Certificate Manager. Just like any Certificate Manager, ACM provides convenient options for cloud service users to create, manage and deploy public and private SSL/TLS X.509 certificates and keys. These certificates provide authentication of identity of websites as well as private resources and protection for sensitive data hosted on Amazon Web Services platform. AWS services supported certificates can be provided either by directly issuing with ACM or by importing third party certificates to ACM management system.

Services offered through ACM in AWS:

Amazon provides two options for customers to deploy SSL/TLS X.509 certificates. Depending on the business requirement customers can choose from the below options.

• ACM Certificate Manager (ACM) : This service is targeted for customers who need secure web existence using TLS certificates. ACM deploys certificates using AWS services – Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway, and other integrated services. Enterprises with secure public website with significant web traffic can prefer this certificate management service
• ACM Private CA – This service is most suited for small and medium enterprise customers who desire to build their own Public Key Infrastructure (PKI) with in AWS Cloud and projected for private use within the organization. Within private CA users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, devices etc.Note : Certificates issued using Private CA cannot be used on internet

ACM Certificate Characteristics:

Public certificates provided by ACM have the characteristics described in this section. These characteristics only apply to certificates provided by ACM and might not apply to certificates imported to ACM:

Serial No.		Characteristics
1	Domain Validation (DV)	ACM Certificates are domain validated. Subject field of an ACM Certificate identifies a domain name. Ownership can be validated using email or DNS
2	Validity Period for Certificates	13 months
3	Managed Renewal and Deployment	Automatic renewal and provisioning of certificates by ACM
4	Browser and Application Trust	ACM certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. ACM Certificates are also trusted by Java
5	Multiple Domain Names	Each ACM certificate must include one Fully Qualified Domain Name (FQDN) and additional names can be added further
6	Wildcard Names	ACM allows to use an (*) asterisk in domain name to create an ACM certificate that can protect several sites in the same domain
7	Algorithms	Public key algorithms supported by ACM:   2048-bit RSA (RSA_2048) 4096-bit RSA (RSA_4096) Elliptic Prime Curve 256 bit (EC_prime256v1) Elliptic Prime Curve 384 bit (EC_secp384r1)

AWS Certificate Manager Pricing:

1. Public SSL/TLS certificates provisioned through AWS Certificate Manager are free of cost. Customer needs to pay only for AWS resources created to run application/services.
2. ACM Private CA is priced along two stages
   1. Monthly fee of $400 for each ACM private CA until it is deleted
   2. Customer pays a one-time fee when certificates are issued from ACM Private CA

Please visit Amazon Web Services portal for more details: www.aws.amazon.com

If your organization is looking for implementation of AWS Certificate Authority, please consult [email protected] for further information.