Get our experts advice in handling data security issues on the Cloud.

Learn More

    PKI in AWS Cloud

    Blog Post - PKI in AWS Cloud
    8 Aug 2020

    PKI – Amazon Web Services (AWS)

    Global Public Cloud market size is expected to reach $488.5 billion by 2026 as per a research study conducted by www.businesswire.com and there will be a predicted 16% CAGR market growth during the forecasted time period. This triggers the immediate need to shift our focus on “Cloud Security”. Let’s deep dive into the Public Key Infrastructure (PKI) in Amazon Web Services (AWS) Cloud.

    Let us understand PKI in AWS:

    ACM stands for AWS Certificate Manager. Just like any Certificate Manager, ACM provides convenient options for cloud service users to create, manage and deploy public and private SSL/TLS X.509 certificates and keys. These certificates provide authentication of identity of websites as well as private resources and protection for sensitive data hosted on Amazon Web Services platform. AWS services supported certificates can be provided either by directly issuing with ACM or by importing third party certificates to ACM management system.

    Services offered through ACM in AWS:

    Amazon provides two options for customers to deploy SSL/TLS X.509 certificates. Depending on the business requirement customers can choose from the below options.

    • ACM Certificate Manager (ACM) : This service is targeted for customers who need secure web existence using TLS certificates. ACM deploys certificates using AWS services – Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway, and other integrated services. Enterprises with secure public website with significant web traffic can prefer this certificate management service
    • ACM Private CA – This service is most suited for small and medium enterprise customers who desire to build their own Public Key Infrastructure (PKI) with in AWS Cloud and projected for private use within the organization. Within private CA users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, devices etc.

      Note : Certificates issued using Private CA cannot be used on internet

    ACM Certificate Characteristics:

    Public certificates provided by ACM have the characteristics described in this section. These characteristics only apply to certificates provided by ACM and might not apply to certificates imported to ACM:

    Serial No. Characteristics
    1 Domain Validation (DV) ACM Certificates are domain validated. Subject field of an ACM Certificate identifies a domain name. Ownership can be validated using email or DNS
    2 Validity Period for Certificates 13 months
    3 Managed Renewal and Deployment Automatic renewal and provisioning of certificates by ACM
    4 Browser and Application Trust ACM certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. ACM Certificates are also trusted by Java
    5 Multiple Domain Names Each ACM certificate must include one Fully Qualified Domain Name (FQDN) and additional names can be added further
    6 Wildcard Names ACM allows to use an (*) asterisk in domain name to create an ACM certificate that can protect several sites in the same domain
    7 Algorithms Public key algorithms supported by ACM:
    • 2048-bit RSA (RSA_2048)
    • 4096-bit RSA (RSA_4096)
    • Elliptic Prime Curve 256 bit (EC_prime256v1)
    • Elliptic Prime Curve 384 bit (EC_secp384r1)

    AWS Certificate Manager Pricing:

    1. Public SSL/TLS certificates provisioned through AWS Certificate Manager are free of cost. Customer needs to pay only for AWS resources created to run application/services.
    2. ACM Private CA is priced along two stages
      1. Monthly fee of $400 for each ACM private CA until it is deleted
      2. Customer pays a one-time fee when certificates are issued from ACM Private CA

    Please visit Amazon Web Services portal for more details: www.aws.amazon.com

    If your organization is looking for implementation of AWS Certificate Authority, please consult info@encryptionconsulting.com for further information.

    Want to learn from AWS Experts

    We train some of the biggest names in the industry through virtual & Live Classes

    Get a Free Quote for your Cloud Advisory Services

    Free Downloads for Cloud Advisory Services