AWS Certificate Manager (ACM)
Learn how to manage public and private security certificates using AWS Certificate Manager.
AWS Certificate Manager (ACM) simplifies the process of managing SSL/TLS certificates for our AWS-based websites and applications. It provides free SSL/TLS certificates that are automatically provisioned and renewed for use with AWS services. With ACM, we can easily provision, manage, and deploy SSL/TLS certificates for use with AWS services and resources, such as Elastic Load Balancers (ELB), Amazon CloudFront distributions, and Amazon API Gateway APIs. Alternatively, we can also import third-party certificates into the ACM management system.
Public certificates issued by ACM are signed by Amazon Trust Services, a certificate authority trusted by all major browsers and operating systems. Each certificate must be associated with at least one domain name. ACM supports both RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) key algorithms for certificate issuance. By default, an ACM certificate is valid for a period of 13 months. ACM publishes revocation status through the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs), so certificates that are no longer trustworthy can be revoked.
How ACM works
We start by requesting SSL/TLS certificates through the AWS Management Console, CLI, or API. ACM supports various types of certificates, including single-domain, multi-domain (SAN), and wildcard certificates. Before issuing a certificate, ACM validates that we control every domain name it covers. ACM then handles the entire lifecycle of the certificate, including issuance, renewal, and deployment. It automatically renews certificates before they expire, keeping our endpoints protected without manual intervention. This automation simplifies certificate management and reduces the risk of outages caused by expired certificates.
Once we’ve obtained SSL/TLS certificates through ACM, we integrate them with other AWS services. For example, we can associate certificates with Elastic Load Balancers (ELB), Amazon CloudFront distributions, and API Gateway APIs. ACM seamlessly manages the certificate lifecycle for these services.
Best practices
Here are some best practices for using AWS Certificate Manager (ACM):
Use DNS validation: Whenever possible, opt for DNS validation instead of email validation when requesting ACM certificates. DNS validation provides a more secure and automated method for verifying domain ownership.
Limit certificate access: Restrict access to ACM certificates using AWS Identity and Access Management (IAM) policies. Only grant permissions to the users and roles that need access to the certificates for their tasks.
Monitor certificate expiry: Regularly monitor the expiry dates of ACM certificates using AWS CloudWatch or other monitoring tools. Set up alerts to notify us when certificates are nearing expiration, allowing us to take timely action to renew them.
Use managed renewal: Enable managed renewal for ACM certificates to automate the process of renewing certificates before they expire. This helps prevent downtime due to expired certificates and ensures continuous protection for our applications.
Regularly review and rotate certificates: Conduct periodic reviews of ACM certificates to ensure that they are still required and properly configured. Rotate certificates if there are changes in our infrastructure or security requirements.
Back up private keys: ACM does not provide direct access to the private keys of the certificates it issues; where we hold a private key ourselves (for example, for third-party certificates imported into ACM), ensure that mechanisms are in place to back up, store, and manage it securely.
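As an added example (not code from the original page or from AWS), the following Python consumes certificate descriptions in the shape returned by boto3's acm.describe_certificate()["Certificate"], using constructed sample data rather than a live account. It builds the Route 53 change batch for the pending DNS validation records described above (note that an apex name and its wildcard share one CNAME) and implements the expiry-monitoring practice by flagging soon-expiring certificates that managed renewal will not cover, such as imported ones.

```python
from datetime import datetime, timedelta, timezone

def route53_validation_changes(cert, ttl=300):
    """Build a Route 53 ChangeBatch that UPSERTs every DNS validation CNAME
    ACM is still waiting on. The apex name and its wildcard share one CNAME,
    so records are deduplicated by name."""
    changes, seen = [], set()
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue  # email-validated, or ACM has not generated the record yet
        if opt.get("ValidationStatus") == "SUCCESS" or rr["Name"] in seen:
            continue
        seen.add(rr["Name"])
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}

def expiring_without_renewal(certs, now, days=30):
    """ARNs of ISSUED certificates that expire within `days` and that ACM
    will not renew on its own (imported, or not eligible for managed renewal)."""
    cutoff = now + timedelta(days=days)
    flagged = []
    for c in certs:
        if c.get("Status") != "ISSUED" or c["NotAfter"] > cutoff:
            continue
        if c.get("Type") == "IMPORTED" or c.get("RenewalEligibility") != "ELIGIBLE":
            flagged.append(c["CertificateArn"])
    return flagged

# Constructed sample data mimicking describe_certificate()["Certificate"].
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:123456789012:certificate/"  # placeholder account id
DNS_RR = {"Name": "_abc123.example.com.", "Type": "CNAME",
          "Value": "_xyz789.acm-validations.aws."}
SAMPLE_CERTS = [
    {"CertificateArn": ARN + "pending-1", "DomainName": "example.com",
     "Status": "PENDING_VALIDATION", "Type": "AMAZON_ISSUED",
     "DomainValidationOptions": [
         {"DomainName": d, "ValidationMethod": "DNS",
          "ValidationStatus": "PENDING_VALIDATION", "ResourceRecord": DNS_RR}
         for d in ("example.com", "*.example.com")]},
    {"CertificateArn": ARN + "imported-1", "DomainName": "legacy.example.com",
     "Status": "ISSUED", "Type": "IMPORTED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW + timedelta(days=10)},
    {"CertificateArn": ARN + "managed-1", "DomainName": "www.example.com",
     "Status": "ISSUED", "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=20)},
]
```

In a real account, feed the output of acm.describe_certificate into these functions and pass the change batch to route53.change_resource_record_sets for the hosted zone that owns the domain.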