Friday, October 24, 2025

AWS Certificate Manager (ACM) | Deep Dive.

twtech deep dive into AWS Certificate Manager (ACM).

Breakdown:

  •        Overview,
  •        Certificate Types,
  •        Core Concepts,
  •        Architecture & Integrations,
  •        Integration Points,
  •        ACM Private CA,
  •        Automation & Lifecycle Management,
  •        Security & Compliance,
  •        Multi-Account / Multi-Region Strategy,
  •        CloudFormation sample,
  •        Best Practices,
  •        Cost Model.

1. Overview

  •        AWS Certificate Manager (ACM) is a fully managed service that simplifies the provisioning, management, and deployment of TLS (SSL) certificates for AWS resources and custom domains.
  •        ACM removes the need for manual certificate lifecycle management (CSR generation, renewal, installation, and rotation) for the certificates it issues; imported certificates still need you to handle renewal.
  •        ACM is a regional service: a certificate lives in one region and can only be attached to resources in that region. CloudFront is the exception, it reads certificates from us-east-1 only (see the integration table below).

Key Features

  • Managed public and private certificates.
  • Automatic renewal of ACM-managed certificates.
  • Seamless integration with AWS services (ALB, API Gateway, CloudFront, etc.).
  • Centralized certificate visibility in the console and via APIs.
  • Private Certificate Authority (ACM PCA, now branded AWS Private CA) for enterprise-grade private PKI.

 2. Certificate Types

  • Public ACM Certificate: issued by Amazon's CA (Amazon Trust Services) for domains you can prove control of. Free when used with integrated AWS services; the exportable public certificate option introduced in 2025 hands you the private key and is charged per certificate. Use cases: HTTPS for public websites, CloudFront, ALB, API Gateway.
  • Private ACM Certificate: issued through ACM from a CA in AWS Private CA (ACM PCA). Trust is whatever you distribute to your own hosts, nothing public trusts it. Use cases: internal services, VPN, microservice mTLS.
  • Imported Certificate: bring your own externally issued certificate, private key and chain (e.g., DigiCert, Let's Encrypt). ACM deploys it to integrated services but never renews it. Use cases: cross-cloud or hybrid workloads, certificate types ACM does not issue.

 3. Core Concepts

 Certificate Lifecycle

  1. Request / Import
    • Public: request for domains you control; prove control by DNS or email validation
    • Private: request through ACM from a Private CA (then ACM manages it) or call the Private CA API directly with your own CSR
    • Imported: upload the certificate, private key and chain you obtained elsewhere
  2. Validation
    • DNS (preferred): add the CNAME record ACM hands you; leave it in place and renewals need no further action
    • Email: the domain contacts must approve the initial issuance and every renewal
  3. Deployment
    • Reference the certificate ARN from supported AWS services (ALB, NLB, API Gateway, CloudFront, etc.); ACM pushes renewed certificates to those resources without redeploying them
  4. Renewal
    • Public certs: ACM starts managed renewal 60 days before expiration; it completes without action only while the DNS validation CNAME still resolves
    • Private certs: certificates issued through ACM are renewed by ACM; certificates issued directly via the Private CA API are not tracked by ACM, you reissue them yourself
    • Imported certs: never renewed by ACM; re-import a fresh certificate before NotAfter
  5. Revocation / Deletion
    • Private: RevokeCertificate on the Private CA, which then shows up in the CRL / OCSP responder
    • Public: delete from ACM once no resource references it; revocation of a public ACM certificate goes through AWS Support, not the API
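The request-and-validate steps above, as an added example (not code from the original post): a pure helper turns a DescribeCertificate response into the Route 53 change batch, and a live wrapper strings request, CNAME publication and the ISSUED wait together. The DescribeCertificate sample is constructed; the domain, zone ID and tag values are placeholders, and the live function assumes credentials with acm:RequestCertificate, acm:DescribeCertificate and route53:ChangeResourceRecordSets.

```python
"""Request a DNS-validated ACM certificate and publish its validation CNAME.

Added example, not part of the original post. The SAMPLE_DESCRIPTION below is
a constructed, trimmed copy of what acm.describe_certificate() returns right
after a request; record names and values are placeholders.
"""
import time
from typing import Any, Dict, List


def validation_changes(description: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Build Route 53 UPSERTs for every pending DNS validation record.

    ACM issues the same CNAME for an apex name and its wildcard, so records are
    de-duplicated by name; an email-validated name has no record at all.
    """
    seen = set()
    changes: List[Dict[str, Any]] = []
    for opt in description["Certificate"].get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS":
            continue
        rr = opt.get("ResourceRecord")        # absent for a few seconds after the request
        if not rr or rr["Name"] in seen:
            continue
        seen.add(rr["Name"])
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],           # always CNAME for ACM validation
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return changes


# Constructed sample: twtechapp.com plus *.twtechapp.com, both pending.
SAMPLE_DESCRIPTION: Dict[str, Any] = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
        "DomainName": "twtechapp.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "twtechapp.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_abc123.twtechapp.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
            {"DomainName": "*.twtechapp.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_abc123.twtechapp.com.", "Type": "CNAME",  # same as apex
                                "Value": "_def456.acm-validations.aws."}},
        ],
    }
}


def request_and_validate(domain: str, hosted_zone_id: str, region: str) -> str:
    """Live lifecycle: request -> publish CNAME -> wait until ISSUED. Needs AWS credentials."""
    import boto3  # imported lazily so the helper above runs offline

    acm = boto3.client("acm", region_name=region)
    route53 = boto3.client("route53")
    arn = acm.request_certificate(
        DomainName=domain,
        SubjectAlternativeNames=[f"*.{domain}"],
        ValidationMethod="DNS",
        Tags=[{"Key": "Environment", "Value": "twtechProdValue"}],
    )["CertificateArn"]
    changes: List[Dict[str, Any]] = []
    for _ in range(12):                       # ResourceRecord appears shortly after the request
        changes = validation_changes(acm.describe_certificate(CertificateArn=arn))
        if changes:
            break
        time.sleep(5)
    route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id,
        ChangeBatch={"Comment": f"ACM validation for {arn}", "Changes": changes},
    )
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)
    return arn


if __name__ == "__main__":
    print(validation_changes(SAMPLE_DESCRIPTION))
```

Leave the CNAME in the zone after issuance: it is the same record ACM checks when it renews, and deleting it is the most common reason a "hands-off" public certificate silently stops renewing.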

 4. Architecture & Integrations

Public Certificate Architecture

  • Request in ACM → prove control with a Route 53 CNAME (or email) → Amazon Trust Services issues the certificate → reference the ARN from ALB / NLB / API Gateway / CloudFront → ACM renews and redeploys it without downtime.

Private PKI Architecture (with ACM PCA)

  • Root CA in AWS Private CA (kept out of day-to-day issuance) → subordinate issuing CA → ACM requests leaf certificates for AWS resources, while workloads that need their own keys (mTLS clients, IoT, VPN) call the Private CA API directly → revocation via a CRL in S3 or the managed OCSP responder.

Cross-Account Access

  • ACM certificates themselves cannot be shared across accounts, not through AWS RAM either; each account requests or imports its own certificate, in the region where it is used.
  • What twtech can share is the private CA: share it through AWS Resource Access Manager (RAM) from a central certificate/security account, and ACM in each consumer account issues certificates from it.
  • A central CA account is the common pattern in multi-account AWS Organizations setups.

 5. Integration Points

  • Elastic Load Balancer (ALB / NLB / Classic): attach the ACM certificate directly to an HTTPS or TLS listener; ACM-managed renewals are picked up automatically.
  • API Gateway: HTTPS custom domain via ACM. Regional endpoints need the certificate in the API's region; edge-optimized REST endpoints need it in us-east-1 because CloudFront fronts them.
  • CloudFront: ACM certificate from us-east-1 (N. Virginia) only, regardless of where viewers or origins are.
  • App Mesh / App Runner: App Mesh pulls TLS and mTLS certificates for mesh endpoints from AWS Private CA; App Runner provisions and renews the ACM certificate for a custom domain itself.
  • Elastic Beanstalk / ECS / EKS: TLS terminates on the ALB in front of the service; on EKS the AWS Load Balancer Controller selects the certificate from the alb.ingress.kubernetes.io/certificate-arn Ingress annotation.

 6. ACM Private CA

ACM Private CA, now branded AWS Private CA, is a managed private certificate authority service that lets you create and run private PKI hierarchies without operating CA servers or HSMs yourself.

Key Features

  • Hierarchical CA model (Root → Subordinate), with path-length constraints on subordinate CAs
  • Policy-based issuance (IAM policies, a resource-based policy on the CA, and the acm-pca:TemplateArn condition key)
  • Certificate templates (server, client auth, code signing, CA templates, and custom extensions via the API)
  • Audit logging via CloudTrail, plus a per-CA audit report of issued and revoked certificates
  • CRL (published to S3) and managed OCSP support for revocation

Use Cases

  • mTLS between microservices
  • Internal web apps
  • IoT device identity
  • VPN or IPsec tunnel auth

 7. Automation & Lifecycle Management

  • Request + Validate: AWS CLI, SDK, or CloudFormation (AWS::CertificateManager::Certificate; with a Route 53 HostedZoneId, CloudFormation creates the validation CNAME for you).
  • Rotation / Renewal: ACM-managed for Amazon-issued certificates; a DNS validation CNAME that stays in place is what makes it hands-off.
  • Monitoring Expiration: EventBridge + SNS. ACM emits an "ACM Certificate Approaching Expiration" event daily starting 45 days before expiry by default; the lead time is configurable per account (30 days is a common choice), and imported certificates are covered too.
  • Deployment: CloudFormation / Terraform; reference the certificate ARN from ALB listener, CloudFront or API Gateway resources.
  • Revocation: AWS Private CA API (RevokeCertificate), gated by IAM. Public ACM certificates cannot be revoked by the customer directly: delete and reissue, or contact AWS Support.
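The monitoring row above, as an added example that is not part of the original post: a triage rule set run over an ACM inventory (which certificates will renew themselves, which need a human) plus an offline check that an EventBridge pattern catches ACM's own expiry event. The certificate records and the event are constructed to mirror the documented field names; ARNs and dates are placeholders, and the two live functions at the end assume boto3 credentials with acm:ListCertificates, acm:DescribeCertificate and acm:PutAccountConfiguration.

```python
"""Expiry triage for an ACM inventory plus an EventBridge pattern check.

Added example, not code from the original post. SAMPLE_CERTS mirrors the shape
of acm.describe_certificate()['Certificate']; SAMPLE_EVENT mirrors ACM's
'ACM Certificate Approaching Expiration' event. Values are placeholders.
"""
import uuid
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

# EventBridge rule pattern for ACM's expiry notifications (default lead time 45 days).
EXPIRY_PATTERN: Dict[str, Any] = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
}


def matches(pattern: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Minimal EventBridge matcher: each pattern key must exist in the event and
    hold one of the listed literals; nested dicts recurse. Enough to test a rule
    offline, it does not implement prefix/numeric/anything-but filters."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def triage(cert: Dict[str, Any], now: datetime, warn_days: int = 30) -> str:
    """What an operator must do for one certificate.

    ACM never renews IMPORTED certs; EMAIL-validated certs renew only if the
    domain contact answers ACM's mail; RenewalEligibility=INELIGIBLE means ACM
    will not attempt renewal. Everything else is managed renewal, which starts
    60 days out, so a managed cert under the threshold means something is wrong.
    """
    days_left = (cert["NotAfter"] - now).days
    methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
    if cert["Type"] == "IMPORTED":
        return f"manual: re-import before expiry ({days_left}d left)"
    if "EMAIL" in methods:
        return f"manual: answer ACM renewal email ({days_left}d left)"
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        return f"manual: not eligible for managed renewal ({days_left}d left)"
    if days_left < warn_days:
        return f"investigate: managed renewal overdue ({days_left}d left)"
    return "ok: managed renewal"


NOW = datetime(2025, 10, 24, tzinfo=timezone.utc)   # constructed reference time
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"
SAMPLE_CERTS = [
    {"CertificateArn": ARN + "dns-ok", "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=200),
     "DomainValidationOptions": [{"DomainName": "twtechapp.com", "ValidationMethod": "DNS"}]},
    {"CertificateArn": ARN + "email", "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=20),
     "DomainValidationOptions": [{"DomainName": "mail.twtechapp.com", "ValidationMethod": "EMAIL"}]},
    {"CertificateArn": ARN + "imported", "Type": "IMPORTED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW + timedelta(days=10)},
    {"CertificateArn": ARN + "dns-stuck", "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=15),
     "DomainValidationOptions": [{"DomainName": "api.twtechapp.com", "ValidationMethod": "DNS"}]},
]
SAMPLE_EVENT = {
    "version": "0", "source": "aws.acm", "detail-type": "ACM Certificate Approaching Expiration",
    "region": "us-east-1", "account": "111122223333", "resources": [ARN + "dns-stuck"],
    "detail": {"DaysToExpiry": 15, "CommonName": "api.twtechapp.com", "CertificateType": "AMAZON_ISSUED"},
}
OTHER_EVENT = {"version": "0", "source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification"}


def scan_account(region: str) -> Dict[str, str]:
    """Live triage of every certificate in one region (ACM is regional)."""
    import boto3
    acm = boto3.client("acm", region_name=region)
    report: Dict[str, str] = {}
    for page in acm.get_paginator("list_certificates").paginate():
        for summary in page["CertificateSummaryList"]:
            cert = acm.describe_certificate(CertificateArn=summary["CertificateArn"])["Certificate"]
            report[cert["CertificateArn"]] = triage(cert, datetime.now(timezone.utc))
    return report


def set_expiry_lead_time(region: str, days: int = 30) -> None:
    """Move ACM's expiry event from the 45-day default to `days` before expiry."""
    import boto3
    boto3.client("acm", region_name=region).put_account_configuration(
        ExpiryEvents={"DaysBeforeExpiry": days}, IdempotencyToken=uuid.uuid4().hex)


if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(c["CertificateArn"].rsplit("/", 1)[1], "->", triage(c, NOW))
    print("event matched:", matches(EXPIRY_PATTERN, SAMPLE_EVENT))
```

Run scan_account per region you use; a certificate that is eligible, DNS-validated and still inside the warning window is almost always a deleted validation CNAME or a domain that changed hosting, and that is the case the event alone will not explain.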

 8. Security & Compliance

  • Key storage: ACM encrypts the private keys of the certificates it holds with an AWS-owned KMS key; AWS Private CA keeps CA private keys in FIPS 140-2 Level 3 validated HSMs and never exports them.
  • Logging: CloudTrail records every ACM and Private CA API call (RequestCertificate, ImportCertificate, ExportCertificate, IssueCertificate, RevokeCertificate, ...).
  • Least Privilege: limit who can request, import, export and issue via IAM; on a private CA, a resource-based policy combined with the acm-pca:TemplateArn condition key restricts which templates a principal may issue (end-entity only, never a CA template).
  • CRL / OCSP: revocation lists and the OCSP responder are run by AWS Private CA once enabled on the CA; the CRL lands in an S3 bucket you control.
  • FIPS compliance: the HSMs backing Private CA keys are FIPS 140-2 Level 3 validated, and ACM and Private CA expose FIPS endpoints in supported regions.
  • Private Key Access: the private key of an ACM-managed public certificate never leaves ACM unless you explicitly request an exportable certificate; private certificates issued through ACM can be exported (passphrase-protected) with ExportCertificate, which is an IAM-gated and CloudTrail-logged action.

 9. Multi-Account / Multi-Region Strategy

  • Central CA Account: run the root and issuing CAs in a dedicated security account; other accounts never hold CA keys, they only request leaf certificates.
  • RAM Sharing: share the private CA with organization accounts through AWS RAM and attach a resource-based policy that limits them to end-entity templates; ACM in the consumer account then issues private certificates from the shared CA.
  • Multi-Region ACM: certificates are regional resources and cannot be copied between regions; request (or import) one per region where an ALB, NLB or regional API endpoint needs it. The same domain can have a certificate in every region.
  • CloudFront + ACM: always request the certificate in us-east-1; CloudFront reads certificates only from that region, whatever the distribution's viewer locations.
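The Central CA Account and RAM Sharing patterns above (and the cross-account note in section 4), as an added example that is not code from the original post: a builder for the CA resource-based policy that lets named accounts read the CA and issue only end-entity certificates, an offline check of what that policy permits, and the live PutPolicy plus RAM share call. The CA ARN and account IDs are placeholders; the live function assumes credentials in the CA-owning account with acm-pca:PutPolicy and ram:CreateResourceShare.

```python
"""Share an AWS Private CA with other accounts and scope what they may issue.

Added example, not part of the original post. Cross-account issuance via ACM
needs both a RAM share of the CA and a resource-based policy on the CA;
the template condition is what stops a consumer account from minting a
subordinate CA. ARNs and account IDs below are placeholders.
"""
import json
from typing import Any, Dict, List

END_ENTITY_TEMPLATE = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
SUB_CA_TEMPLATE = "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"
READ_ACTIONS = [
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:GetCertificate",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:ListPermissions",
    "acm-pca:ListTags",
]


def ca_resource_policy(ca_arn: str, account_ids: List[str],
                       template_arn: str = END_ENTITY_TEMPLATE) -> Dict[str, Any]:
    """Resource policy: consumers may read the CA and issue one template only."""
    principals = [f"arn:aws:iam::{acct}:root" for acct in account_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadCa", "Effect": "Allow", "Principal": {"AWS": principals},
             "Action": READ_ACTIONS, "Resource": ca_arn},
            {"Sid": "IssueEndEntityOnly", "Effect": "Allow", "Principal": {"AWS": principals},
             "Action": "acm-pca:IssueCertificate", "Resource": ca_arn,
             # Without this condition a consumer could issue a CA certificate.
             "Condition": {"StringEquals": {"acm-pca:TemplateArn": template_arn}}},
        ],
    }


def policy_allows_issue(policy: Dict[str, Any], account_id: str, template_arn: str) -> bool:
    """Offline check: does `account_id` get IssueCertificate with `template_arn`?
    Mirrors how the StringEquals condition is evaluated; not a full IAM simulator."""
    principal = f"arn:aws:iam::{account_id}:root"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Allow" or "acm-pca:IssueCertificate" not in actions:
            continue
        if principal not in st["Principal"].get("AWS", []):
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if "acm-pca:TemplateArn" in cond and cond["acm-pca:TemplateArn"] != template_arn:
            continue
        return True
    return False


def share_ca(ca_arn: str, account_ids: List[str], region: str) -> str:
    """Live: attach the policy, then share the CA via RAM. Returns the share ARN."""
    import boto3
    pca = boto3.client("acm-pca", region_name=region)
    ram = boto3.client("ram", region_name=region)
    pca.put_policy(ResourceArn=ca_arn, Policy=json.dumps(ca_resource_policy(ca_arn, account_ids)))
    share = ram.create_resource_share(
        name="twtech-private-ca",
        resourceArns=[ca_arn],
        principals=account_ids,
        allowExternalPrincipals=False,      # organization accounts only
    )
    return share["resourceShare"]["resourceShareArn"]


if __name__ == "__main__":
    demo = ca_resource_policy(
        "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE", ["444455556666"])
    print(json.dumps(demo, indent=2))
    print("consumer may issue sub-CA:", policy_allows_issue(demo, "444455556666", SUB_CA_TEMPLATE))
```

After the share is accepted, the consumer account requests a private certificate with acm request-certificate --certificate-authority-arn (the shared CA's ARN); ACM in that account is what calls IssueCertificate, so the template condition is enforced on every request it makes.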

 10. CloudFormation sample

# yaml
Resources:
  MyPublicCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: twtechapp.com
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: twtechapp.com
          HostedZoneId: Z123ABCXYZ     # Route53 Zone ID; CloudFormation writes the validation CNAME here
      Tags:
        - Key: Environment
          Value: twtechProdValue
# Stack creation blocks until the certificate is ISSUED. For CloudFront, deploy this stack in us-east-1.

11. Best Practices

  1. Use DNS validation and leave the CNAME in place so renewals stay automatic.
  2. Centralize AWS Private CA in a dedicated "security" account and share it via RAM.
  3. Automate requests and deployments via CloudFormation or Terraform; never hand-install keys on hosts.
  4. Enable CRLs and OCSP on private CAs before issuing, so revocation works from day one.
  5. Rotate imported certs manually before expiration; ACM never renews them.
  6. Use EventBridge rules on ACM's expiry events (45-day default lead time, tune per account) to alert before expiry.
  7. Audit issuance, export and revocation with CloudTrail logs.
  8. Tag certificates for ownership and lifecycle tracking.

 12. Cost Model

  • Public ACM Certificates: free when used with integrated AWS services; exportable public certificates are charged per certificate.
  • AWS Private CA: $400/month per general-purpose CA ($50/month for a short-lived certificate mode CA), plus per-certificate fees that step down with monthly volume: $0.75 each for the first 1,000, $0.35 for the next 9,000, $0.001 beyond that.
  • Private Certificate Renewal: a renewal is a new issuance and is billed as one.
  • OCSP / CRL Requests: no additional Private CA charge; CRLs are written to an S3 bucket you own, so standard S3 storage and request pricing applies.

