Sunday, October 26, 2025

AWS Certificate Manager (ACM) integration with Amazon API Gateway | Overview.




Scope:

  • Intro,
  • Integration Requirements,
  • Setup Steps,
  • Key Considerations,
  • ACM Integration with API Gateway (Deep Dive),
  • Core Integration Concept,
  • How Integration Works (Step-by-Step) Deep dive,
  • Architecture Overview,
  • Automation with CloudFormation (Sample Regional API Gateway with ACM Certificate Route 53 alias),
  • Automation & Lifecycle,
  • Security Considerations,
  • Cross-Account & Multi-Region Patterns (Use cases, Approach & Key Details),
  • Integration Table (deep dive),
  • Best Practices.

Intro:

    • Integrating AWS Certificate Manager (ACM) with Amazon API Gateway allows twtech to use a custom domain name (e.g., api.twtechapp.com) with its APIs instead of the default, auto-generated execute-api endpoint provided by AWS.
Integration Requirements
The Region in which twtech's ACM certificate must be placed depends on the API's endpoint configuration:
    • Regional Endpoints: The ACM certificate must be in the same AWS Region as twtech API Gateway.
    • Edge-optimized Endpoints: The ACM certificate must be in the us-east-1 (N. Virginia) Region, regardless of where twtech API is located.

Setup Steps

    • Request or Import Certificate: Use the AWS Certificate Manager Console to request a public certificate for twtech domain or import an existing one.
    • Validate Domain: Complete domain ownership validation (DNS or email) through ACM.
    • Create Custom Domain Name: In the API Gateway Console, twtech navigates to Custom domain names and chooses Create.
      • twtech selects the appropriate Endpoint type (Regional or Edge-optimized) and chooses its ACM certificate from the dropdown.
    • Configure API Mappings: Link specific API stages (e.g., prod or dev) to twtech custom domain or sub-paths within it.
    • Update DNS Records: Create a CNAME or Alias record in twtech DNS provider (like Amazon Route 53) that points twtech custom domain (twtechapp.com) to the domain name API Gateway generated for it.
Key Considerations
    • Automatic Renewal: Public certificates requested through ACM are free and renew automatically if DNS validation is used.
    • Private APIs: To use a custom domain (twtechapp.com) for a private API, twtech must associate its VPC endpoint with the custom domain name.
    • Mutual TLS (mTLS): If twtech requires mTLS, it must provide a truststore in Amazon S3 containing the certificate authority chain.

ACM Integration with API Gateway (Deep Dive)

    • Amazon API Gateway supports custom domain names for REST APIs, HTTP APIs, and WebSocket APIs.
    • These custom domains use SSL/TLS certificates provisioned and managed by AWS Certificate Manager (ACM) to secure HTTPS communication between clients and twtech API.

Core Integration Concept

    • When twtech configures a custom domain name in API Gateway, it attaches an ACM certificate to that domain.
This enables:

    • HTTPS endpoint for twtech API
    • Secure TLS termination (encryption in transit) at API Gateway (or at CloudFront for edge-optimized endpoints)
    • Automatic certificate renewal (for ACM-managed certs)

How Integration Works (Step-by-Step) Deep dive.

1. Certificate Provisioning (ACM) - twtech can use ACM to:

    • Request a public certificate (validated via DNS or email).
    • Import an existing certificate (for external CAs or private certificates).
    • Issue a private certificate (via ACM Private CA for internal APIs).

2. API Gateway Custom Domain Configuration - in API Gateway:

    • Create a Custom Domain Name.
    • Choose endpoint type: Edge-Optimized, Regional, or Private.
    • Attach the ACM certificate (it must be in the same Region as the API, except for Edge-Optimized, which requires us-east-1).

3. Base Path Mapping (twtech maps API stages to a path on the custom domain, so clients can use):

https://api.twtechapp.com/v1/

instead of the default:

https://abcdefghij.execute-api.us-east-1.amazonaws.com/prod

4. DNS Configuration (Route 53) - create an Alias record in Route 53:

    • The alias target is the domain name API Gateway generated for the custom domain.
    • For Edge-Optimized: the CloudFront distribution name (created by API Gateway).
    • For Regional: the regional domain name (e.g., twtechDN-abc123.execute-api.us-east-1.amazonaws.com).
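The four steps above come down to two decisions that are easy to get wrong: which Region the certificate has to live in for a given endpoint type, and which API Gateway-generated hostname and hosted zone the Route 53 alias must target. The following is an added example (my own code, not from the original post) that encodes both rules as plain functions. It assumes a dict shaped like the API Gateway GetDomainName response (domainName, endpointConfiguration, regionalDomainName/regionalHostedZoneId for Regional and Private, distributionDomainName/distributionHostedZoneId for Edge-optimized); every account ID, certificate ID, hostname and hosted zone ID below is a constructed placeholder.

```python
"""Added example (not from the original post): apply the certificate-placement
rule for an API Gateway custom domain and build the Route 53 alias record that
points the domain at the endpoint.

Assumptions: `domain` mirrors the shape of the API Gateway GetDomainName
response. All sample values are constructed; hosted zone IDs are placeholders.
"""


def arn_region(cert_arn: str) -> str:
    """Return the Region embedded in an ACM certificate ARN.

    ACM ARNs have the form arn:<partition>:acm:<region>:<account>:certificate/<id>.
    """
    parts = cert_arn.split(":")
    if len(parts) < 6 or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {cert_arn}")
    return parts[3]


def placement_problem(endpoint_type: str, cert_arn: str, api_region: str):
    """Check the placement rule and return a problem description, or None.

    EDGE (edge-optimized) domains are fronted by CloudFront, so the certificate
    must live in us-east-1 whatever Region the API is in. REGIONAL and PRIVATE
    domains terminate TLS in the API's own Region, so the certificate must be there.
    """
    required = "us-east-1" if endpoint_type == "EDGE" else api_region
    actual = arn_region(cert_arn)
    if actual == required:
        return None
    return (f"{endpoint_type} custom domain for an API in {api_region} needs a "
            f"certificate in {required}, but {cert_arn} is in {actual}")


def alias_change_batch(domain: dict) -> dict:
    """Build the Route 53 ChangeBatch for the A alias record.

    For EDGE the alias target is the CloudFront distribution API Gateway created;
    for REGIONAL and PRIVATE it is the regional endpoint hostname. Route 53 needs
    the hosted zone ID of the *target*, which GetDomainName also returns.
    """
    if "EDGE" in domain["endpointConfiguration"]["types"]:
        target, zone = domain["distributionDomainName"], domain["distributionHostedZoneId"]
    else:
        target, zone = domain["regionalDomainName"], domain["regionalHostedZoneId"]
    return {
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": domain["domainName"],
                "Type": "A",
                "AliasTarget": {
                    "DNSName": target,
                    "HostedZoneId": zone,
                    "EvaluateTargetHealth": False,
                },
            },
        }]
    }


# Constructed samples (placeholder account, certificate IDs and zone IDs).
REGIONAL_DOMAIN = {
    "domainName": "api.twtechapp.com",
    "regionalCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/11111111-2222-3333-4444-555555555555",
    "regionalDomainName": "d-abc123.execute-api.us-east-1.amazonaws.com",
    "regionalHostedZoneId": "ZREGIONALPLACEHOLDER",
    "endpointConfiguration": {"types": ["REGIONAL"]},
}

EDGE_DOMAIN = {
    "domainName": "edge.twtechapp.com",
    "certificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/66666666-7777-8888-9999-000000000000",
    "distributionDomainName": "d111111abcdef8.cloudfront.net",
    "distributionHostedZoneId": "ZCLOUDFRONTPLACEHOLDER",
    "endpointConfiguration": {"types": ["EDGE"]},
}

if __name__ == "__main__":
    # REGIONAL domain for an API in us-east-1: placement is fine (prints None).
    print(placement_problem("REGIONAL", REGIONAL_DOMAIN["regionalCertificateArn"], "us-east-1"))
    # The same certificate for an API in eu-west-1 is rejected.
    print(placement_problem("REGIONAL", REGIONAL_DOMAIN["regionalCertificateArn"], "eu-west-1"))
    # EDGE: a us-east-1 certificate is required even though the API is in eu-west-1.
    print(placement_problem("EDGE", EDGE_DOMAIN["certificateArn"], "eu-west-1"))
    print(alias_change_batch(REGIONAL_DOMAIN)["Changes"][0]["ResourceRecordSet"]["AliasTarget"])
```

In a real pipeline the `domain` dict would come from `aws apigateway get-domain-name` (or the boto3 equivalent) and the ChangeBatch would be handed to Route 53 `change-resource-record-sets`; keeping the two rules as pure functions means they can be unit-tested without touching AWS.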

Architecture Overview

A. Edge-Optimized (Global Clients)

B. Regional (Controlled Access)

C. Private (Internal APIs)


Automation with CloudFormation (Sample Regional API Gateway with ACM Certificate + Route 53 alias)

Automation-with-CloudFormation.yaml

Parameters:
  # The REST API being mapped is created elsewhere; its ID is passed in at deploy time.
  twtechRestApi:
    Type: String
    Description: ID of the existing REST API whose prod stage is mapped to the custom domain

Resources:
  # Public certificate, validated automatically through the Route 53 hosted zone.
  twtechCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: api.twtechapp.com
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: api.twtechapp.com
          HostedZoneId: Z123456789ABC

  # Regional custom domain: the certificate must be in the same Region as this stack.
  twtechCustomDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: api.twtechapp.com
      RegionalCertificateArn: !Ref twtechCertificate
      EndpointConfiguration:
        Types: [REGIONAL]

  # Maps the prod stage to the root path of the custom domain.
  twtechBasePathMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref twtechCustomDomain
      RestApiId: !Ref twtechRestApi
      Stage: prod

  # Alias record pointing the custom domain at the regional API Gateway endpoint.
  twtechDNSRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: Z123456789ABC
      Name: api.twtechapp.com
      Type: A
      AliasTarget:
        DNSName: !GetAtt twtechCustomDomain.RegionalDomainName
        HostedZoneId: !GetAtt twtechCustomDomain.RegionalHostedZoneId

Table for Automation & Lifecycle (stages, automation mechanism & tools)

Stage               | Automation Mechanism                        | Tool
Certificate Request | ACM (via CloudFormation/CDK)                | AWS::CertificateManager::Certificate
Validation          | Route 53 automation (DNS validation)        | Route 53
Renewal             | Automatic (ACM-managed)                     | ACM
Deployment          | API Gateway custom domain + BasePathMapping | CloudFormation / CDK
Rotation            | Automatic (if ACM-managed)                  | ACM

Security Considerations

    • Use ACM-managed certificates for automatic renewal.
    • Store private certs securely in ACM; never hardcode keys.
    • Use AWS WAF or Shield with public APIs.
    • Enforce TLS 1.2+ security policies in API Gateway.
    • Implement least-privilege IAM for certificate access (e.g., grant only acm:DescribeCertificate and acm:ListCertificates where read access is all that is needed).
    • For private APIs, use ACM Private CA and VPC-only access.

Cross-Account & Multi-Region Patterns (Use cases, Approach & Key Details)

Use Case                           | Approach                                                               | Key Detail
Multi-account API Gateway          | Share ACM certs via Resource Access Manager (RAM)                      | Certificate must be in same Region
Multi-region deployment            | Request/import certs in each Region                                    | Automate via CloudFormation StackSets
Hybrid model (public + private APIs) | Use ACM public cert for public domain, ACM Private CA cert for internal domain | Separate Route 53 zones

Integration Table (deep dive)

API Gateway Endpoint Type | ACM Certificate Location  | Route 53 Integration            | Certificate Type
Edge-Optimized            | us-east-1 only            | Alias CloudFront (auto-created) | Public ACM
Regional                  | Same Region as API        | Alias Regional API endpoint     | Public ACM
Private                   | Same Region, internal PKI | Private Hosted Zone             | ACM Private CA

Best Practices

    • Use DNS validation for automation.
    • Use CloudFormation or Cloud Development Kit (CDK) for certificate + API domain automation.
    • Monitor certificate expiry with ACM events + CloudWatch Alarms.
    • Keep consistent naming conventions for domain mappings.
    • Apply AWS WAF and API Gateway logging at all entry points.
    • Use private hosted zones for internal-only endpoints.
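The "monitor certificate expiry with ACM events + CloudWatch Alarms" practice above is worth more than a one-line alarm, because the right response differs by certificate type: an imported certificate never renews on its own, while an ACM-managed one only renews while it is still in use and its DNS validation records exist. The following is an added example (my own code, not from the original post) of the triage logic a small Lambda behind an EventBridge rule could run before raising an alarm. The event field names (source "aws.acm", detail-type "ACM Certificate Approaching Expiration", detail keys DaysToExpiry, CommonName, CertificateType, InUse, RenewalEligibility) are assumptions modeled on the ACM expiry event and should be confirmed against the current ACM documentation; the sample events, thresholds and recommended actions are constructed for this example.

```python
"""Added example (not from the original post): triage an ACM
"Certificate Approaching Expiration" event before alerting.

Assumptions: event field names modeled on the ACM expiry event (verify
against the ACM docs); sample events, thresholds and actions are constructed.
"""
import json

EXPIRY_SOURCE = "aws.acm"
EXPIRY_DETAIL_TYPE = "ACM Certificate Approaching Expiration"
WARN_DAYS = 30      # example threshold: warn with a month left
CRITICAL_DAYS = 7   # example threshold: page with a week left

# EventBridge rule pattern that selects only these events (constructed).
EVENT_PATTERN = {"source": [EXPIRY_SOURCE], "detail-type": [EXPIRY_DETAIL_TYPE]}


def matches_pattern(event: dict) -> bool:
    """Mirror the rule pattern above so stray events are ignored."""
    return (event.get("source") in EVENT_PATTERN["source"]
            and event.get("detail-type") in EVENT_PATTERN["detail-type"])


def triage(event: dict) -> dict:
    """Turn an expiry event into an alert decision with a recommended action.

    ACM-managed (AMAZON_ISSUED) certificates renew on their own only while they
    are in use and still DNS-validatable; an imported certificate never renews
    automatically, so the action differs by type.
    """
    if not matches_pattern(event):
        return {"alert": False, "reason": "not an ACM expiry event"}
    d = event["detail"]
    days = int(d["DaysToExpiry"])
    managed = d.get("CertificateType") == "AMAZON_ISSUED"

    if days <= CRITICAL_DAYS:
        severity = "critical"
    elif days <= WARN_DAYS:
        severity = "warning"
    else:
        severity = "info"

    if not managed:
        action = "imported certificate: obtain a new one and re-import it into ACM"
    elif d.get("RenewalEligibility") != "ELIGIBLE" or not d.get("InUse", False):
        action = ("managed certificate cannot auto-renew: confirm it is attached to "
                  "a resource and its DNS validation records still exist")
    else:
        action = "managed and renewable: verify renewal progress with DescribeCertificate (RenewalSummary)"

    return {
        "alert": severity != "info",
        "severity": severity,
        "certificate_arn": event["resources"][0],
        "common_name": d.get("CommonName"),
        "days_to_expiry": days,
        "action": action,
    }


def handler(event, context=None):
    """Lambda-style entry point: log the decision as JSON and return it."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision


# Constructed sample events (placeholder account and certificate IDs).
IMPORTED_SOON = {
    "source": "aws.acm",
    "detail-type": "ACM Certificate Approaching Expiration",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:111122223333:certificate/aaaaaaaa-0000-0000-0000-000000000001"],
    "detail": {
        "DaysToExpiry": 5,
        "CommonName": "api.twtechapp.com",
        "CertificateType": "IMPORTED",
        "InUse": True,
        "RenewalEligibility": "INELIGIBLE",
    },
}

MANAGED_DETACHED = {
    "source": "aws.acm",
    "detail-type": "ACM Certificate Approaching Expiration",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:111122223333:certificate/aaaaaaaa-0000-0000-0000-000000000002"],
    "detail": {
        "DaysToExpiry": 21,
        "CommonName": "old.twtechapp.com",
        "CertificateType": "AMAZON_ISSUED",
        "InUse": False,
        "RenewalEligibility": "INELIGIBLE",
    },
}

if __name__ == "__main__":
    handler(IMPORTED_SOON)
    handler(MANAGED_DETACHED)
```

The returned `severity` is what you would feed into a CloudWatch metric or alarm; the `action` string is what belongs in the notification so the on-call engineer does not have to work out from the ARN alone whether ACM will handle the renewal or a human must.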


