Certificate management concepts in AWS - SEC205 - New York AWS Summit

In this session, learn about the encryption and certificate management services that AWS offers. You also get to see a few demonstrations of how you can leverage these services on AWS to protect data at rest and data in transit.

  1. Certificate management concepts in AWS (SEC205), AWS Summit. Ram Ramani, Security Specialist, AWS; Anthony Pasquariello, Solutions Architect, AWS. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
  2. Agenda
     • AWS Certificate Manager (ACM) public certificates
     • ACM Private Certificate Authority (CA)
     • New feature – root CA hierarchies
     • Use cases
     • Demonstration
     • Planning CA deployment
     • Best practices
     • Questions & answers
  3. AWS Certificate Manager (ACM)
     ACM makes it easy to provision, manage, deploy, and renew TLS/SSL certificates on the AWS Cloud.
  4. Example: ACM with Elastic Load Balancing (ELB)
     • Public certificates requested with ACM
     • Deployed on ELB
     • ACM manages renewal and deployment
     Diagram: users and devices open a secure TLS/SSL connection to instances in the AWS Cloud; the public TLS server certificate on the load balancer is issued by the Amazon public CA through ACM.
  5. Accessing private web applications in your intranet
     Diagram: users in a corporate data center reach websites hosted in VPCs over VPN or AWS Direct Connect.
  6. ACM Private CA
     Secure and managed private CA service: manage certificates centrally, enable developer agility, pay-as-you-go pricing, flexibility to customize private certificates, subordinate CAs.
  7. Root CA hierarchies for ACM Private CA
     Root CA and complete CA hierarchies: CA administrators can now create a complete CA hierarchy, including root and subordinate CAs, with no need for external CAs.
  8. Before ACM Private CA hierarchies
     Subordinate issuing CA with existing (external) intermediate and root CA. Issuing CA used for bulk issuance of end-entity certificates.
     Diagram: the existing CA infrastructure (root CA with its root CA certificate, intermediate CA with its intermediate CA certificate) receives a certificate signing request from the issuing CA and returns the signed CA certificate; the issuing CA then issues end-entity certificates.
  9. ACM Private CA hierarchies
     • Complete CA hierarchy, including root CA
     • Third-party external CA is now optional
     Diagram: root CA, intermediate CA and issuing CA all within ACM Private CA; the issuing CA's certificate signing request is signed inside the hierarchy, and the issuing CA issues end-entity certificates.
  10. Why create a CA hierarchy?
     • Restrict access to the root CA
     • Grant more permissive access to subordinate CAs
     • Delegate subordinate CAs for different applications/groups
     • Audit and generate alarms for every certificate issued by root
     • Audit random samples of bulk certificates issued by subordinates
  11. What can end-entity certificates identify?
     • TLS endpoints and resources (e.g., any HTTPS application)
     • IPsec VPN endpoints
     • Dynamic cloud resources
     • IoT devices
  12. Use cases
     • Replace software/server-based CAs
     • Replace offline root CA
     • Complement an existing root CA
     Identify cloud resources for dev/test/production with a cloud-hosted CA infrastructure and APIs.
  13. (No text on this slide.)
  14. CA hierarchy in organizations
     Diagram: root CA, subordinate CA, certificates.
  15. Diagram (demo): an Application Load Balancer (ALB) serving https://alb.acm-demo.com invokes AWS Lambda, which returns <html>…</html>; the ALB's certificate is issued by ACM Private CA.
  16. (No text on this slide.)
  17. CA configuration
     When you create a CA, think about:
     • Key types and sizes: RSA 2048, RSA 4096, ECDSA P256, ECDSA P384
     • Revocation configuration
     • AWS CloudTrail logging of API calls
     • Amazon CloudWatch metrics – alarms and notifications
     • Audit reporting
     • Access policies
     • CA lifecycle management
  18. (No text on this slide.)
  19. Offline vs. online root CA
     Offline CA – physical HSM, network-disconnected, stored in a vault (typically):
     • Physical access controls and isolation
     • One or more operators open the vault
     • Perform signing ceremony to use the CA
     • No network access
     Online CA:
     • Logical access controls and isolation
     • Faster signing (important if a CA certificate expires)
     • Easier management
     • Doesn't require physical presence
     Best choice depends on your requirements and internal policies.
  20. Logical access controls and isolation
     • Account separation
     • Access controls
       • IAM-managed policies
       • Disable CA creation by default
       • Custom policies for two-person control
     • Auditing and logging
       • Alarm on certificate issuance for root CAs
       • Careful review of each certificate issued by root and other top-level CAs
  21. PrivilegedUser managed policy
     The two IssueCertificate statements from the slide (shown here inside a complete policy document). The Allow statement permits acm-pca:IssueCertificate only when the request uses a CA certificate template; the Deny statement explicitly refuses acm-pca:IssueCertificate with any other template, so a holder of this policy can sign CA certificates for subordinates but cannot issue end-entity certificates.

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Action": ["acm-pca:IssueCertificate"],
           "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
           "Condition": {
             "StringLike": {
               "acm-pca:TemplateArn": ["arn:aws:acm-pca:::template/*CACertificate*/V*"]
             }
           }
         },
         {
           "Effect": "Deny",
           "Action": ["acm-pca:IssueCertificate"],
           "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*",
           "Condition": {
             "StringNotLike": {
               "acm-pca:TemplateArn": ["arn:aws:acm-pca:::template/*CACertificate*/V*"]
             }
           }
         }
       ]
     }
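To see what the PrivilegedUser policy on slide 21 actually permits, here is an added Python model (not from the slides, and not AWS code) that evaluates its two statements against a request the way IAM does, with an explicit Deny overriding an Allow. The template names are the real ACM Private CA templates; the CA ARN, region and account id are constructed placeholders.

```python
from fnmatch import fnmatchcase

ANY_CA = "arn:aws:acm-pca:*:*:certificate-authority/*"
CA_TEMPLATES = "arn:aws:acm-pca:::template/*CACertificate*/V*"

# The two statements from the slide, reduced to the fields the evaluator needs.
POLICY = [
    {"Effect": "Allow", "Action": "acm-pca:IssueCertificate", "Resource": ANY_CA,
     "Condition": ("StringLike", "acm-pca:TemplateArn", CA_TEMPLATES)},
    {"Effect": "Deny", "Action": "acm-pca:IssueCertificate", "Resource": ANY_CA,
     "Condition": ("StringNotLike", "acm-pca:TemplateArn", CA_TEMPLATES)},
]


def condition_holds(operator: str, pattern: str, value: str) -> bool:
    """IAM StringLike / StringNotLike: case-sensitive, '*' and '?' wildcards."""
    matched = fnmatchcase(value, pattern)
    return matched if operator == "StringLike" else not matched


def evaluate(action: str, resource: str, context: dict) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'; assumes every condition key is present."""
    decision = "ImplicitDeny"
    for stmt in POLICY:
        if stmt["Action"] != action or not fnmatchcase(resource, stmt["Resource"]):
            continue
        operator, key, pattern = stmt["Condition"]
        if not condition_holds(operator, pattern, context[key]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny overrides any allow
        decision = "Allow"
    return decision


# Real ACM Private CA template names; the CA ARN is a constructed placeholder.
TEMPLATE = "arn:aws:acm-pca:::template/{}/V1"
DEMO_CA = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-CA-ID"


def issue_decision(template_name: str, ca_arn: str = DEMO_CA) -> str:
    return evaluate("acm-pca:IssueCertificate", ca_arn,
                    {"acm-pca:TemplateArn": TEMPLATE.format(template_name)})


if __name__ == "__main__":
    for name in ("RootCACertificate", "SubordinateCACertificate_PathLen0",
                 "EndEntityCertificate"):
        print(f"{name:36s} -> {issue_decision(name)}")
```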
  22. CA hierarchy
     • Use path length constraint to limit CA height
     • Reduce height when possible
     • Shorter chains reduce processing overhead
     • Use minimum tree height that meets your goal
  23. Choosing CA validity period
     Issuing CA validity period must be >= the lifetime of issued certificates.
     Diagram: timelines for the root CA, the issuing CA and the end-entity certificate, marking the points at which each is replaced.
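An added planning check (not from the slides) for the two rules on slides 22 and 23: a CA's path length constraint must leave room for the CA levels beneath it, and no certificate may outlive its issuer. The three-level hierarchy it builds is constructed sample data that deliberately breaks both rules, and `template_for` maps a subordinate's chosen path length to the matching ACM Private CA template name.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Cert:
    name: str
    not_after: date
    path_len: int | None = None   # None = end-entity; otherwise the CA's pathLen constraint
    children: list[Cert] = field(default_factory=list)

    def ca_depth(self) -> int:
        """Number of CA levels beneath this CA (0 if it only issues end-entity certs)."""
        sub_cas = [c for c in self.children if c.path_len is not None]
        return 0 if not sub_cas else 1 + max(c.ca_depth() for c in sub_cas)


def template_for(cert: Cert) -> str:
    """ACM Private CA template that encodes a subordinate's path length (or a leaf)."""
    if cert.path_len is None:
        return "EndEntityCertificate/V1"
    if not 0 <= cert.path_len <= 3:
        raise ValueError("ACM Private CA subordinate CA templates cover PathLen0..PathLen3")
    return f"SubordinateCACertificate_PathLen{cert.path_len}/V1"


def check_hierarchy(ca: Cert) -> list[str]:
    """Return every rule violation at `ca` or below; an empty list means the plan is sound."""
    problems: list[str] = []
    if ca.path_len is not None and ca.ca_depth() > ca.path_len:
        problems.append(f"{ca.name}: pathLen {ca.path_len} but {ca.ca_depth()} CA levels below it")
    for child in ca.children:
        if child.not_after > ca.not_after:   # an issued certificate must not outlive its issuer
            problems.append(f"{child.name} expires {child.not_after}, after issuer {ca.name}")
        problems.extend(check_hierarchy(child))
    return problems


def demo_hierarchy() -> Cert:
    # Constructed sample dates and names; the plan deliberately violates both rules.
    leaves = [Cert("alb.acm-demo.com", date(2021, 6, 1)),
              Cert("lambda.acm-demo.com", date(2025, 1, 1))]      # outlives the issuing CA
    issuing = Cert("Issuing CA", date(2024, 6, 1), path_len=0, children=leaves)
    inter = Cert("Intermediate CA", date(2027, 6, 1), path_len=0, children=[issuing])  # PathLen0, yet has a sub CA
    return Cert("Root CA", date(2029, 6, 1), path_len=1, children=[inter])   # pathLen 1, but 2 CA levels below


if __name__ == "__main__":
    for problem in check_hierarchy(demo_hierarchy()):
        print(problem)
```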
  24. Operations
     • Distributing root certificates/keys to trust stores
     • Revocation and vending status information
     • Redundancy/disaster recovery
  25. (No text on this slide.)
  26. Thank you!