AWS Certificate Manager (ACM) is the AWS service for managing certificates. It allows you to perform the following primary tasks:
Request a certificate: This option allows you to request a public certificate from Amazon. If you have configured your AWS account with your organization’s CA, you can also request a private certificate from your CA.
Import a certificate: If you have a certificate that was created with a non-AWS CA, you can import that certificate into AWS.
Create a private certificate: Private certificates are typically used to secure the AWS services and resources within your own AWS infrastructure; this option lets you issue one from your private CA.
A key difference between a public certificate and a private certificate is that public certificates are normally trusted automatically by applications because these applications also trust the public CA. Private certificates are not normally automatically trusted, requiring manual configuration on the application side.
Several AWS services can make use of ACM certificates, including the following:
Elastic Load Balancing
Amazon CloudFront
Amazon API Gateway
AWS Elastic Beanstalk
AWS CloudFormation
AWS App Runner
AWS Nitro Enclaves
ACM certificates are also often used with applications, like web servers, that you deploy on EC2 instances and containers.
ACM certificates are regional resources and must be imported into each region in which they are used.
“Three may keep a secret, if two of them are dead.”
—Benjamin Franklin, Poor Richard’s Almanack
While a bit dramatic, this quote from hundreds of years ago illustrates that the importance of keeping a secret can’t be overstated. AWS Secrets Manager is designed to store and manage credential data. This covers several different credential types, including credentials for the following AWS services:
AWS RDS databases
AWS DocumentDB databases
AWS Redshift clusters
The AWS Secrets Manager can also be used to manage other types of credentials that are not directly associated with AWS. This includes the following:
Non-AWS databases, including MariaDB, MySQL, PostgreSQL, Oracle database, and Microsoft SQL Server
Application programming interface (API) keys
OAuth tokens
Secure Shell (SSH) keys
You can enable access to secrets by creating an IAM policy that permits an application or resource to access the secret. The application then retrieves the secret value through the Secrets Manager API.
The AWS Secrets Manager works with encryption keys provided by the AWS Key Management Service to ensure the security of the secrets by encrypting them at rest. You can also configure the AWS Secrets Manager to rotate secrets to provide better security.
By default, secrets are region-based resources. AWS provides a feature called multi-region secrets to allow you to replicate secrets across multiple regions. This feature also allows you to manage these replicated secrets, including deleting secrets in specific regions.
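As an added example (not from the original text), the IAM-policy step described above worked through in Python: the policy scopes secretsmanager:GetSecretValue to a single secret and kms:Decrypt to the KMS key that protects it, and a small check flags policies that grant secret reads on every secret in the account. The ARNs are constructed placeholders.

```python
from typing import List

# Constructed sample values (not from the page); real ARNs come from your account.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db/creds-AbCdEf"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"

# Actions (lower-cased) that let a principal read secret values, including wildcards.
SECRET_READ_ACTIONS = {"secretsmanager:getsecretvalue", "secretsmanager:*", "*"}


def least_privilege_policy(secret_arn: str, kms_key_arn: str) -> dict:
    """Policy that reads exactly one secret and decrypts only via Secrets Manager."""
    region = secret_arn.split(":")[3]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOneSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": secret_arn,
            },
            {
                # kms:ViaService ties the key grant to calls made through Secrets Manager
                "Sid": "DecryptThroughSecretsManager",
                "Effect": "Allow",
                "Action": ["kms:Decrypt"],
                "Resource": kms_key_arn,
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}
                },
            },
        ],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy: dict) -> List[str]:
    """Sids of Allow statements that can read every secret in the account."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & SECRET_READ_ACTIONS:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith(":secret:*"):
                flagged.append(stmt.get("Sid", "<no Sid>"))
                break
    return flagged
```

Running find_overbroad_statements over the policies attached to a workload role is a quick way to catch a "*" resource that would expose every secret, not just the one the application needs.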