AWS Certificate Manager - vedratna/aws-learning GitHub Wiki

With AWS Systems Manager Parameter Store, you can create secure string parameters, which are parameters that have a plaintext parameter name and an encrypted parameter value. Parameter Store uses AWS KMS to encrypt and decrypt the parameter values of secure string parameters
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.
With AWS Certificate Manager, you can quickly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally. Public and private certificates provisioned through AWS Certificate Manager for use with ACM-integrated services are free. You pay only for the AWS resources you create to run your application. With AWS Certificate Manager Private Certificate Authority, you pay monthly for the operation of the private CA and for the private certificates you issue.
You can use the same SSL certificate from ACM in more than one AWS Region but it depends on whether you’re using Elastic Load Balancing or Amazon CloudFront. To use a certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region, you must request a new certificate for each Region in which you plan to use it. To use an ACM certificate with Amazon CloudFront, you must request the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.
The certificate issuer you must use depends on whether you want to require HTTPS between viewers and CloudFront or between CloudFront and your origin:
HTTPS between viewers and CloudFront

You can use a certificate that was issued by a trusted certificate authority (CA) such as Comodo, DigiCert, Symantec or other third-party providers.

You can use a certificate provided by AWS Certificate Manager (ACM)

HTTPS between CloudFront and a custom origin

If the origin is not an ELB load balancer, such as Amazon EC2, the certificate must be issued by a trusted CA such as Comodo, DigiCert, Symantec or other third-party providers.

If your origin is an ELB load balancer, you can also use a certificate provided by ACM.

SNI Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address by including the hostname which the viewers are trying to connect to. You can host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer. In order to use SNI, all you need to do is bind multiple certificates to the same secure listener on your load balancer. ALB will automatically choose the optimal TLS certificate for each client. These features are provided at no additional charge.

Issue Resolution

Follow the resolution steps for the error message that you receive: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. This error message indicates that the certificate doesn't meet one or more of the following requirements for importing into AWS Certificate Manager (ACM), or for association with a distribution:

The certificate must be imported in the US East (N. Virginia) Region.

The certificate must be 2048 bits or smaller.

The certificate must not be password-protected.

The certificate must be PEM encoded. To associate the imported certificate and certificate chain to your CloudFront distribution, you must be sure that they meet these requirements. Or, you can request a public certificate from ACM in the US East (N. Virginia) Region to meet the requirements. Then, you can associate the newly requested certificate with your distribution.

If you're using a certificate requested from or imported to ACM, confirm that your certificate meets the requirements

To assign an ACM certificate to a CloudFront distribution, you must request or import the certificate in the US East (N. Virginia) Region. After you assign an ACM certificate to a CloudFront distribution, the certificate is distributed to all edge locations for the CloudFront distribution's price class.

After you validate your ACM certificate using either DNS validation or email validation, be sure that the status of the certificate is Issued. The status must be Issued before you can assign the certificate to a CloudFront distribution.

The certificate must be a 2048-bit RSA certificate or smaller. Though ACM supports 1024 bit through 4096-bit RSA certificates, services such as CloudFront that are integrated with ACM support a maximum of 2048-bit RSA certificates.

For imported certificates, you must be sure that the certificate meets the prerequisites for importing a certificate.

If you're using a certificate imported to IAM, verify the CloudFront path. When you import your SSL certificate to IAM, you must provide the correct path so that CloudFront can use the certificate.
Confirm that you have the required permissions. To assign a certificate from ACM or IAM to the CloudFront distribution, the IAM user or role you use to assign the certificate must, at minimum, have the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "acm:ListCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:ListStreamingDistributions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:List*",
                "cloudfront:Get*",
                "cloudfront:Update*"
            ],
            "Resource": "arn:aws:cloudfront::account-id:distribution/distribution-id"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListServerCertificates",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetServerCertificate",
                "iam:UpdateServerCertificate"
            ],
            "Resource": "arn:aws:iam::account-id:server-certificate/certificate-name-with-path"
        }
    ]
}