Ref: https://learn.cantrill.io/courses/1820301/lectures/41301524

• Summary:
• Contents:

HTTPS Refresher

• Hyper-Text Transfer Protocol (HTTP) originally created with no security in mind
  • No server identity, authentication, nor encrypted communication
  • 💡 Malicious actors could spoof a website's DNS name, or sniff traffic to read unencrypted communications
• HTTPS = HTTP Secure → addresses HTTP security problems
  • SSL/TLS protocol used to create secure & encrypted tunnel, where HTTP traffic flows
  • Server verification with SSL/TLS digital certificates → harder to spoof server
    • Certificates signed by trusted certificate authority (CA) → chain of trust
    • DNS name & signed SSL certificate tied together

AWS Certificate Manager (ACM) - Overview

• 🔧 Service that manages SSL certificates (create, manage & renew certificates)
  • Can run public OR private certificate authority (CA)
    • Public → Browsers trust list of providers, which can trust other providers → chain of trust → generated certificates trusted automatically
    • Private → must configure clients to trust private CA
• Certificates can be generated or imported
  • If generated → can automatically renew (no issues with expired certificates)
  • If imported → customer responsible for renewal (can't automatically renew)
• Certificates can be deployed out to supported services (generally CF & ALBs)
  • ‼️ EC2 does NOT integrate with ACM!!
    • 💡 Certificates must be securely stored, but inside an EC2 instance they would be exposed if you have root access
• ❗ Regional service
  • To use an ACM cert with an ALB in ap-southeast-2 , cert must be in ap-southeast-2
  • Certs can NOT leave their region
  • ‼️ Only exception: global services like CloudFront!
    • CF operates as though it were in us-east-1 → ACM cert must be in us-east-1 if associated to a CF distribution
• ACM Architecture Diagram