Blog | G5 Cyber Security

AWS Private Certificate Manager & FedRAMP TLS

TL;DR

This guide shows you how to use AWS Private Certificate Authority (AWS Private CA, formerly ACM Private CA) together with AWS Certificate Manager (ACM) to meet FedRAMP requirements for Transport Layer Security (TLS). We’ll cover creating a private CA, issuing certificates from it, and deploying them to your services. It assumes you have an existing AWS account and basic familiarity with IAM.

1. Understand the Requirements

FedRAMP requires strong TLS configurations. In practice this means TLS 1.2 or later with FIPS-approved cipher suites and FIPS 140-validated cryptographic modules, in line with NIST SP 800-52 Rev. 2, which FedRAMP references for TLS. It also means you must be able to show who can issue certificates, where the CA private keys live, and when every certificate expires.

AWS Private CA helps you manage these requirements within your AWS environment: CA private keys are generated and held in FIPS 140-2 validated hardware security modules, issuance is controlled by IAM, and ACM tracks the certificates it issues from your CA.

2. Create a Private CA

  1. Navigate to ACM: Go to the AWS Certificate Manager console in the region where you want to deploy your services.
  2. Choose Private CAs: Select ‘Private certificate authorities’ from the left-hand menu. This opens the AWS Private CA console.
  3. Create a CA: Click ‘Create a private CA’.
  4. CA Type: Choose ‘Root’ for your first CA. Choose ‘Subordinate’ only if you are chaining to an existing root (for example an offline root you already operate).
  5. Configuration Details:
    • Name: Give your CA a descriptive name (e.g., my-fedramp-ca).
    • Subject: Enter the subject details for your CA, including country, organisation, etc. This information appears in every certificate chain the CA produces and is what clients see when they inspect the trust anchor. Example:
      C=US, ST=California, L=San Francisco, O=My Organisation, CN=my-fedramp-ca
  6. Key Algorithm: Select RSA 2048 at minimum (RSA 4096 or ECDSA P-384 for stronger security). The CA private key is generated inside AWS-managed, FIPS 140-2 validated HSMs and never leaves them.
  7. Signing Algorithm: Choose SHA-256 (or stronger) with RSA or ECDSA. SHA-1 is not acceptable.
  8. Revocation: Enable a CRL and/or OCSP so that compromised or retired certificates can be revoked; auditors will ask how revocation works.
  9. Tags: Add tags for easy identification and cost allocation.
  10. Review & Create: Review your configuration and click ‘Create’. The new CA is created in the PENDING_CERTIFICATE state: it cannot issue anything until you install its CA certificate. For a root CA, do this from the CA’s page by self-signing with the CA’s own key and choosing the CA certificate validity period (for example 10 years); for a subordinate CA, download the CSR, have the parent sign it, and import the result. Leaf certificates get their own, much shorter validity (ACM’s default for private certificates is 13 months).

3. Issue Certificates

  1. Navigate to ACM: Return to the AWS Certificate Manager console in the same region as your CA.
  2. Request a Certificate: Click ‘Request’ and choose ‘Request a private certificate’.
  3. Select your CA: Choose the private CA you created in Step 2 from the list of available CAs.
  4. Domain Names: Enter the fully qualified domain names for which you need certificates (e.g., example.com, *.example.com). Wildcards are accepted, but prefer explicit names so that one leaked key does not cover a whole zone.
  5. Key Algorithm: Choose RSA 2048 or ECDSA P-256 at minimum for the leaf key pair.
  6. Tags: Add tags for easy identification and cost allocation.
  7. Review & Request: Review your configuration and click ‘Request’.
  8. No Domain Validation: Unlike public certificates, private certificates need no DNS or e-mail validation. The CA is yours, so ACM issues the certificate directly, normally within seconds, and its status moves to ‘Issued’. DNS and e-mail validation only apply to publicly trusted certificates, which are outside the scope of a private CA.
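The console steps in Sections 2 and 3 can be scripted end to end. The following is an added example, not code from the original post: it creates a root CA with AWS Private CA, self-signs and installs its CA certificate (the step that moves the CA out of PENDING_CERTIFICATE), then asks ACM to issue a private certificate and, optionally, exports it for hosts outside ACM integration. It needs boto3 and credentials with acm-pca and acm permissions; the CA name, organisation, validity periods and domain names are assumptions chosen for illustration.

```python
"""Bootstrap a root CA in AWS Private CA and issue a private certificate via ACM.

Added example, not from the original post. Requires boto3 and AWS credentials with
acm-pca:* and acm:* permissions. The names, validity periods and domains used in
__main__ are assumptions for illustration.
"""
import json
import time

# Choices that follow the post's guidance: strong key, SHA-2 signing.
KEY_ALGORITHM = "RSA_4096"
SIGNING_ALGORITHM = "SHA256WITHRSA"
# Template provided by AWS Private CA for self-signing a root CA certificate.
ROOT_TEMPLATE = "arn:aws:acm-pca:::template/RootCACertificate/V1"


def ca_configuration(common_name, org, country="US", state=None, locality=None):
    """Build the CertificateAuthorityConfiguration for create_certificate_authority."""
    subject = {"Country": country, "Organization": org, "CommonName": common_name}
    if state:
        subject["State"] = state
    if locality:
        subject["Locality"] = locality
    return {
        "KeyAlgorithm": KEY_ALGORITHM,
        "SigningAlgorithm": SIGNING_ALGORITHM,
        "Subject": subject,
    }


def create_root_ca(pca, common_name, org, validity_years=10):
    """Create the CA, self-sign its CSR and install the resulting root certificate.

    A new CA stays in PENDING_CERTIFICATE until a CA certificate is imported; for a
    root CA that certificate is issued by the CA itself with the RootCACertificate template.
    """
    resp = pca.create_certificate_authority(
        CertificateAuthorityConfiguration=ca_configuration(common_name, org),
        CertificateAuthorityType="ROOT",
        # Keep the CA key in FIPS 140-2 Level 3 validated HSMs (the default in most regions).
        KeyStorageSecurityStandard="FIPS_140_2_LEVEL_3_OR_HIGHER",
        Tags=[{"Key": "Name", "Value": common_name}],
    )
    ca_arn = resp["CertificateAuthorityArn"]

    pca.get_waiter("certificate_authority_csr_created").wait(CertificateAuthorityArn=ca_arn)
    csr = pca.get_certificate_authority_csr(CertificateAuthorityArn=ca_arn)["Csr"]

    issued = pca.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr.encode(),
        SigningAlgorithm=SIGNING_ALGORITHM,
        TemplateArn=ROOT_TEMPLATE,
        Validity={"Value": validity_years, "Type": "YEARS"},
    )
    cert_arn = issued["CertificateArn"]
    pca.get_waiter("certificate_issued").wait(
        CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn
    )
    root_pem = pca.get_certificate(
        CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn
    )["Certificate"]

    # Installing the certificate activates the CA; keep root_pem as the trust anchor for clients.
    pca.import_certificate_authority_certificate(
        CertificateAuthorityArn=ca_arn, Certificate=root_pem.encode()
    )
    return ca_arn, root_pem


def request_private_certificate(acm, ca_arn, domain, sans=()):
    """Ask ACM to issue a leaf certificate from the private CA.

    No DNS or e-mail validation is involved: the CA is yours, so ACM issues directly.
    """
    kwargs = {"DomainName": domain, "CertificateAuthorityArn": ca_arn, "KeyAlgorithm": "RSA_2048"}
    if sans:
        kwargs["SubjectAlternativeNames"] = list(sans)
    cert_arn = acm.request_certificate(**kwargs)["CertificateArn"]
    for _ in range(30):  # private issuance normally completes within seconds
        status = acm.describe_certificate(CertificateArn=cert_arn)["Certificate"]["Status"]
        if status == "ISSUED":
            return cert_arn
        if status == "FAILED":
            raise RuntimeError(f"issuance failed for {cert_arn}")
        time.sleep(2)
    raise TimeoutError(f"certificate {cert_arn} not issued in time")


def export_for_manual_install(acm, cert_arn, passphrase):
    """Export cert, chain and passphrase-encrypted key for hosts outside ACM integration."""
    resp = acm.export_certificate(CertificateArn=cert_arn, Passphrase=passphrase.encode())
    return resp["Certificate"], resp["CertificateChain"], resp["PrivateKey"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be used without boto3 installed

    pca = boto3.client("acm-pca")
    acm = boto3.client("acm")
    ca_arn, root_pem = create_root_ca(pca, "my-fedramp-ca", "My Organisation")
    cert_arn = request_private_certificate(acm, ca_arn, "example.com", ["*.example.com"])
    print(json.dumps({"ca": ca_arn, "certificate": cert_arn}, indent=2))
```

The exported private key is encrypted with the passphrase you supply; treat the passphrase and the decrypted key with the same controls you would apply to any server key, and prefer ACM-integrated services, where the key never leaves AWS, wherever the service allows it.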

4. Deploy Certificates

How you deploy certificates depends on the AWS service. ACM-integrated services such as Elastic Load Balancing reference the certificate by its ARN: ACM installs it, keeps the private key inside AWS, and renews it in place. For anything outside ACM integration (EC2 instances, containers, on-premises servers), export the certificate, chain and private key from ACM (console ‘Export’ or aws acm export-certificate) and install them yourself; you then own protecting the key and redeploying on renewal. Because a private root is not in any public trust store, every client that connects to these endpoints must be configured to trust your CA’s root certificate.
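After deployment, check the result from a client’s point of view: the chain must validate against the private root only, and the server must negotiate TLS 1.2 or later with FIPS-approved suites. The following client check is an added example, not code from the original post. It uses only the Python standard library; the host, port, CA bundle path and the cipher string are assumptions, and the TLS 1.2 cipher restriction is one reasonable choice rather than an official FedRAMP list.

```python
"""Verify that an endpoint chains to the private root and negotiates TLS >= 1.2.

Added example, not from the original post. Standard library only; host, port,
CA bundle path and the cipher string below are assumptions for illustration.
"""
import socket
import ssl

# TLS 1.2 suites limited to ECDHE key exchange with AES-GCM (all FIPS-approved
# algorithms). TLS 1.3 suites are selected separately by OpenSSL and are all AEAD.
FIPS_TLS12_CIPHERS = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def make_fedramp_context(ca_bundle=None):
    """Client context that trusts only the given root (if supplied) and refuses TLS < 1.2."""
    # With cafile set, create_default_context loads ONLY that bundle, which is what
    # we want: the private root, and nothing from the system store.
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(FIPS_TLS12_CIPHERS)
    return ctx


def tls12_cipher_names(ctx):
    """Names of the TLS 1.2 suites the context is willing to offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def name_from(rdn_seq, key):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s RDN tuple layout."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def check_endpoint(host, port=443, ca_bundle=None, timeout=5.0):
    """Connect, verify the chain against the private root, report what was negotiated.

    Raises ssl.SSLError if the chain does not validate or no acceptable protocol/cipher
    is available, which is exactly the failure a misdeployed certificate should produce.
    """
    ctx = make_fedramp_context(ca_bundle)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": name_from(cert["subject"], "commonName"),
                "issuer_cn": name_from(cert["issuer"], "commonName"),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Assumed values: an internal endpoint and the exported root of my-fedramp-ca.
    print(check_endpoint("app.example.com", 443, ca_bundle="my-fedramp-ca-root.pem"))
```

Run it from a host that holds the exported root certificate. A handshake failure here is the expected outcome for an endpoint that still serves a public or self-signed certificate, or that permits only TLS 1.0/1.1; a successful result reports the issuer CN, which should be your private CA, and the negotiated protocol, which should be TLSv1.2 or TLSv1.3.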

5. Certificate Rotation

ACM automatically renews private certificates that are associated with an ACM-integrated service, provided the CA has granted the ACM service principal permission to issue on its behalf (in the AWS Private CA console this is the ‘ACM access’ permission; from the CLI, aws acm-pca create-permission with principal acm.amazonaws.com). Certificates you exported and installed by hand are renewed inside ACM but not on your hosts: you must export and redeploy the new certificate yourself, so monitor the expiry dates of exported certificates and automate that redeployment.

6. FedRAMP Considerations
