Most of us, when surfing the web, don’t notice the little padlock icon in the address bar just before the URL of the page. The tiny lock symbol signifies that a site is secured and encrypted via either the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol. SSL or TLS is also used to secure web applications in addition to standard websites. To “prove” to a web browser that the site is secured by SSL or TLS, the site presents a digital file known as an SSL/TLS certificate. These electronic documents are digitally signed and establish identity and trust between the site and the web browser.
Historically, companies needed to purchase certificates on their own and manage the certificates and their renewals in-house. Amazon is changing the game again: through a service called AWS Certificate Manager, it offers SSL/TLS certificates and certificate management free of charge to users who subscribe to AWS services that run websites or applications, such as Elastic Load Balancers or Amazon CloudFront distributions.
How SSL/TLS Works
Companies get certificates for SSL/TLS encryption from specific entities known as Certificate Authorities (CAs). Requesting a certificate for a website or web application requires you to confirm that you are the sole party responsible for the domain. Once verified, a certificate is issued for a set amount of time for the given domain (which consequently does not include subdomains). This process can be very time consuming for IT managers: with the traditional method, you have to install the certificate on your system, keep track of expiration dates (most certificates are valid for 12-36 months), and then get new certificates when the old ones expire. Plus, with AWS Certificate Manager this is all done for free (as it is included with the cost of the AWS subscription service).
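The two manual chores described above, knowing which hostnames a certificate actually covers and tracking expiration dates, can be illustrated with a short audit script. This is an added example, not code from the original article or from AWS; the certificate entries, dates, and function names are constructed for illustration, and the wildcard entry goes one step beyond the single-domain case in the text.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample data, in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERTS = [
    {"subjectAltName": (("DNS", "example.com"),),
     "notAfter": "Mar 10 12:00:00 2025 GMT"},
    {"subjectAltName": (("DNS", "*.example.com"),),
     "notAfter": "Jan 15 12:00:00 2025 GMT"},
]

def name_matches(pattern, hostname):
    """Compare one DNS name from the certificate with a hostname.
    A leading '*' stands for exactly one label, so '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def covers(cert, hostname):
    """True if any DNS subjectAltName entry in the certificate matches."""
    return any(kind == "DNS" and name_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))

def days_left(cert, now):
    """Whole days between 'now' and the certificate's notAfter timestamp."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def audit(hostnames, certs, now, renew_within_days=30):
    """Return {hostname: 'uncovered' | 'expired' | 'renew' | 'ok'}."""
    report = {}
    for host in hostnames:
        remaining = [days_left(c, now) for c in certs if covers(c, host)]
        if not remaining:
            report[host] = "uncovered"       # no certificate names this host
        elif max(remaining) < 0:
            report[host] = "expired"
        elif max(remaining) <= renew_within_days:
            report[host] = "renew"           # inside the renewal window
        else:
            report[host] = "ok"
    return report

if __name__ == "__main__":
    now = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    hosts = ["example.com", "www.example.com", "api.dev.example.com"]
    print(audit(hosts, SAMPLE_CERTS, now))
```

In practice the certificate dictionaries would come from `getpeercert()` on a live TLS connection rather than from constructed data.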
How AWS Certificate Manager Works
AWS Certificate Manager was designed to streamline and automate many of the tasks that IT departments normally have to carry out to maintain and update SSL/TLS certificates. AWS Certificate Manager handles the provisioning, deployment, and renewal of digital certificates automatically. Certificates deployed and managed by AWS Certificate Manager are all verified by Amazon’s own certificate authority, known as Amazon Trust Services (ATS).
Provisioning and deploying a certificate is fairly simple in AWS Certificate Manager: users log into the AWS Certificate Manager Console and click on "Get Started." The user enters the domain name (example.com) and any related subdomains, then clicks on “Review and Request.” An email is sent to the registered owner of the domain (to verify ownership), who clicks on a link in the email to approve the validation request. Once approved, the certificate is available in the AWS Certificate Manager console.
Benefits Including Enhanced Compliance
SSL/TLS web encryption is a requirement for companies that handle sensitive data. Sites and applications that capture and process highly-sensitive personal information need SSL/TLS encryption to meet compliance requirements for regulations such as Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard (PCI-DSS).
*It is important to note that AWS Certificate Manager is only available in the AWS US East (Northern Virginia) region, but additional regions are in the works for system-wide implementation.