[AWS] Certificate Manager

AWS Certificate Manager (ACM) manages HTTPS certificates.

Features

  • Integration
    • Load Balancers
      • ALB provides SSL Termination
    • CloudFront distributions
    • API Gateway APIs
  • Public Certificates
    • Issued by a trusted public certificate authority (CA)
  • Private Certificates
    • Used for internal applications
  • ACM is a regional service.
    • With multi-region applications (such as ALBs in each region), you need to issue an SSL certificate in each region.
    • You CAN NOT copy certificates across regions.

Renewing Certificate

When ACM certificates are eligible for renewal, health events are generated.

(Option 1) ACM built-in Certificate Expiration event -> Amazon EventBridge -> a Lambda function.

  • ACM sends daily expiration events for all active certificates (public, private and imported) starting 45 days prior to expiration.
  • You can use expiration events to re-import certificates into ACM.
  • Create an EventBridge rule to catch the event
    • Invoke a Lambda function to handle the expiration event
    • Send a notification via SNS.

(Option 2) Schedule a batch search using the DaysToExpiry metric

  • Create an Amazon EventBridge rule and schedule it
    • Configure to rule to check the DaysToExpiry metric of all ACM certificates in Amazon CloudWatch.
Unknown's avatar

Published by Pyongwon Lee

IT (Cloud, Web) Development, Philosophy, Economics.

Leave a Comment