5.2.2. Encryption in Transit: ACM and TLS Certificate Management
💡 First Principle: Encryption in transit protects data as it moves between systems: between users and your application, between microservices, and between AWS services. TLS (Transport Layer Security) is the protocol; certificates are the mechanism that proves identity and establishes the encrypted channel. The operational challenge is certificate lifecycle management: provisioning, deploying, and rotating certificates before they expire.
AWS Certificate Manager (ACM):
ACM provisions, manages, and renews SSL/TLS certificates for use with AWS services. Key characteristics:
| Feature | Detail |
|---|---|
| Public certificates | Free; valid for use with ALB, CloudFront, API Gateway, Elastic Beanstalk |
| Private certificates | ACM Private CA (~$400/month); for internal services |
| Auto-renewal | Public certificates renew automatically (no intervention needed when DNS validation is used and the validation CNAME stays in place) |
| Cannot be exported | Public ACM certificates are not downloadable; they can only be used with supported AWS services |
| Region-specific | Certificates are issued per region; CloudFront requires certificates in us-east-1 |
Certificate Validation Methods:
| Method | How It Works | Best For |
|---|---|---|
| DNS validation | Add CNAME record to your DNS zone; ACM checks it | Automated renewal; preferred method |
| Email validation | Confirmation email to registered domain contacts | When you don't control DNS directly |
ACM with ALB: The most common pattern: attach an ACM certificate to an ALB listener for HTTPS termination. The ALB terminates TLS and forwards HTTP (or re-encrypted HTTPS) to targets. Backend targets don't need their own certificates.
End-to-End Encryption Pattern:
For compliance scenarios requiring encryption all the way to the instance (not just to the load balancer), configure:
- ALB → HTTPS listener with ACM cert (terminates TLS from clients)
- ALB → HTTPS target group (re-encrypts to backend instances)
- Backend instances → self-signed cert or ACM Private CA cert
Certificate Lifecycle (Non-ACM): For certificates imported into ACM (from external CAs) or installed on EC2 instances directly, you're responsible for renewal. Common operational failure: certificates expire and cause outages. Mitigations:
- CloudWatch metric: `DaysToExpiry` in the `AWS/CertificateManager` namespace; set an alarm at 45 days to expiry. ACM emits this metric only for certificates it holds (issued or imported), so a certificate installed directly on an EC2 instance needs its own expiry check.
- Use ACM wherever possible to eliminate manual renewal
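An added example (not from the original page) of the expiry check that the CloudWatch metric cannot provide for certificates installed directly on instances: it performs a TLS handshake, reads the leaf certificate's notAfter, and classifies it against the 45-day alarm window. The hostname, port and certificate path under `__main__` are hypothetical; for a self-signed backend certificate, its own PEM is passed as the trust anchor so verification succeeds and the parsed certificate is returned.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

ALARM_DAYS = 45  # alarm threshold recommended above


def days_to_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days until notAfter, given in the format used by
    ssl.SSLSocket.getpeercert()['notAfter'], e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days


def expiry_state(days: int, alarm_days: int = ALARM_DAYS) -> str:
    """Mirror the CloudWatch alarm: ALARM inside the window, EXPIRED past it."""
    if days < 0:
        return "EXPIRED"
    return "ALARM" if days <= alarm_days else "OK"


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None,
                    timeout: float = 5.0) -> dict:
    """Handshake with an endpoint and return its parsed leaf certificate.

    For a backend instance presenting a self-signed certificate, pass that
    certificate's PEM file as cafile so verification succeeds. With verification
    disabled, getpeercert() would return an empty dict and no notAfter.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_endpoint(host: str, port: int = 443, cafile: Optional[str] = None) -> tuple:
    """Return (days_left, state) for one endpoint; feed the state to alerting."""
    days = days_to_expiry(fetch_peer_cert(host, port, cafile)["notAfter"])
    return days, expiry_state(days)


if __name__ == "__main__":
    # Hypothetical backend endpoint and certificate path (not from the page).
    print(check_endpoint("backend-1.internal.example", 443, cafile="/etc/pki/backend-1.pem"))
```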
⚠️ Exam Trap: ACM public certificates cannot be exported or used outside AWS managed services. You cannot download the private key and install it on an EC2 instance running Nginx directly. For that use case, you must: (1) use a third-party CA and import the certificate into ACM for use with ALB, or (2) use ACM Private CA (paid), which does allow certificate export. The exam may present a scenario where "install a certificate on EC2" is required; the answer is not ACM public, it's import or Private CA.
Reflection Question: Your ALB serves api.company.com over HTTPS using an ACM certificate. A compliance requirement now mandates that traffic must be encrypted all the way to the EC2 instance backend (not just to the ALB). What change do you make, and what type of certificate do the backend instances need?