Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to Rotation
Learn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.
Overview of ACM
ACM is a service that automates the issuance, management, and deployment of SSL/TLS certificates. Public certificates can be issued for free and deployed to ALB, NLB, CloudFront, API Gateway, and Elastic Beanstalk with just a few clicks. Unlike Let's Encrypt, certificate renewal is fully automated, eliminating the need to manage cron jobs or certbot. Note that you cannot install certificates directly on EC2 instances, so if you need to terminate HTTPS on EC2, place an ALB in front of it or use Let's Encrypt.
DNS Validation and Automatic Renewal
There are two certificate validation methods: DNS validation and email validation. With DNS validation, you add a CNAME record specified by ACM to Route 53 (or an external DNS provider). If you use Route 53, you can add it with a single click from the console. Email validation sends a confirmation email to the domain administrator's email address, but since manual approval is required for each renewal, DNS validation is strongly recommended. Once added, DNS validation records remain valid unless deleted and continue to be used for automatic certificate renewal. Automatic renewal begins 60 days before the certificate expiration date and proceeds automatically as long as the DNS validation record exists and the certificate is associated with an AWS resource. Certificates have a 13-month validity period, and renewed certificates are automatically applied to ALB and CloudFront.
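The DNS-validation step above is the one piece that still needs automation when the zone is not in Route 53, or when certificates are requested from a pipeline rather than the console. The following added example (not code from the original article or from AWS) shows how to turn the `DomainValidationOptions` of a DescribeCertificate response into the change batch that `aws route53 change-resource-record-sets` accepts. The field names follow the real ACM API shape; the response itself, including the ARN, domain names and validation tokens, is a constructed sample, and the hosted zone ID is assumed to be supplied by the caller.

```python
"""Turn an ACM DescribeCertificate response into a Route 53 change batch.

Constructed sample data: the response below mirrors the shape returned by
`aws acm describe-certificate` (Certificate.DomainValidationOptions[].ResourceRecord),
but every value (ARN, domain, record names, tokens) is made up for this example.
"""
from __future__ import annotations
import json

# Constructed sample: shape follows the ACM DescribeCertificate API; values are fake.
SAMPLE_DESCRIBE_CERTIFICATE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:ap-northeast-1:111111111111:certificate/EXAMPLE-0000",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "www.example.com"],
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_1111aaaa.example.com.",
                    "Type": "CNAME",
                    "Value": "_2222bbbb.acm-validations.aws.",
                },
            },
            {
                "DomainName": "www.example.com",
                "ValidationMethod": "DNS",
                "ValidationStatus": "PENDING_VALIDATION",
                "ResourceRecord": {
                    "Name": "_3333cccc.www.example.com.",
                    "Type": "CNAME",
                    "Value": "_4444dddd.acm-validations.aws.",
                },
            },
        ],
    }
}


def validation_records(describe_response: dict) -> list[dict]:
    """Return the CNAME records ACM wants published, one per validated name.

    Only DNS-validated entries carry a ResourceRecord; email-validated entries
    are skipped because no DNS change can satisfy them. An entry whose
    ResourceRecord is not yet present means ACM has not issued the token;
    the caller should describe the certificate again a little later.
    """
    records = []
    for option in describe_response["Certificate"].get("DomainValidationOptions", []):
        if option.get("ValidationMethod") != "DNS":
            continue
        rr = option.get("ResourceRecord")
        if rr is None:
            continue
        records.append({"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return records


def route53_change_batch(records: list[dict], ttl: int = 300) -> dict:
    """Build the ChangeBatch document for route53 change-resource-record-sets.

    UPSERT makes the batch idempotent, so re-running after a retry or a
    re-issued request is safe. ACM hands out the same record for a wildcard
    and its apex, and Route 53 rejects duplicate names in one batch, so
    records are de-duplicated by name first.
    """
    seen: set[str] = set()
    changes = []
    for rec in records:
        if rec["Name"] in seen:
            continue
        seen.add(rec["Name"])
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rec["Name"],
                "Type": rec["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rec["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation records", "Changes": changes}


if __name__ == "__main__":
    # With real data: acm.describe_certificate(CertificateArn=...) from boto3
    # replaces SAMPLE_DESCRIBE_CERTIFICATE; the JSON printed here is what you
    # pass as --change-batch file://batch.json together with --hosted-zone-id.
    batch = route53_change_batch(validation_records(SAMPLE_DESCRIBE_CERTIFICATE))
    print(json.dumps(batch, indent=2))
```

Because the validation CNAME is what ACM re-checks at every renewal, treat it like the certificate itself: keep it in the same infrastructure-as-code that owns the zone, and never let a zone clean-up remove records whose names start with an underscore without checking ACM first.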
Private Certificates and Certificate Transparency
Integration with ACM Private CA allows you to issue private certificates for internal service-to-service communication. Since public certificates are recorded in Certificate Transparency (CT) logs, use private certificates when you don't want to expose internal service hostnames. ACM's import feature also lets you manage certificates issued by external CAs, though automatic renewal only works with ACM-issued certificates. As certificate expiration approaches, CloudWatch metrics and EventBridge events provide notifications to prevent renewal oversights. Certificates must be issued per region, so in multi-region configurations, you manage certificates in each region. For a comprehensive look at ACM best practices, refer to technical books on Amazon.
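The renewal and notification points above come together in one check: a certificate inside the 60-day renewal window is only a problem when something stops ACM from renewing it on its own. The added example below (not from the original article or from AWS) encodes those conditions as a small checker that can run from a Lambda triggered by ACM's expiry notifications, or on a schedule over the output of ListCertificates and DescribeCertificate. The certificate objects are constructed samples with fake ARNs and a fixed clock; the field names (`Type`, `NotAfter`, `InUseBy`, `RenewalEligibility`, `DomainValidationOptions`) follow the real API shape, and the 30-day alert threshold is a local policy choice, not an ACM setting.

```python
"""Flag ACM certificates that are close to expiry and cannot renew on their own.

Constructed sample input: a list shaped like the `Certificate` objects returned by
`aws acm describe-certificate` (only the fields used here), with fake ARNs and a
fixed "now" so the example is deterministic. The 60-day window is where ACM's
managed renewal starts; ALERT_DAYS is a local choice for when to page someone.
"""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 60   # ACM begins managed renewal this many days before NotAfter
ALERT_DAYS = 30            # local policy: escalate if still unrenewed at this point
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed clock for the sample

SAMPLE_CERTIFICATES = [
    {   # healthy: DNS validated, in use, far from expiry
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-a",
        "DomainName": "app.example.com", "Type": "AMAZON_ISSUED",
        "NotAfter": NOW + timedelta(days=300),
        "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLEDIST"],
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [{"ValidationMethod": "DNS"}],
    },
    {   # risk: imported certificate, ACM never renews these, 20 days left
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-b",
        "DomainName": "legacy.example.com", "Type": "IMPORTED",
        "NotAfter": NOW + timedelta(days=20),
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/x/y"],
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [],
    },
    {   # risk: email validated and inside the window; a human has to approve
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-c",
        "DomainName": "mail.example.com", "Type": "AMAZON_ISSUED",
        "NotAfter": NOW + timedelta(days=45),
        "InUseBy": ["arn:aws:apigateway:us-east-1::/domainnames/mail.example.com"],
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [{"ValidationMethod": "EMAIL"}],
    },
    {   # risk: DNS validated but attached to nothing, 50 days left
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-d",
        "DomainName": "staging.example.com", "Type": "AMAZON_ISSUED",
        "NotAfter": NOW + timedelta(days=50),
        "InUseBy": [],
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [{"ValidationMethod": "DNS"}],
    },
]


def days_to_expiry(cert: dict, now: datetime = NOW) -> int:
    """Whole days until NotAfter; the same quantity ACM exposes as a CloudWatch metric."""
    return (cert["NotAfter"] - now).days


def renewal_risks(cert: dict) -> list[str]:
    """Reasons this certificate will not renew by itself; an empty list means it should."""
    reasons = []
    if cert.get("Type") == "IMPORTED":
        reasons.append("imported certificate: ACM does not renew it, re-import a new one")
    methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
    if "EMAIL" in methods:
        reasons.append("email validation: each renewal needs manual approval")
    if not cert.get("InUseBy"):
        reasons.append("not associated with any AWS resource, so renewal is not attempted")
    if cert.get("RenewalEligibility") == "INELIGIBLE" and not reasons:
        reasons.append("ACM reports the certificate as ineligible for managed renewal")
    return reasons


def certificates_needing_action(certs: list[dict], now: datetime = NOW,
                                alert_days: int = ALERT_DAYS) -> list[dict]:
    """Certificates inside the renewal window that carry a risk or have crossed the alert line.

    Result is sorted by days remaining so the most urgent item comes first.
    """
    findings = []
    for cert in certs:
        days = days_to_expiry(cert, now)
        if days > RENEWAL_WINDOW_DAYS:
            continue                      # ACM has not started renewal yet; nothing to judge
        reasons = renewal_risks(cert)
        if reasons or days <= alert_days:
            findings.append({"arn": cert["CertificateArn"], "domain": cert["DomainName"],
                             "days": days, "reasons": reasons})
    return sorted(findings, key=lambda f: f["days"])


if __name__ == "__main__":
    for f in certificates_needing_action(SAMPLE_CERTIFICATES):
        print(f"{f['domain']:<22} {f['days']:>3}d  {'; '.join(f['reasons']) or 'unrenewed past alert line'}")
```

With real data, `NotAfter` arrives from boto3 as a timezone-aware datetime already, so the arithmetic above works unchanged; the findings list is what you would post to SNS or open a ticket from, rather than waiting for the ALB to start serving an expired certificate.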
ACM Pricing
ACM public certificates are free to issue and renew. There are no additional charges for deploying to ALB, CloudFront, or API Gateway. ACM Private CA costs approximately $400/month per CA, with additional charges based on the number of certificates issued ($0.75 per certificate for the first 1,000). Short-lived certificate mode (validity of 7 days or less) reduces the monthly CA fee to approximately $50. Use ACM's free certificates for use cases that public certificates can handle, and limit Private CA to cases where it's needed, such as mTLS or internal service authentication, to manage costs.
Summary
ACM is a service that automates the entire lifecycle of public SSL/TLS certificates, from issuance to renewal, at no cost. Once DNS validation is configured, certificates are maintained without manual intervention, and deployment to ALB and CloudFront is seamless. Integration with Private CA also supports mTLS authentication for internal services, centralizing certificate management across the organization.