Configure sensor (agentless) automation settings for an AWS load balancer

  • Sensor automation supports AWS Application/Network Load Balancer (ALB/NLB) and AWS CloudFront.
  • Newly automated certificates will be stored in AWS Certificate Manager (ACM) independently of the original certificate stored in AWS Identity and Access Management (IAM).
  • When automating a distribution that has no certificate, AWS recommends changing these distribution settings:
    • SSLSupportMethod to sni-only
    • MinimumProtocolVersion to TLSv12_2019
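The settings above can be checked before and after a distribution is automated. The following is an added example for this page (not DigiCert or AWS code): it inspects the ViewerCertificate block of a CloudFront DistributionConfig document, the shape returned by the CloudFront API, and reports which of the listed settings still differ. The page writes the protocol policy as TLSv12_2019; the CloudFront API spells that enum TLSv1.2_2019, and the check accepts the whole TLSv1.2_* family since each of those policies enforces a TLS 1.2 floor. The two sample documents are constructed, and the certificate ARN in them is a placeholder.

```python
# Added example (not DigiCert or AWS code): compare a CloudFront
# DistributionConfig's ViewerCertificate settings with the values listed
# on this page. Sample documents below are constructed.

WANTED_SSL_SUPPORT_METHOD = "sni-only"
# The page writes the policy as TLSv12_2019; the CloudFront API spells the
# enum TLSv1.2_2019. Every TLSv1.2_* policy (2018, 2019, 2021) enforces a
# TLS 1.2 floor, so the check accepts the family and names 2019 in its advice.
TLS12_POLICY_PREFIX = "TLSv1.2_"
RECOMMENDED_POLICY = "TLSv1.2_2019"


def viewer_certificate_findings(distribution_config):
    """Return the settings that differ from the recommendation (empty = OK)."""
    vc = distribution_config.get("ViewerCertificate", {})
    findings = []
    if vc.get("CloudFrontDefaultCertificate"):
        findings.append(
            "distribution serves the default *.cloudfront.net certificate; "
            "no custom certificate is attached for automation"
        )
    method = vc.get("SSLSupportMethod")
    if method != WANTED_SSL_SUPPORT_METHOD:
        findings.append(f"SSLSupportMethod is {method!r}; set it to {WANTED_SSL_SUPPORT_METHOD!r}")
    policy = vc.get("MinimumProtocolVersion") or ""
    if not policy.startswith(TLS12_POLICY_PREFIX):
        findings.append(f"MinimumProtocolVersion is {policy!r}; set it to {RECOMMENDED_POLICY!r}")
    return findings


def sample_configs():
    """Constructed before/after DistributionConfig fragments for the check."""
    before = {
        "CallerReference": "constructed-example",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": True,
            "MinimumProtocolVersion": "TLSv1",
        },
    }
    after = {
        "CallerReference": "constructed-example",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            # placeholder ARN; CloudFront reads ACM certificates from us-east-1
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-ID",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2019",
        },
    }
    return before, after


if __name__ == "__main__":
    for label, cfg in zip(("before", "after"), sample_configs()):
        print(label, viewer_certificate_findings(cfg) or ["OK"])
```

To run it against a live distribution, feed the `DistributionConfig` object from `aws cloudfront get-distribution-config` into `viewer_certificate_findings`; an empty list means the distribution already matches the settings above.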

Users with limited access require permissions for the listed policies.

For AWS ALB/NLB:

For AWS CloudFront:

Configure agentless settings for AWS load balancers

  1. Log in to the sensor host.

  2. Go to the sensor CLI directory.

    cd install_dir/cli

    Where install_dir is the installation directory for the sensor.

  3. Run the addagentless command.

    • On Linux:
      • For AWS ALB/NLB: ./addagentless.sh -type AWS
      • For AWS CloudFront: ./addagentless.sh -type AWS-CLOUDFRONT
    • On Windows:
      • For AWS ALB/NLB: addagentless.bat -type AWS
      • For AWS CloudFront: addagentless.bat -type AWS-CLOUDFRONT
    • On Docker:
      • For AWS ALB/NLB: docker exec -it <container-id/name> cli/addagentless.sh -type AWS
      • For AWS CloudFront: docker exec -it <container-id/name> cli/addagentless.sh -type AWS-CLOUDFRONT

    When you run the command, a prompt appears for each setting. At each prompt, enter the value for your load balancer and press Return.

Run the docker ps command to get the container name or ID and its operating status.

There are two ways to configure agentless automation on Docker:

  1. Without signing in to the docker sensor container:
    Run the docker exec -it <container-id/name> cli/addagentless.sh -type AWS or docker exec -it <container-id/name> cli/addagentless.sh -type AWS-CLOUDFRONT command.
  2. By signing in to the docker sensor container:
    1. Run the docker exec -it <container-id/name> bash command to get a bash shell in the container.
    2. Go to the sensor installation directory and run the cli/addagentless.sh -type AWS or cli/addagentless.sh -type AWS-CLOUDFRONT command.

For example:

./addagentless.sh -type AWS

Login method: 1
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.

Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2

Choose your login method:
  1.Use the Default AWS credential provider chain
  2.Supply the credentials yourself
  3.Use an AWS profile name
Your choice: 1

If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N

Successfully added or changed the agentless automation. This applies to the following HA Pair peers :

Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.
Login method: 2
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.

Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2

Choose your login method:
  1.Use the Default AWS credential provider chain
  2.Supply the credentials yourself
  3.Use an AWS profile name
Your choice: 2

If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N

Enter AWS access key Id:ABCD12E3F4GHIJ567KLM
Enter AWS secret key:
Confirm AWS secret key:

Successfully added or changed the agentless automation. This applies to the following HA Pair peers :

Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.
Login method: 3
Sensor CLI. Copyright 2020, DigiCert Inc.
Add or change login credentials and specify data IP addresses for certificate automation.

Enter your AWS Account ID (12 digits):123456789012
Enter AWS Region (e.g., us-east-2):us-east-2

Choose your login method:
  1.Use the Default AWS credential provider chain
  2.Supply the credentials yourself
  3.Use an AWS profile name
Your choice: 3

If available, do you want to map this sensor with the previously voided loadbalancer (Y/N)?:N

Enter your AWS profile name (Press Enter if the profile name and AWS Account ID are same.):

Successfully added or changed the agentless automation. This applies to the following HA Pair peers:

Starting agentless configuration for this host. Go to Automated IPs in CertCentral to finish configuring host details and set up automation.

AWS credentials

To provide login credentials for configuring agentless automation settings, you can:

  • Use the default AWS credential provider chain.
  • Supply the credentials yourself.
  • Use an AWS profile name.

Default credential provider chain

The AWS provider offers a flexible means of supplying authentication credentials. The following methods are supported, and credentials are sought in this order:

  1. Environment variables – AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

    Note: You are required to restart the sensor:

    • If environment variables are added while the sensor is already installed and running.
    • If environment variables are updated or changed while the sensor is running.
  2. Credential profiles file at the default location (~/.aws/credentials) shared by all AWS SDKs and the AWS CLI.

    For successful authentication, we recommend:

    • Adding the AWS_CREDENTIAL_PROFILES_FILE environment variable.
    • Setting the credential file to a location where both the sensor and the user have access to it.

    For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file

    Note: You must restart the sensor if an update or change is made to the environment variables when the sensor is running.

  3. Instance profile credentials delivered through the Amazon EC2 metadata service.

    For successful instance credential authentication:

    1. The sensor must be installed on the EC2 instance.
    2. An Identity and Access Management (IAM) role must be attached to that EC2 instance. To create the role and attach it to an instance, refer to Create IAM role and Assign IAM role to an instance.
    3. The IAM role associated with the instance must have the following policy authorization:

    For more details, refer to the AWS documentation.

Create IAM role

  1. Sign in to AWS Management Console and select IAM service.

  2. In the sidebar menu, select Access management > Roles. Then, select Create role.

  3. On the Create role page, select the AWS service trusted entity type and the EC2 use case. Then, select Next: Permissions.

  4. Select the policies you want to assign to the role. Then, select Next: Tags.

  5. Assign tags to the role (optional) and select Next: Review.

  6. Enter a role name, add a description (optional), and select Create role.

Assign IAM role to an instance

  1. On the AWS Management Console, select EC2 service.

  2. In the sidebar menu, select Instances.

  3. On the Instances page, select the instance. Then, select Actions > Instance Settings > Attach/Replace IAM Role.

  4. On the Attach/Replace IAM Role page, select the IAM role to attach to your instance. Then select Apply.

Supply credentials in at least one of these locations for the sensor to connect to AWS.

Using an AWS profile name

To use an AWS profile name for your login credentials, set the profile with key-value pairs. You can do this in the AWS credential profiles file located at the default location (~/.aws/credentials), which is shared by all AWS SDKs and the AWS CLI.

For successful authentication, we recommend:

  • Adding the AWS_CREDENTIAL_PROFILES_FILE environment variable.
  • Setting the credential file to a location where both the sensor and the user have access to it.

For example: AWS_CREDENTIAL_PROFILES_FILE=path/to/credentials_file

[default]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[profile1]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[profile2]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

[profile3]
aws_access_key_id = YOUR_ACCESS_KEY_ID
aws_secret_access_key = YOUR_SECRET_ACCESS_KEY

If you are working with multiple AWS accounts, you can easily switch between your accounts by creating multiple profiles (sets of credentials) in your credentials file.

Each section (for example, [default], [profile1], [profile2], and so on) represents a separate credential profile. The name in square brackets is the profile name.

If you do not enter an AWS profile name at the login prompt, the sensor uses your AWS account ID as the profile name (the prompt in login method 3 above says the same).
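The following is an added example for this page, not DigiCert sensor code, covering both the default credential provider chain described above (environment variables, then the credentials profiles file, then the EC2 instance profile) and the profile-name fallback to the account ID. It walks the chain in the documented order, honours AWS_CREDENTIAL_PROFILES_FILE as the page recommends, and reports the conditions that would stop a named profile from working: file missing, profile missing, a key missing, or a file left readable by other users. The sensor's own resolver is not public, so the chain order here mirrors the page rather than the product's code; the credentials file it writes is constructed and its key values are placeholders.

```python
# Added example (not DigiCert sensor code): walk the default credential
# provider chain in the order the page gives, check a profiles file, and
# apply the empty-profile-name fallback to the AWS account ID.
# The sample credentials file is constructed; its values are placeholders.
import configparser
import os
import stat
import tempfile

DEFAULT_PROFILES_FILE = os.path.expanduser("~/.aws/credentials")

# Constructed file: a usable [default], a usable named profile, and a
# profile named after the account ID that is missing its secret key.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = EXAMPLE-ACCESS-KEY-DEFAULT
aws_secret_access_key = EXAMPLE-SECRET-DEFAULT

[profile1]
aws_access_key_id = EXAMPLE-ACCESS-KEY-1
aws_secret_access_key = EXAMPLE-SECRET-1

[123456789012]
aws_access_key_id = EXAMPLE-ACCESS-KEY-ACCOUNT
"""


def profiles_file_path(env):
    """AWS_CREDENTIAL_PROFILES_FILE wins, as the page recommends; else the SDK default."""
    return env.get("AWS_CREDENTIAL_PROFILES_FILE") or DEFAULT_PROFILES_FILE


def load_profiles(path):
    """Parse the INI-style profiles file into {profile_name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    return {name: dict(parser[name]) for name in parser.sections()}


def resolve_profile_name(entered_name, account_id):
    """Login method 3: an empty profile name means 'use the AWS account ID'."""
    return entered_name.strip() or account_id


def check_profile(path, profile_name):
    """Findings that would stop the sensor using this profile (empty = usable)."""
    if not os.path.isfile(path):
        return [f"profiles file not found: {path}"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {oct(mode)} is group/world accessible; expected 0o600")
    profiles = load_profiles(path)
    if profile_name not in profiles:
        findings.append(f"profile [{profile_name}] not found; present: {sorted(profiles)}")
        return findings
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not profiles[profile_name].get(key):
            findings.append(f"profile [{profile_name}] lacks {key}")
    return findings


def credential_source(env, imds_available=False):
    """Name the first link of the chain that satisfies the lookup, or None.

    The profiles-file link reads the [default] profile, which is what the
    chain uses when no profile name is supplied.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"
    path = profiles_file_path(env)
    if os.path.isfile(path) and "default" in load_profiles(path):
        return "profiles-file"
    if imds_available:
        return "instance-profile"
    return None


def demo():
    """Write the constructed file to a temp dir and exercise every check."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "credentials")
    with open(path, "w") as fh:
        fh.write(SAMPLE_CREDENTIALS)
    os.chmod(path, 0o600)
    file_env = {"AWS_CREDENTIAL_PROFILES_FILE": path}
    missing_env = {"AWS_CREDENTIAL_PROFILES_FILE": os.path.join(tmpdir, "absent")}
    results = {
        "env_first": credential_source({"AWS_ACCESS_KEY_ID": "k", "AWS_SECRET_ACCESS_KEY": "s", **file_env}),
        "file_second": credential_source(file_env),
        "imds_third": credential_source(missing_env, imds_available=True),
        "nothing": credential_source(missing_env),
        "profile1": check_profile(path, "profile1"),
        "account_fallback": check_profile(path, resolve_profile_name("  ", "123456789012")),
        "unknown": check_profile(path, "profile9"),
    }
    os.chmod(path, 0o644)  # a file copied into place without tightening its mode
    results["loose_mode"] = check_profile(path, "profile1")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The permission check is the one item the page's wording ("a location where both the sensor and the user have access to it") does not spell out: making the file reachable by the sensor's service account is necessary, but the access keys inside it should not be readable by every local user, so the check flags group or world bits on the file.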