AWS CloudFront

With an AWS CloudFront connector, you can use DigiCert® Trust Lifecycle Manager to discover and manage certificates in the AWS CloudFront content delivery network (CDN).

The connector uses an on-premises DigiCert sensor within your network to help securely manage the integration with Amazon Web Services (AWS).

When you add the connector, Trust Lifecycle Manager discovers existing certificates in AWS CloudFront and adds them to your centralized inventory. From there, you can manage and automate certificate lifecycles in the CloudFront CDN to ensure you always have valid certificates deployed.

Before you begin

You need at least one active DigiCert sensor on your network to establish and manage the connection to AWS CloudFront. To learn more, see Deploy and manage sensors.
Make sure the sensor system is configured with your AWS credentials or that you have the AWS access key and secret key on hand to use to configure the connector, as described in the authentication methods section.
Make sure the AWS credentials you use are for an AWS account that includes the following AWS managed policies or equivalent permissions:
- CloudFrontFullAccess
- AWSCertificateManagerFullAccess
- IAMReadOnlyAccess

Authentication methods

Trust Lifecycle Manager supports different methods for authenticating to your Amazon Web Services (AWS) account in an AWS CloudFront connector.

Supported AWS authentication methods

Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.

Authentication method	Configuration parameters	Description
Self-authentication	Access key Secret key	Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager.
Default AWS credential provider chain	—	Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways: Environment variables: Configure the AWS credentials as environment variables on the sensor system, as described in the official AWS documentation. Default profile: Add the AWS credentials to the default profile in the AWS config and credentials files on the sensor system, as described in the official AWS documentation.
AWS profile name	Profile name	Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system.

AWS file locations on DigiCert sensors

For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):

DigiCert sensor OS	Default directory for AWS config and credentials files
Windows	C:\Windows\System32\config\systemprofile\.aws
Linux	/root/.aws
Docker	~/.aws/:/root/.aws (Note: Add this path under "volumes" in the docker-compose.yml file.)

DigiCert sensor OS

Default directory for AWS config and credentials files

Windows

C:\Windows\System32\config\systemprofile\.aws

Linux

/root/.aws

Docker

~/.aws/:/root/.aws

(Note: Add this path under "volumes" in the docker-compose.yml file.)

Add the AWS CloudFront connector

To add the AWS CloudFront connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
Under Cloud services, select the option for AWS CloudFront.
Fill out the Add connector form:
- Name: Enter a friendly name for the connector to help identify it.
- Business unit: Select a business unit for this connector for administrative purposes. Only users assigned to this business unit can manage the connector.
- Managing sensor: Select an active DigiCert sensor on your network to establish and manage the connection to your Amazon Web Services (AWS) account.
- Account ID: Enter the ID of your AWS account with the CloudFront instance to manage through Trust Lifecycle Manager.
- Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it, as described in the authentication methods section above.
Select Add to create the AWS CloudFront connector with the configured settings.

What's next

Discovery

Trust Lifecycle Manager discovers existing certificates and unsecured endpoints in the connected AWS CloudFront instance.
On the Integrations > Connectors page, select the connector by name to view the connector details and see the number of assets Trust Lifecycle Manager found on it. You can use the links in the Assets found section to view those assets in your inventory.

Automation

To automate management of certificates in a connected AWS CloudFront instance, set up certificate lifecycle automation.
Select the DigiCert sensor enrollment method in any certificate automation profiles you create for managing CloudFront certificates.

In diesem Abschnitt: