AWS unified connector

With an AWS unified connector, you can use DigiCert® Trust Lifecycle Manager to discover and automate certificates for AWS Certificate Manager (ACM) and Elastic Load Balancing (ELB), issuing certificates from any of the CAs available in your Trust Lifecycle Manager account.

The connector uses an on-premises DigiCert sensor within your network to help securely manage the integration with Amazon Web Services (AWS), for one of the following scopes:

Organization scope: Connect to multiple accounts within an AWS organization.
Account scope: Connect to a specific AWS account.

Once you add the connector, you have the option to import existing certificates from the connected ACM instances to your centralized inventory in Trust Lifecycle Manager. From there, you can manage and automate certificate lifecycles within ACM and for ELB load balancers, ensuring all your systems remain protected.

Before you begin

You need at least one active DigiCert sensor on your network to establish and manage the connection to the AWS Certificate Manager service. To learn more, see Deploy and manage sensors.
Prepare to provide AWS credentials for the connector, using one of the methods described in the authentication methods section.
Make sure the AWS credentials are for an AWS account that has the required permissions for either organization or account scope.

Authentication methods

Trust Lifecycle Manager supports different methods for authenticating your Amazon Web Services (AWS) organization or account in an AWS unified connector.

Supported AWS authentication methods

Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.

Authentication method	Configuration parameters	Description
Self-authentication (Direct input)	Access key Secret key	Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager.
Self-authentication (Secrets manager)	Secrets manager connector Access key Secret key	Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector: Select the Secrets manager connector to use. If there's only one available connector, it preselects. Enter references to the PAM vaults containing the Access key and Secret key. The reference format depends on the PAM service: BeyondTrust: Use the format SystemName/AccountName (for example, `AWSTLM/AdminAccount`). CyberArk: Use the format AccountName (for example, `My-AWS-credentials` ).
Default AWS credential provider chain	—	Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways: Environment variables: Configure the AWS credentials as environment variables on the sensor system, as described in the official AWS documentation. Default profile: Add the AWS credentials to the default profile in the AWS config and credentials files on the sensor system, as described in the official AWS documentation.
AWS profile name	Profile name	Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system.

AWS file locations on DigiCert sensors

For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):

DigiCert sensor OS	Default directory for AWS config and credentials files
Windows	C:\Windows\System32\config\systemprofile\.aws
Linux	/root/.aws
Docker	~/.aws/:/root/.aws (Note: Add this path under "volumes" in the docker-compose.yml file.)

DigiCert sensor OS

Default directory for AWS config and credentials files

Windows

C:\Windows\System32\config\systemprofile\.aws

Linux

/root/.aws

Docker

~/.aws/:/root/.aws

(Note: Add this path under "volumes" in the docker-compose.yml file.)

Required permissions

AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for organization scope or account scope. For organization scope, you can use either the management account or a member account for authentication.

Organization scope (management account)

To use the management account to authenticate an AWS unified connector with organization scope:

Make sure the AWS Account Management service is enabled for the AWS organization.

Create a user in the management account for the AWS organization, using one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions and inline custom policy.

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	List all member accounts in the organization.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

In addition to the above permissions, create an inline custom policy (as shown below) to access the AWS organization's member accounts from the management account via a common IAM role. For the <Common IAM role name> parameter, provide the name of a common IAM role that provides access to ACM and ELB in all the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole",
               "sts:GetSessionToken",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": [
               "arn:aws:iam::*:role/<Common IAM role name>"
            ]
       }
   ]
}

Notice

By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.

Common IAM role for member accounts

The common IAM role used for the member accounts must include one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeAccountLimits
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "elasticloadbalancing:DescribeAccountLimits",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "account:ListRegions",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DeleteSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSigningCertificates",
                "iam:GetServerCertificate",
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Common IAM role for member accounts

In addition, you need a common IAM role that provides access to ACM and ELB in all the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.

Notice

The common IAM role used for the member accounts must include one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeAccountLimits
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Organization scope (member account)

To use a member (non-management) account to authenticate an AWS unified connector with organization scope:

Make sure the AWS Account Management service is enabled for the AWS organization.
Follow the steps below to create a user in the member account and set up the required roles in the management account and child accounts.

Step 1: Create user in the member account

Create a user in the member account to use for authentication, using one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions and inline custom policy.

Permissions

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	Validate access to the AWS Organizations service.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Inline custom policy

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole",
               "sts:GetSessionToken",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": "arn:aws:iam::*:role/*"
       }
   ]
}

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "elasticloadbalancing:DescribeAccountLimits",
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "account:ListRegions",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DeleteSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSigningCertificates",
                "iam:GetServerCertificate",
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Step 2: Create custom role in the management account

Create a custom role (for example, CrossAccountAccess) in the management account, with the following properties:

Trusts the user account created in step 1.
Includes the AWSOrganizationReadOnly permission.
(Optional) To discover certificates in the management account, also includes the AWSCertificateManagerFullAccess permission.

Step 3: Create custom role in all child accounts

Create a custom role in all the child accounts to manage through the connector, with the following properties:

Same name as the custom role created in the management account in step 2.
Trusts the user account created in step 1.

Includes one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeAccountLimits
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Account scope

To authenticate an AWS unified connector with account scope, create an IAM user in the AWS account and use one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions.

Permission	Purpose
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": [
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:ModifyLoadBalancerAttributes",
				"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
				"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
				"elasticloadbalancing:DescribeListenerAttributes",
				"elasticloadbalancing:DescribeListenerCertificates",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeSSLPolicies",
				"elasticloadbalancing:AddListenerCertificates",
				"elasticloadbalancing:ModifyListener",
				"elasticloadbalancing:ModifyListenerAttributes",
				"elasticloadbalancing:RemoveListenerCertificates",
				"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
				"acm:ListCertificates",
				"acm:DescribeCertificate",
				"acm:GetCertificate",
				"acm:ListTagsForCertificate",
				"acm:ImportCertificate",
				"acm:AddTagsToCertificate",
				"elasticloadbalancing:DescribeAccountLimits",
				"secretsmanager:ListSecrets",
				"secretsmanager:GetSecretValue",
				"secretsmanager:ListSecretVersionIds",
				"secretsmanager:DeleteSecret",
				"secretsmanager:CreateSecret",
				"secretsmanager:PutSecretValue",
				"iam:ListServerCertificates",
				"iam:ListServerCertificateTags",
				"iam:ListSigningCertificates",
				"iam:GetServerCertificate"
			],
			"Resource": [
				"*"
			]
		}
	]
}

Add the AWS unified connector

To add the AWS unified connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
Under Cloud services, select the option for AWS unified.
Complete the Add connector form as described in the following steps.
Configure general properties for the connector in the top section:
- Name: Enter a friendly name for the connector to help identify it.
- Business unit: Select a business unit for this connector for administrative purposes. Only users assigned to this business unit can manage the connector.
- Managing sensor: Select an active DigiCert sensor on your network to establish and manage the connection to Amazon Web Services (AWS).
In the Link account section, select a scope and enter the requested information for it.
sidebar. Organization scope
To connect to an AWS organization and all its child accounts:
AWS scope: Select Organization.
Account ID: Enter the ID of the management or member account to use for authentication in the AWS organization.
IAM role: Enter the name of an IAM role present in all the child accounts to manage, which provides access to ACM and ELB in each account.
Organizational unit ID (optional): To limit the scope of the connector, enter the ID of an organizational unit (OU) containing the AWS accounts and nested OUs to manage. Leave empty to manage all accounts in the organization.
Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it, as described in the authentication methods section above.
sidebar. Account scope
To connect to a specific AWS account:
AWS scope: Select Account.
Account ID: Enter the ID of the AWS account to connect to.
Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it, as described in the authentication methods section above.
Under Additional settings, select the Enable ACM reimports checkbox to support the reimport of certificates into ACM using the same ARNs and service bindings. Admins can choose to skip reimports when requesting or automating a certificate.
If this option is not enabled, the system assigns a new ARN each time it delivers a certificate to ACM, which requires reconfiguration of service bindings for existing certificates.
Important
ACM reimports only work if the new certificate has at least one domain name, matching Key Usage and Extended Key Usage extension values, and the same key type and key size as the original certificate. For more information, refer to the official AWS documentation.
To import certificates into Trust Lifecycle Manager from ACM in the connected AWS account(s), toggle on Import attributes and configure the following:
- Import certificates: All valid certificates get imported by default. Select whether to also import expired or revoked certificates. For expired certificates, select a date range to import.
- Business unit: (Optional) Assign the imported certificates to a business unit in Trust Lifecycle Manager. Only admins for this business unit can manage the certificates.
- Certificate assignment rules: (Optional) Select assignment rules for automatically assigning metadata to imported certificates.
- Import frequency: Select a schedule for how often to check for new certificates to import from ACM (every 24 hours by default).
Select Add to create the AWS unified connector with the configured settings.

What's next

Discovery

Trust Lifecycle Manager imports certificates from any Elastic Load Balancing (ELB) Application, Network, or Classic load balancers in the connected AWS account(s).
If you enabled Import attributes, Trust Lifecycle Manager also imports all other existing certificates from AWS Certificate Manager (ACM) in the connected AWS account(s).
On the Integrations > Connectors page, select the connector by name to view the connector details and see the number of assets Trust Lifecycle Manager found on it. You can use the links in the Assets found section to view those assets in your inventory.
For Organization scope connectors, select the View details link in the account section of the connector details page to see the complete hierarchy of AWS accounts that Trust Lifecycle Manager discovered in your AWS organization.

Automation

Use the managed automation solution to automate certificate deployments for AWS Certificate Manager (ACM) and Elastic Load Balancing (ELB).

To enroll and deliver certificates to ACM:

Select the Admin web request enrollment method in certificate profiles for automated delivery to ACM.
Use the Admin web request function to issue a new certificate from Trust Lifecycle Manager and deliver it to ACM in the connected AWS accounts.

To manage certificates for ELB load balancers:

Select the DigiCert sensor enrollment method in certificate profiles for automating the certificates deployed on ELB load balancers.
To learn more, see View and manage ELB load balancer assets.

In this section:

AWS unified connector

Before you begin

Authentication methods

Supported AWS authentication methods

AWS file locations on DigiCert sensors

Required permissions

Organization scope (management account)

Notice

Notice

Organization scope (member account)

Step 1: Create user in the member account

Step 2: Create custom role in the management account

Step 3: Create custom role in all child accounts

Account scope

Add the AWS unified connector

Important

What's next

Discovery

Automation