Add an AWS unified connector

With an AWS unified connector, you can use DigiCert® Trust Lifecycle Manager to discover and automate certificates for AWS Certificate Manager (ACM), CloudFront, and Elastic Load Balancing (ELB), issuing certificates from any of the CAs available in your Trust Lifecycle Manager account.

The connector uses an on-premises DigiCert sensor within your network to help securely manage the integration with Amazon Web Services (AWS), for one of the following scopes:

Organization scope: Connect to multiple accounts within an AWS organization.
Account scope: Connect to a specific AWS account.

When you add the connector, you have the option to import existing certificates from connected ACM instances to your centralized inventory in Trust Lifecycle Manager. From there, you can manage and automate lifecycles for all your ACM, CloudFront, and ELB certificates, ensuring all your systems remain protected.

Important

For AWS China, the AWS unified connector does not currently support CloudFront or ELB integrations.

Before you begin

You need at least one active DigiCert sensor on your network to establish and manage the connection to Amazon Web Services (AWS). To learn more, see Deploy and manage sensors.
Set up the required AWS credentials for authenticating the connector. To learn more, see Configure authentication and permissions for AWS connectors.

Add the AWS unified connector

To add the AWS unified connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
Under Cloud services, select the option for AWS unified.
Complete the Add connector form as described in the following steps.
Configure general properties for the connector in the top section:
- Name: Enter a friendly name for the connector to help identify it.
- Business unit: Select a business unit for this connector for administrative purposes. Only users assigned to this business unit can manage the connector.
- Managing sensor: Select an active DigiCert sensor on your network to establish and manage the connection to Amazon Web Services (AWS).
In the Link account section, select a scope and enter the requested information for it.
sidebar. Organization scope
To connect to an AWS organization and all its child accounts:
AWS scope: Select Organization.
Account ID: Enter the ID of the management or member account to use for authentication in the AWS organization.
IAM role: Enter the name of an IAM role present in all the child accounts to manage, which provides access to ACM and ELB in each account.
Organizational unit ID (optional): To limit the scope of the connector, enter the ID of an organizational unit (OU) containing the AWS accounts and nested OUs to manage. Leave empty to manage all accounts in the organization.
Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it. To learn more, see authentication methods.
sidebar. Account scope
To connect to a specific AWS account:
AWS scope: Select Account.
Account ID: Enter the ID of the AWS account to connect to.
Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it. To learn more, see authentication methods.
Under Additional settings, select the Enable ACM reimports checkbox to support the reimport of certificates into ACM using the same ARNs and service bindings. Admins can choose to skip reimports when requesting or automating a certificate.
If this option is not enabled, the system assigns a new ARN each time it delivers a certificate to ACM, which requires reconfiguration of service bindings for existing certificates.
Important
ACM reimports only work if the new certificate has at least one domain name, matching Key Usage and Extended Key Usage extension values, and the same key type and key size as the original certificate. For more information, refer to the official AWS documentation.
To import certificates into Trust Lifecycle Manager from ACM in the connected AWS account(s), toggle on Import attributes and configure the following:
- Import certificates: All valid certificates get imported by default. Select whether to also import expired or revoked certificates. For expired certificates, select a date range to import.
- Business unit: (Optional) Assign the imported certificates to a business unit in Trust Lifecycle Manager. Only admins for this business unit can manage the certificates.
- Certificate assignment rules: (Optional) Select assignment rules for automatically assigning metadata to imported certificates.
- Import frequency: Select a schedule for how often to check for new certificates to import from ACM (every 24 hours by default).
Select Add to create the AWS unified connector with the configured settings.

What's next

Discovery

Trust Lifecycle Manager imports certificates from any CloudFront distributions and Elastic Load Balancing (ELB) Application, Network, or Classic load balancers in the connected AWS account(s).
If you enabled Import attributes, Trust Lifecycle Manager also imports all other existing certificates from AWS Certificate Manager (ACM) in the connected AWS account(s).
On the Integrations > Connectors page, select the connector by name to view the connector details and see the number of assets Trust Lifecycle Manager found on it. You can use the links in the Assets found section to view those assets in your inventory.
For Organization scope connectors, select the View details link in the account section of the connector details page to see the complete hierarchy of AWS accounts that Trust Lifecycle Manager discovered in your AWS organization.

Automation

Use the managed automation solution to automate certificate deployments for the services in connected AWS accounts, as follows:

AWS service	Automation setup
AWS Certificate Manager (ACM)	Select the `Admin web request` enrollment method in certificate profiles for automated delivery to ACM. Use the Admin web request function to request a new certificate from Trust Lifecycle Manager and deliver it to ACM in the connected AWS accounts.
CloudFront	Select the `DigiCert sensor` enrollment method in certificate profiles for automating the certificates deployed in CloudFront distributions.
Elastic Load Balancing (ELB)	Select the `DigiCert sensor` enrollment method in certificate profiles for automating the certificates deployed on ELB load balancers. To learn more, see View and manage ELB load balancer assets.

Endpoint locations for AWS certificates

The Inventory > Endpoints table uses the following formats for the endpoint Location field values of certificates deployed to AWS services and accessed via an AWS unified connector:

AWS service	Endpoint location value	Example
AWS Certificate Manager (ACM)	The Amazon Resource Name (ARN) for the certificate object.	`arn:aws:acm:us-east-1:123456789012:certificate/7f3c9d21-b8a4-4e6f-a2d7-91c5e8b4f632`
CloudFront	The ARN for the CloudFront distribution.	`arn:aws:cloudfront::123456789012:distribution/E1ABCDEF234567:443`
Elastic Load Balancing (ELB)	The ARN for the ELB listener.	`arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/my-network-lb/1234567890abcdef/abcdef1234567890:443`

Tip

Use the IP/Port filter in the Location column header to filter by specific parts of the endpoint location value, such as the AWS region (us-east-1) or account ID (123456789012).

In this section: