AWS Certificate Manager（ACM）

AWS 統合コネクタにより、DigiCert® Trust Lifecycle Manager を使用して、Trust Lifecycle Manager アカウントで使用可能ないずれかの発行 CA アカウントから、既存の証明書のインポートと、AWS Certificate Manager（ACM）への新しい証明書の登録と配信の自動化を行うことができます。

このコネクタは、ネットワーク内のオンプレミスの DigiCert センサーを使用して、以下のいずれかのスコープについて AWS（Amazon Web Services）との統合を安全に管理できるように支援します。

組織スコープ: AWS 組織内の複数のアカウントに接続します。
アカウントスコープ: 特定の AWS アカウントに接続します。

認証方法

Trust Lifecycle Manager は、AWS 統合コネクタで AWS（Amazon Web Services）組織またはアカウントに対するさまざまな認証方法をサポートしています。

Supported AWS authentication methods

Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.

Authentication method	Configuration parameters	Description
Self-authentication (Direct input)	Access key Secret key	Trust Lifecycle Manager のコネクタ設定ページで、AWS クレデンシャルを入力します。
Self-authentication (Secrets manager)	Secrets manager connector Access key Secret key	Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector: Select the Secrets manager connector to use. If there's only one available connector, it preselects. Enter references to the PAM vaults containing the Access key and Secret key. The reference format depends on the PAM service: BeyondTrust: Use the format SystemName/AccountName (for example, `AWSTLM/AdminAccount`). CyberArk: Use the format AccountName (for example, `My-AWS-credentials` ).
Default AWS credential provider chain	—	DigiCert 管理センサーに対して、以下のいずれかの方法で構成されたデフォルトの AWS クレデンシャルを使用します。環境変数: 『AWS の公式ドキュメント』に記載されているとおり、センサーシステムで環境変数として AWS クレデンシャルを設定します。デフォルトプロファイル: 『AWS の公式ドキュメント』に記載されているとおり、AWS クレデンシャルを、センサーシステム上の AWS config ファイルと credentials ファイル内のデフォルトプロファイルに追加します。
AWS profile name	Profile name	『AWS の公式ドキュメント』に記載されているとおり、管理センサー上のローカルの AWS config ファイルおよび credentials ファイル内の名前付きプロファイルから AWS クレデンシャルを使用します。［プロファイル名］パラメータに、センサーシステムで使用する AWS プロファイルの名前を入力します。

DigiCert センサーでのAWS ファイルの場所

デフォルトの AWS クレデンシャルプロバイダチェーンとAWS プロファイル名の認証方法では、DigiCert 管理センサーは、センサーのオペレーティングシステム（OS）に応じて以下のデフォルトディレクトリ内の AWS config ファイルおよび credentials ファイルを探します。

DigiCert センサーの OS	AWS config および credentials ファイルのデフォルトディレクトリ
Windows	C:\Windows\System32\config\systemprofile\.aws
Linux	/root/.aws
Docker	~/.aws/:/root/.aws （注: このパスを、docker-compose.yml ファイル内の「volumes」の下に追加します。）

DigiCert センサーの OS

AWS config および credentials ファイルのデフォルトディレクトリ

Windows

C:\Windows\System32\config\systemprofile\.aws

Linux

/root/.aws

Docker

~/.aws/:/root/.aws

（注: このパスを、docker-compose.yml ファイル内の「volumes」の下に追加します。）

必要な最小権限

AWS 統合コネクタでは、コネクタを組織スコープとアカウントスコープのどちらについて構成するかに応じて、以下の権限を持つ AWS ユーザーのクレデンシャルが必要です。

組織スコープ

To use the management account to authenticate an AWS unified connector with organization scope:

Make sure the AWS Account Management service is enabled for the AWS organization.

Create a user in the management account for the AWS organization, using one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions and inline custom policy.

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	List all member accounts in the organization.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`CloudFrontFullAccess`	Manage certificates associated with CloudFront distributions.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

以下に示すとおり、共通の IAM ロールを介して管理アカウントから AWS 組織のメンバーアカウントにアクセスするためのインラインのカスタムポリシーを作成します。

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole",
               "sts:GetSessionToken",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": [
               "arn:aws:iam::*:role/<Common IAM role name>"
            ]
       }
   ]
}

注記

デフォルトでは、AWS 組織のすべてのメンバーアカウントが OrganizationAccountAccessRole という共通の IAM ロールを持ちます。このデフォルトの IAM ロールを使用して統合をセットアップできます。また、カスタム IAM ロールを作成してすべてのメンバーアカウントに適用できます。

Common IAM role for member accounts

The common IAM role used for the member accounts must include one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- CloudFrontFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeAccountLimits
cloudfront:ListDistributions
cloudfront:GetDistribution
cloudfront:UpdateDistribution
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "account:ListRegions",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeAccountLimits",
                "cloudfront:ListDistributions",
		"cloudfront:GetDistribution",
		"cloudfront:UpdateDistribution",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSigningCertificates",
                "iam:GetServerCertificate",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DeleteSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Common IAM role for member accounts

In addition, you need a common IAM role that provides access to ACM and ELB in all the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.

注記

The common IAM role used for the member accounts must include one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- CloudFrontFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeAccountLimits
cloudfront:ListDistributions
cloudfront:GetDistribution
cloudfront:UpdateDistribution
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

Organization scope (member account)

To use a member (non-management) account to authenticate an AWS unified connector with organization scope:

Make sure the AWS Account Management service is enabled for the AWS organization.
Follow the steps below to create a user in the member account and set up the required roles in the management account and child accounts.

Step 1: Create user in the member account

Create a user in the member account to use for authentication, using one of the following methods to apply permissions.

For the simplest setup, apply the following AWS-managed permissions and inline custom policy.

Permissions

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	Validate access to the AWS Organizations service.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`CloudFrontFullAccess`	Manage certificates associated with CloudFront distributions.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Inline custom policy

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:AssumeRole",
               "sts:GetSessionToken",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": "arn:aws:iam::*:role/*"
       }
   ]
}

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "organizations:ListAccounts",
                "organizations:ListAccountsForParent",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListOrganizationalUnitsForParent",
                "organizations:ListRoots",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "account:ListRegions",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "acm:GetCertificate",
                "acm:ListTagsForCertificate",
                "acm:ImportCertificate",
                "acm:AddTagsToCertificate",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeAccountLimits",
                "cloudfront:ListDistributions",
		"cloudfront:GetDistribution",
		"cloudfront:UpdateDistribution",
                "iam:ListServerCertificates",
                "iam:ListServerCertificateTags",
                "iam:ListSigningCertificates",
                "iam:GetServerCertificate",
                "secretsmanager:ListSecrets",
                "secretsmanager:GetSecretValue",
                "secretsmanager:ListSecretVersionIds",
                "secretsmanager:DeleteSecret",
                "secretsmanager:CreateSecret",
                "secretsmanager:PutSecretValue",
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Step 2: Create custom role in the management account

Create a custom role (for example, CrossAccountAccess) in the management account, with the following properties:

Trusts the user account created in step 1.
Includes the AWSOrganizationReadOnly permission.
(Optional) To discover certificates in the management account, also includes the AWSCertificateManagerFullAccess permission.

Step 3: Create custom role in all child accounts

Create a custom role in all the child accounts to manage through the connector, with the following properties:

Same name as the custom role created in the management account in step 2.
Trusts the user account created in step 1.

Includes one of the following permission sets:

AWS-managed permissions:
- AWSCertificateManagerFullAccess
- ElasticLoadBalancingFullAccess
- CloudFrontFullAccess
- IAMReadOnlyAccess

Custom policy with the following actions:

acm:ListCertificates
acm:DescribeCertificate
acm:GetCertificate
acm:ListTagsForCertificate
acm:ImportCertificate
acm:AddTagsToCertificate
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:SetLoadBalancerListenerSSLCertificate
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeListenerAttributes
elasticloadbalancing:DescribeListenerCertificates
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DescribeSSLPolicies
elasticloadbalancing:AddListenerCertificates
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyListenerAttributes
elasticloadbalancing:RemoveListenerCertificates
elasticloadbalancing:DescribeLoadBalancerPolicyTypes
elasticloadbalancing:DescribeAccountLimits
cloudfront:ListDistributions
cloudfront:GetDistribution
cloudfront:UpdateDistribution
iam:ListServerCertificates
iam:ListServerCertificateTags
iam:ListSigningCertificates
iam:GetServerCertificate

アカウントスコープ

以下の権限を持つ IAM ユーザーを AWS アカウントに作成します。

For the simplest setup, apply the following AWS-managed permissions.

権限	目的
`AWSCertificateManagerFullAccess`	AWS Certificate Manager（ACM）で証明書にアクセスし管理します。
`ElasticLoadBalancingFullAccess`	Manage certificates associated with Elastic Load Balancing (ELB) listeners.
`CloudFrontFullAccess`	Manage certificates associated with CloudFront distributions.
`IAMReadOnlyAccess`	Discover IAM server certificates.
`SecretsManagerReadWrite`	発行された証明書と秘密鍵を ACM に配信する前に、AWS Secrets Manager に秘密鍵を一時的に保管します。以下の点に注意してください。この権限は任意です。省略した場合、AWS Secrets Manager の代わりにDigiCert 管理センサーが一時的な鍵保管に使用されます。証明書が発行され、秘密鍵と一緒に ACM に配信されたら、一時鍵は自動的に削除されます。

Instead of AWS-managed permissions, you can use granular permissions in a least-privilege model. To do so, create a custom policy with the following actions.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": [
                                "acm:ListCertificates",
				"acm:DescribeCertificate",
				"acm:GetCertificate",
				"acm:ListTagsForCertificate",
				"acm:ImportCertificate",
				"acm:AddTagsToCertificate",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:ModifyLoadBalancerAttributes",
				"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
				"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
				"elasticloadbalancing:DescribeListenerAttributes",
				"elasticloadbalancing:DescribeListenerCertificates",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeSSLPolicies",
				"elasticloadbalancing:AddListenerCertificates",
				"elasticloadbalancing:ModifyListener",
				"elasticloadbalancing:ModifyListenerAttributes",
				"elasticloadbalancing:RemoveListenerCertificates",
				"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                                "elasticloadbalancing:DescribeAccountLimits",
                                "cloudfront:ListDistributions",
				"cloudfront:GetDistribution",
				"cloudfront:UpdateDistribution",
				"iam:ListServerCertificates",
				"iam:ListServerCertificateTags",
				"iam:ListSigningCertificates",
				"iam:GetServerCertificate",	
				"secretsmanager:ListSecrets",
				"secretsmanager:GetSecretValue",
				"secretsmanager:ListSecretVersionIds",
				"secretsmanager:DeleteSecret",
				"secretsmanager:CreateSecret",
				"secretsmanager:PutSecretValue"
			],
			"Resource": [
				"*"
			]
		}
	]
}

次の手順

After setting up the AWS credentials to use for authentication, you're ready to add an AWS unified connector in Trust Lifecycle Manager.

このセクションの内容: