AWS Certificate Manager(ACM)
AWS 統合コネクタにより、DigiCert® Trust Lifecycle Manager を使用して、Trust Lifecycle Manager アカウントで使用可能ないずれかの発行 CA アカウントから、既存の証明書のインポートと、AWS Certificate Manager(ACM)への新しい証明書の登録と配信の自動化を行うことができます。
このコネクタは、ネットワーク内のオンプレミスの DigiCert センサーを使用して、以下のいずれかのスコープについて AWS(Amazon Web Services)との統合を安全に管理できるように支援します。
組織スコープ: AWS 組織内の複数のアカウントに接続します。
アカウントスコープ: 特定の AWS アカウントに接続します。
認証方法
Trust Lifecycle Manager は、AWS 統合コネクタで AWS(Amazon Web Services)組織またはアカウントに対するさまざまな認証方法をサポートしています。
Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.
Authentication method | Configuration parameters | Description |
|---|---|---|
Self-authentication (Direct input) |
| Trust Lifecycle Manager のコネクタ設定ページで、AWS クレデンシャルを入力します。 |
Self-authentication (Secrets manager) |
| Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector:
|
Default AWS credential provider chain | — | DigiCert 管理センサーに対して、以下のいずれかの方法で構成されたデフォルトの AWS クレデンシャルを使用します。
|
AWS profile name |
| 『AWS の公式ドキュメント』に記載されているとおり、管理センサー上のローカルの AWS config ファイルおよび credentials ファイル内の名前付きプロファイルから AWS クレデンシャルを使用します。[プロファイル名] パラメータに、センサーシステムで使用する AWS プロファイルの名前を入力します。 |
デフォルトの AWS クレデンシャルプロバイダチェーンとAWS プロファイル名の認証方法では、DigiCert 管理センサーは、センサーのオペレーティングシステム(OS)に応じて以下のデフォルトディレクトリ内の AWS config ファイルおよび credentials ファイルを探します。
必要な最小権限
AWS 統合コネクタでは、コネクタを組織スコープとアカウントスコープのどちらについて構成するかに応じて、以下の権限を持つ AWS ユーザーのクレデンシャルが必要です。
注記
This following instructions focus on AWS-managed permissions, the recommended approach for ease of setup and maintenance. For information about using granular AWS permissions instead, see Granular permissions for AWS connectors.
To use the management account to authenticate an AWS unified connector with organization scope:
Make sure the AWS Account Management service is enabled for the AWS organization.
Create a user in the management account for the AWS organization, with the following AWS-managed permissions:
Permission
Purpose
AWSOrganizationsReadOnlyAccessList all member accounts in the organization.
AWSCertificateManagerFullAccessAccess and manage certificates in AWS Certificate Manager (ACM).
ElasticLoadBalancingFullAccessManage certificates associated with Elastic Load Balancing (ELB) listeners.
CloudFrontFullAccessManage certificates associated with CloudFront distributions.
IAMReadOnlyAccessDiscover IAM server certificates.
SecretsManagerReadWriteTemporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:
This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.
Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.
Apply the following inline custom policy to the management account user, to enable access to the AWS organization's member accounts via a common IAM role:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:GetSessionToken", "sts:GetAccessKeyInfo" ], "Resource": [ "arn:aws:iam::*:role/<Common IAM role name>" ] } ] }For the <Common IAM role name> parameter, provide the name of a common IAM role to use for setting up access to the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager.
注記
デフォルトでは、AWS 組織のすべてのメンバーアカウントが
OrganizationAccountAccessRoleという共通の IAM ロールを持ちます。このデフォルトの IAM ロールを使用して統合をセットアップできます。また、カスタム IAM ロールを作成してすべてのメンバーアカウントに適用できます。Make sure the common IAM role referenced in the previous step is applied to all the member accounts to manage, and includes the following AWS-managed permissions:
AWSCertificateManagerFullAccessElasticLoadBalancingFullAccessCloudFrontFullAccessIAMReadOnlyAccess
To use a member (non-management) account to authenticate an AWS unified connector with organization scope:
Make sure the AWS Account Management service is enabled for the AWS organization.
Create a user in the member account to use for authentication, with the following AWS-managed permissions:
Permission
Purpose
AWSOrganizationsReadOnlyAccessValidate access to the AWS Organizations service.
AWSCertificateManagerFullAccessAccess and manage certificates in AWS Certificate Manager (ACM).
ElasticLoadBalancingFullAccessManage certificates associated with Elastic Load Balancing (ELB) listeners.
CloudFrontFullAccessManage certificates associated with CloudFront distributions.
IAMReadOnlyAccessDiscover IAM server certificates.
SecretsManagerReadWriteTemporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:
This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.
Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.
Apply the following inline custom policy to the member account user, for accessing the AWS organization's other member accounts:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:GetSessionToken", "sts:GetAccessKeyInfo" ], "Resource": "arn:aws:iam::*:role/*" } ] }Create a custom role (for example,
CrossAccountAccess) in the management account, with the following properties:Trusts the user account created in step 2.
Includes the
AWSOrganizationsReadOnlyAccesspermission.(Optional) To discover certificates in the management account itself, also includes the
AWSCertificateManagerFullAccesspermission.
Create a custom role in all the child accounts to manage through the connector, with the following properties:
Same name as the custom role created in the management account in step 4.
Trusts the member account user created in step 2.
Includes the following AWS-managed permissions:
以下の権限を持つ IAM ユーザーを AWS アカウントに作成します。
権限 | 目的 |
|---|---|
| AWS Certificate Manager(ACM)で証明書にアクセスし管理します。 |
| Manage certificates associated with Elastic Load Balancing (ELB) listeners. |
| Manage certificates associated with CloudFront distributions. |
| Discover IAM server certificates. |
| 発行された証明書と秘密鍵を ACM に配信する前に、AWS Secrets Manager に秘密鍵を一時的に保管します。以下の点に注意してください。
|
次の手順
After setting up the AWS credentials to use for authentication, you're ready to add an AWS unified connector in Trust Lifecycle Manager.