AWS Certificate Manager (ACM)

With an AWS unified connector, you can use DigiCert® Trust Lifecycle Manager to import existing certificates and automate enrollment and delivery of new certificates to AWS Certificate Manager (ACM) from any of the issuing CAs available in your Trust Lifecycle Manager account.

The connector uses an on-premises DigiCert sensor within your network to help securely manage the integration with Amazon Web Services (AWS), for one of the following scopes:

Organization scope: Connect to multiple accounts within an AWS organization.
Account scope: Connect to a specific AWS account.

When you add the connector, you have the option to schedule imports from the connected ACM instance(s) to have Trust Lifecycle Manager import existing certificates to your centralized inventory. From there, you can monitor certificate lifecycles and request new certificates with automated delivery to ACM, ensuring you always have valid certificates deployed.

Before you begin

You need at least one active DigiCert sensor on your network to establish and manage the connection to the AWS Certificate Manager service. To learn more, see Deploy and manage sensors.
Make sure the sensor system is set up with your AWS credentials or that you have the AWS access key and secret key on hand to use to configure the connector, as described in the authentication methods section.
Make sure the AWS credentials you use are for an AWS account that has the minimum required permissions for either Organization scope or Account scope.

Authentication methods

Trust Lifecycle Manager supports different methods for authenticating to your Amazon Web Services (AWS) organization or account in an AWS unified connector.

Supported AWS authentication methods

Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.

Authentication method	Configuration parameters	Description
Self-authentication	Access key Secret key	Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager.
Default AWS credential provider chain	—	Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways: Environment variables: Configure the AWS credentials as environment variables on the sensor system, as described in the official AWS documentation. Default profile: Add the AWS credentials to the default profile in the AWS config and credentials files on the sensor system, as described in the official AWS documentation.
AWS profile name	Profile name	Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system.

AWS file locations on DigiCert sensors

For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):

DigiCert sensor OS	Default directory for AWS config and credentials files
Windows	C:\Windows\System32\config\systemprofile\.aws
Linux	/root/.aws
Docker	~/.aws/:/root/.aws (Note: Add this path under "volumes" in the docker-compose.yml file.)

DigiCert sensor OS

Default directory for AWS config and credentials files

Windows

C:\Windows\System32\config\systemprofile\.aws

Linux

/root/.aws

Docker

~/.aws/:/root/.aws

(Note: Add this path under "volumes" in the docker-compose.yml file.)

Minimum required permissions

AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for organization scope or account scope.

Organization scope

Make sure the AWS Account Management service is enabled for the AWS organization.

Create a user in the management account for the AWS organization, with the following permissions and inline custom policy.

Permissions

Permission	Purpose
`AWSOrganizationsReadOnlyAccess`	List all member accounts in the organization.
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Inline custom policy

Create an inline custom policy as shown below to access the AWS organization's member accounts from the management account via a common IAM role.

For the <Common IAM role name> parameter, provide the name of a common IAM role that provides access to ACM in all the member accounts. Use this same role name when configuring the AWS unified connector in DigiCert® Trust Lifecycle Manager.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:GetSessionToken",
               "sts:AssumeRole",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": [
               "arn:aws:iam::*:role/<Common IAM role name>"
            ]
       }
   ]
}

Aviso

By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.

Account scope

Create an IAM user in the AWS account, with the following permissions.

Permission	Purpose
`AWSCertificateManagerFullAccess`	Access and manage certificates in AWS Certificate Manager (ACM).
`SecretsManagerReadWrite`	Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager. Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Add the AWS unified connector

To add the AWS unified connector in Trust Lifecycle Manager:

From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
Under Cloud services, select the option for AWS unified.
Complete the Add connector form as described in the following steps.
Configure general properties for the connector in the top section:
- Name: Enter a friendly name for the connector to help identify it.
- Business unit: Select a business unit for this connector for administrative purposes. Only users assigned to this business unit can manage the connector.
- Managing sensor: Select an active DigiCert sensor on your network to establish and manage the connection to Amazon Web Services (AWS).
In the Link account section, select a scope and enter the requested information for it.
|
barra lateral. Organization scope
To connect to an AWS organization and all its child accounts:
AWS scope: Select Organization.
Account ID: Enter the ID of the management account in the AWS organization.
IAM role: Enter the name of an IAM role present in all the child accounts to manage, which provides access to ACM in each account.
Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it, as described in the authentication methods section above.
barra lateral. Account scope
To connect to a specific AWS account:
AWS scope: Select Account.
Account ID: Enter the ID of the AWS account to connect to.
Authentication method: Select an AWS authentication method and fill in the requested configuration parameters for it, as described in the authentication methods section above.
To import certificates from ACM in the connected AWS account(s), toggle on Import attributes and configure the following:
- Import certificates: All valid certificates get imported by default. Select whether to also import expired or revoked certificates. For expired certificates, select a date range to import.
- Business unit (optional): Assign the imported certificates to a business unit in Trust Lifecycle Manager. Only admins for this business unit can manage the certificates.
- Tags (optional): Assign tags to the imported certificates to help identify and manage them in Trust Lifecycle Manager.
- Import frequency: Select a schedule for how often to check for new certificates to import from ACM (every 24 hours by default).
Select Add to create the AWS unified connector with the configured settings.

What's next

Discovery

If you enabled Import attributes, Trust Lifecycle Manager looks for existing certificates to import from AWS Certificate Manager (ACM) in the connected AWS account(s). It adds the discovered certificates to your centralized Inventory.
On the Integrations > Connectors page, select the connector by name to view the connector details and see the number of assets Trust Lifecycle Manager found on it. You can use the links in the Assets found section to view those assets in your inventory.
For Organization scope connectors, select the View details link in the account section of the connector details page to see the complete hierarchy of AWS accounts that Trust Lifecycle Manager discovered in your AWS organization.

Automation

To enroll certificates from CAs in your Trust Lifecycle Manager account with automated delivery to AWS Certificate Manager (ACM), set up certificate lifecycle automation.
Select the Admin web request enrollment method in any certificate automation profiles you create for delivering certificates to ACM.
Use the Admin web request function whenever you need to issue a new certificate from Trust Lifecycle Manager and deliver it to the connected ACM instance(s).