AWS Certificate Manager (ACM)
With an AWS unified connector, you can use DigiCert® Trust Lifecycle Manager to import existing certificates and automate enrollment and delivery of new certificates to AWS Certificate Manager (ACM) from any of the issuing CAs available in your Trust Lifecycle Manager account.
The connector uses an on-premises DigiCert sensor within your network to help securely manage the integration with Amazon Web Services (AWS), for one of the following scopes:
Organization scope: Connect to multiple accounts within an AWS organization.
Account scope: Connect to a specific AWS account.
Once you add the connector, you have the option to import existing certificates from the connected ACM instance(s) to your centralized inventory in Trust Lifecycle Manager. From there, you can monitor certificate lifecycles and request new certificates with automated delivery to ACM, ensuring you always have valid certificates deployed.
Before you begin
You need at least one active DigiCert sensor on your network to establish and manage the connection to the AWS Certificate Manager service. To learn more, see Deploy and manage sensors.
Prepare to provide AWS credentials for the connector, using one of the methods described in the authentication methods section.
Make sure the AWS credentials are for an AWS account that has the minimum required permissions for either Organization scope or Account scope.
Authentication methods
Trust Lifecycle Manager supports different methods for authenticating to your Amazon Web Services (AWS) organization or account in an AWS unified connector.
Use one of the following AWS authentication methods to set up the connector in Trust Lifecycle Manager. The Configuration parameters column shows the parameters you need to provide in Trust Lifecycle Manager for each authentication method.
| Authentication method | Configuration parameters | Description |
|---|---|---|
| Self-authentication (Direct input) | | Enter the AWS credentials on the connector configuration page in Trust Lifecycle Manager. |
| Self-authentication (Secrets manager) | | Use AWS credentials stored in a privileged access management (PAM) platform via a secrets manager connector: |
| Default AWS credential provider chain | — | Use the default AWS credentials on the managing DigiCert sensor, as configured in one of the following ways: |
| AWS profile name | Profile name | Use the AWS credentials from a named profile in the local AWS config and credentials files on the managing sensor, as described in the official AWS documentation. For the Profile name parameter, enter the name of the AWS profile to use on the sensor system. |
For the Default AWS credential provider chain and AWS profile name authentication methods, the managing DigiCert sensor looks for the AWS config and credentials files in the following default directories, depending on the sensor operating system (OS):
Minimum required permissions
AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for organization scope or account scope. For organization scope, you can use either the management account or a member account for authentication.
To use the management account to authenticate an AWS unified connector with organization scope:
Make sure the AWS Account Management service is enabled for the AWS organization.
Create a user in the management account for the AWS organization, with the following permissions and inline custom policy.
Permissions
| Permission | Purpose |
|---|---|
| | List all member accounts in the organization. |
| | Access and manage certificates in AWS Certificate Manager (ACM). |
| | Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: |
Inline custom policy
Create an inline custom policy as shown below to access the AWS organization's member accounts from the management account via a common IAM role.
For the <Common IAM role name> parameter, provide the name of a common IAM role that provides access to ACM in all the member accounts. Use this same role name when configuring the AWS unified connector in DigiCert® Trust Lifecycle Manager.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo"
            ],
            "Resource": [
                "arn:aws:iam::*:role/<Common IAM role name>"
            ]
        }
    ]
}
```
Note
By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.
To use a member (non-management) account to authenticate an AWS unified connector with organization scope:
Make sure the AWS Account Management service is enabled for the AWS organization.
Follow the steps below to create a user in the member account and set up the required roles in the management account and child accounts.
Step 1: Create user in the member account
Create a user in the member account to use for authentication, with the following permissions and inline custom policy.
Permissions
| Permission | Purpose |
|---|---|
| | Validate access to the AWS Organizations service. |
| | Access and manage certificates in AWS Certificate Manager (ACM). |
| | Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: |
Inline custom policy
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo",
                "sts:GetCallerIdentity"
            ],
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}
```
Step 2: Create custom role in the management account
Create a custom role (for example, CrossAccountAccess) in the management account, with the following properties:
Trusts the user account created in step 1.
Includes the AWSOrganizationReadOnly permission.
(Optional) To discover certificates in the management account, also includes the AWSCertificateManagerFullAccess permission.
Step 3: Create custom role in all child accounts
Create a custom role in all the child accounts to manage through the connector, with the following properties:
Same name as the custom role created in the management account in step 2.
Trusts the user account created in step 1.
Includes the AWSCertificateManagerFullAccess permission.
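The policies above (management-account flow and the member-account flow in steps 1 to 3) both rely on a common IAM role being assumable in every member account. The following pre-flight check, an added example that is not DigiCert's connector code, builds that role ARN for each account, assumes it and lists ACM certificates, so accounts where the role is missing or does not trust the user show up before the connector is created. AWS calls are injected as callables so the logic runs offline; `run_with_boto3()` (assumes boto3 is installed and follows the management-account flow) wires in the real SDK, defaulting to the OrganizationAccountAccessRole named in the note above.

```python
"""Pre-flight check for an organization-scope AWS unified connector (added
example, not DigiCert code). For each member account: build the common role
ARN, assume it, list ACM certificates. AWS calls are injected as callables so
the check runs offline; run_with_boto3() wires the real SDK (boto3 assumed)."""
from typing import Callable, Dict, Iterable, List

def role_arn(account_id: str, role_name: str) -> str:
    """Cross-account role ARN matching the inline policy's Resource pattern."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def check_member_accounts(
    account_ids: Iterable[str],
    role_name: str,
    assume_role: Callable[[str], dict],              # role ARN -> temporary credentials
    list_certificates: Callable[[dict], List[str]],  # credentials -> certificate ARNs
) -> Dict[str, dict]:
    """Per account: {"ok": True, "certificates": [...]} or {"ok": False, "error": ...}."""
    results: Dict[str, dict] = {}
    for account_id in account_ids:
        arn = role_arn(account_id, role_name)
        try:
            creds = assume_role(arn)
            certs = list_certificates(creds)
            results[account_id] = {"ok": True, "role": arn, "certificates": certs}
        except Exception as exc:  # AccessDenied or missing role: connector cannot reach it
            results[account_id] = {"ok": False, "role": arn, "error": str(exc)}
    return results

def accounts_missing_role(results: Dict[str, dict]) -> List[str]:
    """Accounts the connector would not be able to manage with this role name."""
    return sorted(acct for acct, r in results.items() if not r["ok"])

def run_with_boto3(role_name: str = "OrganizationAccountAccessRole") -> Dict[str, dict]:
    """Live run: default credential chain lists the org's accounts, then assumes role_name in each."""
    import boto3  # only needed for a live run against AWS
    org, sts = boto3.client("organizations"), boto3.client("sts")
    pages = org.get_paginator("list_accounts").paginate()
    accounts = [a["Id"] for page in pages for a in page["Accounts"]]

    def assume(arn: str) -> dict:
        return sts.assume_role(RoleArn=arn, RoleSessionName="tlm-preflight")["Credentials"]

    def list_certs(creds: dict) -> List[str]:
        acm = boto3.client("acm", aws_access_key_id=creds["AccessKeyId"],
                           aws_secret_access_key=creds["SecretAccessKey"],
                           aws_session_token=creds["SessionToken"])
        pages = acm.get_paginator("list_certificates").paginate()
        return [c["CertificateArn"] for p in pages for c in p["CertificateSummaryList"]]
    return check_member_accounts(accounts, role_name, assume, list_certs)
```

Any account listed by `accounts_missing_role()` needs the role created (or its trust policy fixed) before the connector can discover or deliver certificates there.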
To authenticate an AWS unified connector with account scope, create an IAM user in the AWS account with the following permissions.
| Permission | Purpose |
|---|---|
| | Access and manage certificates in AWS Certificate Manager (ACM). |
| | Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: |
Add the AWS unified connector
To add the AWS unified connector in Trust Lifecycle Manager:
From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
Under Cloud services, select the option for AWS unified.
Complete the Add connector form as described in the following steps.
Configure general properties for the connector in the top section:
Name: Enter a friendly name for the connector to help identify it.
Business unit: Select a business unit for this connector for administrative purposes. Only users assigned to this business unit can manage the connector.
Managing sensor: Select an active DigiCert sensor on your network to establish and manage the connection to Amazon Web Services (AWS).
In the Link account section, select a scope and enter the requested information for it.
Under Additional settings, select the Enable ACM reimports checkbox to support the reimport of certificates into ACM using the same ARNs and service bindings. Admins can choose to skip reimports when requesting or automating a certificate.
If this option is not enabled, the system assigns a new ARN each time it delivers a certificate to ACM, which requires reconfiguration of service bindings for existing certificates.
Important
ACM reimports only work if the new certificate has at least one domain name, matching Key Usage and Extended Key Usage extension values, and the same key type and key size as the original certificate. For more information, refer to the official AWS documentation.
To import certificates into Trust Lifecycle Manager from ACM in the connected AWS account(s), toggle on Import attributes and configure the following:
Import certificates: All valid certificates get imported by default. Select whether to also import expired or revoked certificates. For expired certificates, select a date range to import.
Business unit: (Optional) Assign the imported certificates to a business unit in Trust Lifecycle Manager. Only admins for this business unit can manage the certificates.
Certificate assignment rules: (Optional) Select assignment rules for automatically assigning metadata to imported certificates.
Import frequency: Select a schedule for how often to check for new certificates to import from ACM (every 24 hours by default).
Select Add to create the AWS unified connector with the configured settings.
What's next
Discovery
If you enabled Import attributes, Trust Lifecycle Manager imports existing certificates from AWS Certificate Manager (ACM) in the connected AWS account(s).
On the Integrations > Connectors page, select the connector by name to view the connector details and see the number of assets Trust Lifecycle Manager found on it. You can use the links in the Assets found section to view those assets in your inventory.
For Organization scope connectors, select the View details link in the account section of the connector details page to see the complete hierarchy of AWS accounts that Trust Lifecycle Manager discovered in your AWS organization.
Automation
To enroll certificates from CAs in your Trust Lifecycle Manager account with automated delivery to AWS Certificate Manager (ACM), set up certificate lifecycle automation.
Select the Admin web request enrollment method in any certificate automation profiles you create for delivering certificates to ACM. Use the Admin web request function whenever you need to issue a new certificate from Trust Lifecycle Manager and deliver it to the connected ACM instance(s).