Task Statement 4.3: Implement and maintain confidentiality of data and communications of the network.
📘AWS Certified Advanced Networking – Specialty
1. What is Certificate Management in AWS?
In modern network security, certificates are used to encrypt communication and prove identity between systems.
A certificate management solution is a system that:
- Creates digital certificates
- Issues certificates to trusted systems
- Renews certificates automatically
- Revokes certificates when needed
- Ensures secure communication (HTTPS/TLS)
In AWS, this is mainly done using:
- AWS Certificate Manager (ACM)
- AWS Private Certificate Authority (ACM PCA)
2. Why Certificates are Important (Exam Concept)
Certificates are used for:
1. Encryption (Confidentiality)
They enable TLS/SSL encryption, ensuring data cannot be read if intercepted.
2. Identity Verification
They confirm:
- The server is real
- The client is trusted (optional mutual authentication)
3. Secure Communication
Used in:
- HTTPS websites
- API communication
- Internal microservices
- Load balancers
- Hybrid cloud connections
3. AWS Certificate Manager (ACM)
What is ACM?
AWS Certificate Manager is a fully managed AWS service that helps you:
- Request SSL/TLS certificates
- Deploy them to AWS services
- Automatically renew them
Key Features of ACM
1. Free Public Certificates
- ACM provides public SSL/TLS certificates at no cost
- Issued by trusted public Certificate Authorities
2. Automatic Renewal
- ACM automatically renews certificates before expiration
- No manual intervention needed
3. AWS Service Integration
ACM works directly with:
- Elastic Load Balancer (ALB, NLB with TLS)
- CloudFront
- API Gateway
4. No Private Key Access
- AWS manages private keys securely
- You cannot export private keys for public ACM certificates
Where ACM is Used in Networking (Exam Focus)
- HTTPS websites behind Application Load Balancer
- Secure API endpoints in API Gateway
- CloudFront distributions for secure content delivery
- Internal TLS between services (limited cases)
ACM Limitation (Important Exam Point)
- ACM public certificates cannot be exported
- You cannot use them on:
  - Custom EC2 applications directly
  - On-prem servers
4. AWS Private Certificate Authority (ACM PCA)
What is ACM PCA?
AWS Private Certificate Authority is a fully managed private certificate authority service.
It allows organizations to:
- Create their own internal CA
- Issue private certificates
- Control trust within private networks
Why is ACM PCA Needed?
ACM alone is not enough when:
- You need internal-only communication
- You require custom trust chains
- You need certificates for:
  - EC2 instances
  - Internal microservices
  - Kubernetes clusters (EKS)
  - Hybrid environments (AWS + on-prem)
Key Features of ACM PCA
1. Private Trust
- Certificates are trusted only inside your organization
- Not publicly trusted by browsers
2. Full Control
You control:
- Certificate issuance rules
- Certificate lifecycle
- Revocation policies
3. Exportable Certificates
Unlike ACM public certificates:
- Private certificates can be exported
- Can be installed on EC2 or on-prem servers
4. Integration with AWS Services
Works with:
- Elastic Load Balancers (internal TLS)
- API Gateway (private APIs)
- Kubernetes (EKS)
- CloudHSM (optional for stronger security)
5. ACM vs ACM PCA (VERY IMPORTANT FOR EXAM)
| Feature | ACM | ACM PCA |
|---|---|---|
| Type | Public certificates | Private certificates |
| Trust | Internet trusted | Internal trusted |
| Cost | Free for AWS-issued certs | Paid service |
| Export private key | ❌ No | ✅ Yes |
| Use case | Public websites, APIs | Internal apps, hybrid systems |
| Renewal | Automatic | Manual or automated via rules |
| Control | Limited | Full control |
6. Certificate Lifecycle (Exam Concept)
A certificate goes through:
1. Request / Issue
- ACM or ACM PCA creates a certificate
2. Validation
- ACM verifies domain ownership (DNS or email validation)
3. Deployment
- Installed on:
  - Load balancers
  - CloudFront
  - Internal services
4. Use (TLS Communication)
- Encrypts data in transit using HTTPS/TLS
5. Renewal
- ACM: automatic
- ACM PCA: configurable automation
6. Revocation
- If the private key is compromised, the certificate is revoked immediately
7. How Certificates Work in AWS Networking (Real AWS Flow)
Example architecture flow:
- Client sends HTTPS request
- Request hits:
  - Application Load Balancer or CloudFront
- ACM certificate is attached to the service
- TLS handshake occurs:
  - Server presents certificate
  - Client verifies trust
- Encrypted communication starts
For internal systems:
- ACM PCA issues certificate to EC2 or container
- Microservices communicate using mutual TLS (mTLS)
8. Mutual TLS (mTLS) – Important Exam Topic
In advanced networking:
- Normal TLS = server authentication only
- mTLS = both server and client authentication
Used in:
- Microservices communication
- Zero-trust architectures
- Service mesh (e.g., AWS App Mesh)
ACM PCA is commonly used for mTLS.
9. Security Best Practices (Exam Points)
1. Use ACM for public-facing systems
- Websites
- APIs
- CloudFront
2. Use ACM PCA for internal systems
- Microservices
- Private APIs
- Hybrid networks
3. Automate renewal
- Avoid expired certificates causing downtime
4. Use IAM policies
- Restrict who can request/issue certificates
5. Monitor certificate expiry
- Use CloudWatch alarms
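The renewal and expiry points above can be turned into a simple inventory check. The following is an added example, not part of the original notes: it triages certificate records shaped like the `Certificate` dict that boto3's `acm.describe_certificate()` returns (the records here are constructed, and the 30-day warning threshold and the 60-day managed-renewal window are assumptions noted in the comments).

```python
from datetime import datetime, timedelta, timezone

# Reference "now" and constructed records shaped like the Certificate dict that
# boto3's acm.describe_certificate() returns; a real run would pass that dict in.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/alb-site",
     "Type": "AMAZON_ISSUED", "Status": "ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=200), "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/abc"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/imported-legacy",
     "Type": "IMPORTED", "Status": "ISSUED", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": NOW + timedelta(days=12), "InUseBy": []},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/pending-api",
     "Type": "AMAZON_ISSUED", "Status": "PENDING_VALIDATION", "RenewalEligibility": "INELIGIBLE",
     "NotAfter": None, "InUseBy": []},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/private-svc",
     "Type": "PRIVATE", "Status": "ISSUED", "RenewalEligibility": "ELIGIBLE",
     "NotAfter": NOW + timedelta(days=25), "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/internal/def"]},
]

def triage_certificate(cert, now=NOW, warn_days=30):
    """Classify one ACM certificate record as ok / warn / critical with a reason."""
    if cert["Status"] != "ISSUED":
        # Pending validation, failed, revoked or expired: TLS breaks or never starts.
        return "critical", f"status is {cert['Status']}; fix validation or re-issue"
    days_left = (cert["NotAfter"] - now).days
    if days_left < 0:
        return "critical", f"expired {-days_left} days ago"
    if cert["Type"] == "IMPORTED":
        # ACM never renews imported certificates; a new one must be imported by you.
        if days_left <= warn_days:
            return "critical", f"imported cert expires in {days_left} days; re-import"
        return "ok", "imported cert, manual renewal owned by you"
    if cert["RenewalEligibility"] != "ELIGIBLE":
        return "warn", "ACM reports renewal INELIGIBLE; check validation and usage"
    # ACM starts managed renewal about 60 days before expiry (assumed window),
    # so an eligible cert still inside the warn window is overdue.
    if days_left <= warn_days:
        return "warn", f"managed renewal overdue ({days_left} days left); check validation records and service association"
    return "ok", f"ACM managed renewal expected ({days_left} days left)"

def triage_inventory(certs, now=NOW, warn_days=30):
    """Return {arn: (severity, reason)} for a list of certificate records."""
    return {c["CertificateArn"]: triage_certificate(c, now, warn_days) for c in certs}

if __name__ == "__main__":
    for arn, (sev, why) in triage_inventory(SAMPLE_CERTS).items():
        print(f"{sev:8} {arn.rsplit('/', 1)[1]:16} {why}")
```

In practice the "critical" and "warn" results would feed a CloudWatch alarm or ticket, alongside ACM's own DaysToExpiry metric.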
10. Common Exam Scenarios
Scenario 1
“You need HTTPS for a public website on an ALB”
✔ Use an ACM public certificate
Scenario 2
“You need secure communication between EC2 services inside a VPC”
✔ Use ACM PCA private certificates + mTLS
Scenario 3
“You need SSL for a CloudFront distribution”
✔ Use an ACM certificate in the us-east-1 region
Scenario 4
“You need a certificate for an on-prem server”
✔ Use ACM PCA (exportable private certificate)
11. Key Exam Takeaways (MEMORIZE)
- ACM = public SSL/TLS, easy, automatic, no private key access
- ACM PCA = private CA, full control, exportable certificates
- ACM is for external secure communication
- ACM PCA is for internal/hybrid secure communication
- Certificates enable encryption using TLS/SSL
- Used heavily in ALB, CloudFront, API Gateway, microservices
