AWS Certificate Manager Private Certificate Authority | ACM PCA
If you’re not already using ACM PCA, then you should be.
AWS has some of the best-thought-out and best-implemented cryptographic controls available. Leveraging ACM PCA lets you provision end-to-end TLS channels beyond the ELB (ALB and NLB). This is a managed service from AWS that works excellently: no more self-management of certificates (think key-management lifecycle processes, including rotation, ...), and once it is enabled the APIs provide the functionality needed for automation.
If you're stuck deciding whether to integrate it with your current PKI, stop thinking and break away from this! AWS is fully certified to FIPS 140-2 standards (and plenty of others), so you should be looking to leverage it as the authoritative CA for everything you deploy into AWS, alongside KMS and ACM. Don't confuse this with externally facing services such as web services: use ACM for those public certificates, or your preferred third-party CA (if you think you're still stuck in legacy dinosaur land).
Ultimately the crypto in AWS is fully integrated with the rest of the AWS technology stack, which starts to make the notion of running your own expensive PKI and management teams obsolete.
Keys are protected in HSMs owned and managed by Amazon. Here is the actual device and its specifications: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3009.pdf , the NIST FIPS 140-3 validation: https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/3139 and the certificate: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/FIPSConsolidatedCertFeb2018.pdf (3139 – AWS KMS HSM, the same device used for ACM PCA).