Amazon AWS Certified Advanced Networking Specialty – Security & Compliance Part 2

January 16, 2023

4. Understanding AWS Certificate Manager

Hey everyone and welcome back. In today’s lecture we are going to look into one of the newer services, called AWS Certificate Manager (ACM). This is a very useful feature that AWS has extended to its customers, and it really makes life simpler. So let’s look at the use case, which will help us understand how AWS Certificate Manager makes life simpler for clients. In the earlier approach, let’s assume that I have a website and I need to use HTTPS. There are two ways in which I can do that: one is with a self-signed certificate, and the second is a certificate signed by a CA (certificate authority). If you use a self-signed certificate, the browser will show a red error saying that the site’s security certificate cannot be trusted. If you use a genuine CA-signed certificate, you get the nice HTTPS-based URL in the browser. However, the problem is that CA-signed certificates are generally paid ones.

So let me show you an example. I am on the Namecheap site, and here you see there are various SSL certificates that I can purchase. One of the certificates, you see, the basic Comodo Essential, starts at $10 per year, that is $9.99 per year. However, if you go for the extended certificates, you have to pay a much larger amount. If you go to the Comodo Essential SSL wildcard, which is the wildcard certificate, it is actually $130 per year. So quite expensive. And specifically for a very new organization, or for people who want to have HTTPS on their personal website or personal blog, they must pay for the SSL certificate in most use cases. The second major problem is that it expires after one year. So after one year, if you do not renew your certificate, you will have this red mark on your website.

And this is, I would say, a very challenging thing, because I have seen many big organizations that have genuine SSL certificates, but after one year they forget to renew their SSL and the entire website breaks; the entire website gets these warnings. And specifically when you talk about clients like Android or iOS, these clients will not work if the certificate has expired; they only work if you have a genuine certificate. So the entire website fails, or all the Android, iOS and Windows applications throw an error, and any user of those applications sees that error. This is quite a pain, because every year, or maybe every five years, you have to renew the certificate. And if any vulnerabilities are present, you again have to renew the certificate. So it’s quite a big pain.

And this is the reason why AWS decided to launch the AWS Certificate Manager service. If I go to Certificate Manager, this service is responsible for provisioning, managing and deploying SSL/TLS certificates. In the first section over here you can provision certificates. You see, ACM manages the renewal of SSL/TLS certificates issued by Amazon for you. Whenever you create your own certificate through an authority like Comodo SSL, it is quite a pain because you have to do a lot of things; for example, they will call you for validation. So there are a lot of things involved. Through ACM, life is much simpler; we’ll see this when we deploy our first certificate with the help of ACM. Along with that, whatever certificates we get from Certificate Manager are completely free: you do not have to pay anything for the certificates issued through AWS Certificate Manager.

So there are certain big advantages to ACM, and this is the reason why a lot of startups are now moving to ACM, which makes their life simpler. So let’s do one thing: we’ll conclude the lecture for the time being, and in the next lecture we’ll look into how we can provision our first certificate with the help of AWS Certificate Manager. Thanks for watching.

5. Provisioning first TLS certificate with ACM

Hey everyone and welcome back. So let’s do one thing in today’s lecture: we’ll deploy our first SSL certificate with the help of AWS Certificate Manager. Click on Get started. The first thing you need to do in ACM is put in your domain name. Now, I have one funny domain name which I have registered and integrated with Route 53. So I’ll copy this domain and paste it over here. Perfect. And I’ll click on Next. Now, there are two types of validation that you can use: one is DNS validation and the second is email validation.

I prefer DNS validation, so let’s go ahead with DNS validation. I’ll click on Review, and then on Confirm and request. Perfect. Now that the request is in progress, what it expects us to do is add certain records within this specific domain. So I’ll click on Export DNS configuration to a file, and if I open it with Excel, there are certain records that it wants us to put in. Let’s try this out; just maximize it so that it becomes much clearer. Perfect. Let’s copy this first field.

I’ll copy it and go to my Route 53. I’ll create a new record set with type CNAME and put in the details that are expected. Perfect. So this is the first field, the type is CNAME, and it needs a certain value. I’ll copy this value, paste it here and click on Create. Perfect. So now the CNAME that was asked of us is entered in our Route 53 record set, and we can go ahead and click on Continue. It is in the pending validation state and will take a certain amount of time; after a few seconds, ten to fifteen seconds, you see that your certificate was issued successfully. So this is one of the very easy approaches by which you can have domain name validation. Now, there is a second approach that we have discussed, based on email validation, that you can use.
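The DNS validation step above, as an added example (not the course’s own code): it turns the exported record list into the change batch that Route 53 expects and then checks, through a resolver you supply, that the CNAMEs are actually visible, which is what ACM is waiting for while the request sits at pending validation. The CSV column layout and every record value here are assumptions.

```python
# Route 53 change batch for ACM DNS validation, plus a check that the CNAMEs
# resolve before expecting the certificate to leave 'Pending validation'.
import csv
import io

# Constructed sample of the CSV that "Export DNS configuration to a file" gives
# (the column layout is an assumption; the tokens are placeholders, not real).
EXPORTED_CSV = """Domain Name,Record Name,Record Type,Record Value
example.com,_abc123.example.com.,CNAME,_def456.acm-validations.aws.
www.example.com,_ghi789.www.example.com.,CNAME,_jkl012.acm-validations.aws.
"""

def parse_validation_records(csv_text):
    """Return the CNAME records ACM asks the domain owner to create."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["Record Type"] == "CNAME"]

def route53_change_batch(records, ttl=300):
    """ChangeBatch for Route 53 ChangeResourceRecordSets (the --change-batch
    argument of the CLI). UPSERT is idempotent, so a retry is safe."""
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": r["Record Name"],
                    "Type": "CNAME",
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": r["Record Value"]}],
                },
            }
            for r in records
        ],
    }

def _canon(name):
    """DNS names compare case-insensitively and with or without the root dot."""
    return name.rstrip(".").lower()

def check_validation_records(records, resolve_cname):
    """resolve_cname(name) -> CNAME target or None (wrap dig or dnspython for
    real use). Returns the records that are missing or point at the wrong
    value, i.e. the reason a request would stay at 'Pending validation'."""
    problems = {}
    for r in records:
        got = resolve_cname(r["Record Name"])
        if got is None or _canon(got) != _canon(r["Record Value"]):
            problems[r["Record Name"]] = got
    return problems
```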

6. Configuring ELB with HTTPS for SSL Offloading

Hey everyone and welcome back. In the earlier lecture we were discussing how we can create our own certificate with the help of the AWS Certificate Manager service. I am sure you must have noticed that I had to stop that lecture abruptly. Actually, some people had come to my house, and this is the reason I had to stop. And I thought I would not re-record the entire thing again, because the main lecture was recorded. So this is actually the reason why I decided to record the lectures at 03:00 in the morning, to avoid all these disruptions. But it becomes quite difficult, because it is winter in India and waking up at 03:00 is a big challenge; anyway, I’ll try to do that from tomorrow. Anyway, coming back to the topic: since we have the domain Munu.com created, and the certificate for this domain is created, what we’ll do is look into how we can have a website based on HTTPS with the help of ACM. So in the ELB listeners part, specifically for the HTTP and HTTPS based listener, look into the second use case, where a website uses the ELB to offload the SSL decryption. Let me show you what I mean by this.

If I open the domain umu.com, it is based on HTTP. Okay? What we want is for this to be HTTPS. Basically what we have is a load balancer, and if you look at the record set of mummu.com, it is actually pointing to the ELB DNS name, and this is the ELB DNS name. So whenever I type this domain, the traffic goes to the ELB, and the ELB forwards the request to the backend EC2 instance. Now, since I want HTTPS here, we can try this out in the ELB. One of the major advantages of AWS Certificate Manager is that it supports ELB directly. So let’s do one thing: let’s go to Listeners, click on Edit, and add a listener; this time I’ll create one with the HTTPS protocol.

Whenever I create an HTTPS listener, two options are highlighted: one is the cipher and the second is the SSL certificate. You must put an SSL certificate here when you want the ELB to offload the encryption and decryption related functionality. If I click on Change, I can choose ACM. I could even upload my own certificate and private key if I obtained it through a third-party CA. However, I’ll just use ACM, and it asks me which certificate within ACM I want to use. Since I only have one certificate, I’ll select it and click on Save. You see the SSL certificate part is automatically changed to using ACM, and I’ll click on Save. Perfect.

So now we have a new listener based on HTTPS. The Elastic Load Balancer is listening on port 443 and sending the traffic to port 80. Let’s look at what I mean. What we have done is we have an ELB, and we have an ACM certificate on the ELB. So from the client to the ELB, I have a secure connection. And from the ELB to the backend instance, I again have a plain-text HTTP connection. Let’s try this out. I’ll copy the domain and put https in front. Let’s try it. Perfect.

Now, you see, you have a perfectly secure HTTPS connection for this domain. The certificate used here is the ACM certificate issued by Amazon for free. So this is how you can use an ACM certificate for your website. Go ahead and try this out, because this is quite interesting. And if you’re using production environments, I would one hundred percent recommend that you go ahead and use ACM, because this will make your life much simpler. So that’s it for this lecture. I hope this has been informative for you, and I look forward to seeing you in the next lecture.
