SSL/TLS certificates are often used with Amazon Web Services (AWS) to encrypt and secure transactions. However, the time it takes to provision, install, and manage SSL/TLS certificates can hinder the use of AWS cloud instances. To help speed this process, last week AWS introduced AWS Certificate Manager (ACM).
ACM reduces SSL/TLS certificate management complexity by issuing certificates directly through Amazon’s certificate authority (CA) and Amazon Trust Services (ATS). Offering this service is a big step for Amazon as it enters the CA business. It is currently only available in the U.S. East region, but Amazon is moving towards offering the service globally.
ACM is a good fit for businesses that want to quickly encrypt and secure traffic to Elastic Load Balancers (ELB) and/or CloudFront (CF) distributions.
The best news of all is that any certificate issued by ACM is totally free, a trend that will become the norm as the industry moves towards encrypting 100% of all transaction and communication traffic.
Unlike generic CAs, the goal of Amazon ACM isn’t to become a direct competitor of other CAs. They are not in the business of selling certificates, nor do I believe they will be. In this case, they are simply offering the ability to add a significant layer of security to AWS quickly and with minimal complexity. This is great for our cloud-enabled world, and I strongly believe all CAs will soon have to adopt the free certificate model and offer domain validated (DV) certificates for free.
Free encryption doesn’t secure your keys and certificates
When Amazon ACM issues a certificate, ACM generates the key pair and the corresponding private key is stored in the AWS cloud; it cannot be exported, so it can never be moved onto hardware you control. But I have a real issue with storing any private key in the cloud, let alone on a hard drive. An organization takes a huge risk any time it stores a private key anywhere other than in a hardware security module (HSM). The risk increases the farther the key is stored from your premises, so a private key in the cloud introduces all kinds of risk: you are trusting whoever issues and stores your private key to ensure that only your organization has access to it.
Storing keys in the cloud is exactly what malicious actors (hacktivists, disgruntled employees) hope an organization will do, because it makes the keys much easier to steal.
Once a key is compromised, a malicious actor gains the upper hand and can then sell it on the Darknet or leverage it to encrypt and hide their actions within the organization’s network. The more free certificates are issued, the weaker the security of the Internet becomes. As keys and certificates are compromised more frequently, malicious actors will increasingly leverage the security blind spots that trusted encryption provides, disguising their attacks.
Amazon ACM does not secure encryption nor increase the security posture of an organization
The benefit of reducing the complexity of encrypting Amazon AWS services is great, but it comes at the cost of security. All the keys and certificates issued by ACM are stored within the Amazon AWS cloud, which makes it easier to issue and manage certificates in the cloud, but as mentioned, this also introduces significant risk: a malicious actor only needs access to the AWS environment.
Once malicious actors gain access to an AWS environment, they could proceed to issue their own keys and certificates, or simply attach the certificates already issued there to resources they control. ACM does check domain control before it issues (at launch, by email to the domain’s administrative contacts), so a request for a name the intruder cannot validate will fail; but an intruder who also controls that validation path obtains a trusted certificate, and falsified keys and certificates would give the malicious actors an encrypted channel in which to hide their activities.
The other major risk is that, if the Amazon CA is compromised, there is no quick way to revoke compromised keys and certificates (Amazon requires that a service case be opened). Nor is there a way to automate failover to a secondary CA, as NIST recommends.
In short, Amazon ACM does not provide any security for the keys and certificates it issues: it simply reduces the complexity of managing them.
The goal of Amazon ACM isn’t to secure certificates, nor is it to compete with existing CA’s. Amazon ACM simply wants to increase agility by making it easier to acquire and deploy encryption to the AWS cloud. Unfortunately, they also fall short when it comes to management.
Here is a list of some current ACM limitations:
Only Amazon Environment
- Management and visibility limited to only Amazon issued certificates
- Limited to those using AWS Elastic Load Balancing or Amazon CloudFront*
- Cannot issue nor manage certificates outside the Amazon cloud
Restrictions on Key and Certificate Types
- Can only issue Domain Validated (DV) certificates*
- No support for Organizational Validation (OV) or Extended Validation (EV) certificates*
- No support for securing nor managing SSH keys
- No ability to manage mobile, email, or IoT keys and certificates
Lifecycle Restrictions
- All certificates issued are valid for 13 months
- Certificate renewal is done automatically with no controls or notifications
- Revocation requires a service case be opened
Management Limitations that Impact Security
- No ability to discover and inventory unknown certificates
- Lacks ability to create and enforce certificate policies
- Audit logs are tracked in Amazon CloudTrail, not within ACM
- Keys and Certificates are stored in the cloud
*Amazon is expanding support for other AWS services and for other types of domain validation
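Because ACM records no audit trail of its own, the only place issuance and deletion show up is CloudTrail, where ACM API calls appear with eventSource "acm.amazonaws.com". The script below is an added example (not code from the original post or from AWS) of the kind of detection an organization has to build itself to get the visibility the list above says ACM lacks: it scans a CloudTrail log file and flags RequestCertificate calls from principals outside an approved list or for names outside the approved domains, every DeleteCertificate or ResendValidationEmail call, and any ACM call that was denied. The account ID, the approved principals and domains, and the sample records are all constructed for illustration.

```python
"""Flag suspicious AWS Certificate Manager (ACM) activity in CloudTrail records.

Added example, not from the original post. ACM keeps no audit trail of its own;
issuance and deletion show up only as CloudTrail events whose eventSource is
"acm.amazonaws.com". The approval policy and the sample records below are
constructed for illustration (hypothetical account 123456789012).
"""
import json

# Hypothetical policy: principals allowed to request certificates, and the
# domains (plus their subdomains) they may request them for.
APPROVED_PRINCIPALS = {"arn:aws:iam::123456789012:user/cert-deploy"}
APPROVED_DOMAINS = ("example.com",)

# API calls that warrant review no matter who made them.
ALWAYS_FLAG = {"DeleteCertificate", "ResendValidationEmail"}


def domain_allowed(name: str) -> bool:
    """True if name is an approved domain or a subdomain of one.

    A wildcard label is stripped first, and the suffix check requires a label
    boundary so that e.g. "evil-example.com" does not pass for "example.com".
    """
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return any(host == d or host.endswith("." + d) for d in APPROVED_DOMAINS)


def requested_names(params: dict) -> list:
    """All names a RequestCertificate call asked for (domain name plus SANs)."""
    names = [params["domainName"]] if params.get("domainName") else []
    names.extend(params.get("subjectAlternativeNames") or [])
    return names


def flag_acm_event(event: dict) -> list:
    """Return the reasons an ACM CloudTrail event is suspicious ([] if benign)."""
    if event.get("eventSource") != "acm.amazonaws.com":
        return []
    reasons = []
    call = event.get("eventName", "")
    actor = event.get("userIdentity", {}).get("arn", "<unknown>")
    if event.get("errorCode"):
        # Denied calls are often the first sign someone is probing their access.
        reasons.append(f"{call} by {actor} failed: {event['errorCode']}")
    if call in ALWAYS_FLAG:
        reasons.append(f"{call} by {actor}")
    if call == "RequestCertificate":
        if actor not in APPROVED_PRINCIPALS:
            reasons.append(f"RequestCertificate by unapproved principal {actor}")
        bad = [n for n in requested_names(event.get("requestParameters") or {})
               if not domain_allowed(n)]
        if bad:
            reasons.append(f"RequestCertificate for unapproved names {bad} by {actor}")
    return reasons


def scan_trail(trail_json: str) -> list:
    """Scan one CloudTrail log file (a JSON object with a "Records" list)."""
    findings = []
    for ev in json.loads(trail_json).get("Records", []):
        for reason in flag_acm_event(ev):
            findings.append((ev.get("eventTime"), ev.get("eventName"), reason))
    return findings


def _record(name, arn, params=None, error=None):
    """Build a minimal constructed CloudTrail record for the ACM service."""
    rec = {
        "eventVersion": "1.04",
        "eventTime": "2016-01-25T12:00:00Z",
        "eventSource": "acm.amazonaws.com",
        "eventName": name,
        "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": params or {},
    }
    if error:
        rec["errorCode"] = error
    return rec


DEPLOY = "arn:aws:iam::123456789012:user/cert-deploy"
ALICE = "arn:aws:iam::123456789012:user/alice"

# Constructed sample trail: one benign request, four records that should be
# flagged (five findings in total), and one non-ACM event that is ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    _record("RequestCertificate", DEPLOY,
            {"domainName": "www.example.com", "subjectAlternativeNames": ["example.com"]}),
    _record("RequestCertificate", ALICE, {"domainName": "login.example.com"}),
    _record("RequestCertificate", DEPLOY, {"domainName": "evil-example.com"}),
    _record("DeleteCertificate", ALICE,
            {"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/0000"}),
    _record("RequestCertificate", ALICE, {"domainName": "*.example.com"},
            error="AccessDeniedException"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ALICE}},
]})

if __name__ == "__main__":
    for when, call, reason in scan_trail(SAMPLE_TRAIL):
        print(when, call, reason)
```

Run it against a real trail by passing the contents of a CloudTrail log file to scan_trail instead of SAMPLE_TRAIL; the approved principal and domain lists are the policy ACM itself cannot enforce, so they have to be maintained alongside whatever deploys the certificates.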
But I’m not suggesting that businesses shouldn’t use Amazon ACM. As businesses rely on AWS for fast, elastic IT cloud resources, it’s important that they be able to quickly encrypt and secure their transactions. Yet, they need to understand that using ACM alone doesn’t provide enough security for their keys and certificates, exposing them to the risk of key and certificate misuse for breach and compromise.
As Kevin Bocek, the VP of Security Strategy & Threat Intelligence here at Venafi, is quoted in a SecurityWeek article on AWS Certificate Management, “Mark my words: it's just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data.”
Kevin also notes in the article, “While AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000.”
Looking for true enterprise-class key and certificate security? We can help. Venafi provides a CA-agnostic key and certificate solution that can secure your ACM certificates along with the other keys and certificates in your network.