Question: I can't register certs through ACM, but would ACM allow me to upload certs to it?

Asked By
diazswag209
Asked At
2018-05-07 23:19:09

Found 15 possible answers.

User Answered At Possible Answer
nick.lemouton 2018-05-07 23:19:13 If it's a mix, then you can use config management (Puppet, Chef, etc.).
diazswag209 2018-05-07 23:19:36 How to do it through Chef securely? Right now I have Chef downloading from an S3 bucket.
nick.lemouton 2018-05-07 23:19:46 No idea; in Puppet we use eyaml for certs,
coderanger 2018-05-07 23:19:51 You don't upload to ACM, it creates them for you.
nick.lemouton 2018-05-07 23:19:53 so the keys are encrypted.
diazswag209 2018-05-07 23:20:04 @coderanger We have a third-party cert creator, so it's not through ACM.
coderanger 2018-05-07 23:20:06 @nick.lemouton That is really not a good idea >_< Or at least you'd better _seriously_ trust your puppetmaster.
diazswag209 2018-05-07 23:20:37 @nick.lemouton I think a next level up would be to secure your EC2 instances using an IAM role and give that IAM role just enough access to download the S3 certs.
nick.lemouton 2018-05-07 23:20:44 We do; it would be a bit hard if you didn't trust your puppetmaster.
coderanger 2018-05-07 23:21:06 @diazswag209 Better is to use SSM ParamStore rather than S3. It was built for this.
diazswag209 2018-05-07 23:21:28 @coderanger Interesting, I'll have to read up on it... because with S3, IAM roles are fine, but once someone gets into the server, they can download the SSL cert from S3.
coderanger 2018-05-07 23:21:51 @nick.lemouton eyaml is a cute hack but not a very good isolation mechanism 🙂
diazswag209 2018-05-07 23:22:09 @coderanger How is SSM ParamStore better?
coderanger 2018-05-07 23:22:31 @diazswag209 Better integration with KMS for at-rest encryption, more flexible policy conditions.
nick.lemouton 2018-05-07 23:22:31 It's better than storing them in the clear, but yes, it's not secure secure. We should probably be using Vault or some other secret management.