In January 2016 Amazon Web Services (AWS), the e-commerce giant's cloud computing business, introduced AWS Certificate Manager (ACM). The service addresses a long-standing pain point: the SSL/TLS certificates used to encrypt and secure traffic to AWS-hosted applications take a significant amount of time to provision, install, and manage, which slows down the use of AWS cloud instances.
ACM reduces SSL/TLS certificate management complexity by issuing certificates directly from Amazon's own certificate authority (CA), Amazon Trust Services (ATS). Offering this service is a big step for Amazon, as it puts the company in the CA business. At launch ACM is available only in the US East (N. Virginia) region, but Amazon is moving towards offering the service globally.
ACM is attractive for businesses that want to quickly encrypt and secure transactions behind Elastic Load Balancing (ELB) and/or CloudFront (CF) distributions, and any certificate issued by ACM is free of charge. Free certificates are a trend that will become the norm as the industry moves towards encrypting 100% of transaction and communication traffic.
Unlike commercial CAs, Amazon ACM does not aim to compete directly with other CAs; it is not in the business of selling certificates. It simply offers a way to add a significant layer of security to AWS quickly and with minimal complexity. This is good for our cloud-enabled world, and it is likely that all CAs will soon have to adopt the free model and offer domain validated (DV) certificates at no cost.
Free encryption doesn’t secure your keys and certificates
When Amazon ACM issues a certificate, the corresponding private key is generated and stored by AWS in the cloud rather than by the organization. An organization takes on significant risk whenever it stores a private key anywhere other than on a hardware security module (HSM) it controls, and that risk grows the further the key is held from the organization's premises. Placing a private key in the cloud therefore means the organization must trust whoever issues and stores the key to ensure that only the organization itself can use it.
Storing keys in the cloud is exactly what malicious actors (e.g. hacktivists and disgruntled employees) hope an organization will do, because it makes the keys much easier to steal.
Once a key is compromised, a malicious actor gains the upper hand: the key can be sold on the Darknet or used to encrypt and hide the attacker's actions within the organization's network.
The more certificates are issued for free and without oversight, the weaker the security of the internet becomes. As keys and certificates are compromised more frequently, malicious actors will increasingly exploit the blind spot that trusted encryption creates, disguising their attacks as legitimate encrypted traffic.
Amazon ACM neither secures encryption nor improves an organization's security posture
Reducing the complexity of encrypting AWS services is a real benefit, but it comes at the cost of security. All the keys and certificates issued by ACM are stored within the AWS cloud. That makes them easier to issue and manage, but, as noted above, it also introduces significant risk: a malicious actor only needs access to the AWS environment.
Once inside, an attacker with the right permissions can request their own keys and certificates through ACM. Such falsified keys and certificates give the attacker a trusted, encrypted channel in which to hide their activities.
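The attack path just described (an attacker with AWS credentials requesting certificates for themselves) leaves a trace: CloudTrail records ACM API calls. The following is an added example, not code from the original post or from AWS. It parses a CloudTrail log file and flags any RequestCertificate, ImportCertificate or DeleteCertificate call made by a principal that is not on an allow-list, reporting denied attempts as well as successful ones and raising the severity when a wildcard name is involved. The events are constructed by hand in the shape of real CloudTrail records; the account ID, role name and allow-list are assumptions.

```python
"""Flag ACM certificate requests from principals outside an allow-list.

Added example, not tooling from AWS or from this post. The CloudTrail records
below are constructed in the shape of real CloudTrail events (eventSource
"acm.amazonaws.com", eventName "RequestCertificate", ...); the account ID,
role name and allow-list are assumptions.
"""
import json

# Assumption: only this deployment role may request, import or delete certificates.
APPROVED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/CertAdmin/deploy"}
# ACM actions that create or remove key material; read-only calls are ignored.
WATCHED_ACTIONS = {"RequestCertificate", "ImportCertificate", "DeleteCertificate"}

# Constructed CloudTrail log file: a JSON object with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    {   # legitimate request by the deployment role
        "eventTime": "2016-03-01T10:00:00Z", "eventSource": "acm.amazonaws.com",
        "eventName": "RequestCertificate",
        "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/CertAdmin/deploy"},
        "requestParameters": {"domainName": "www.example.com"},
    },
    {   # read-only call: not interesting here
        "eventTime": "2016-03-01T10:05:00Z", "eventSource": "acm.amazonaws.com",
        "eventName": "ListCertificates",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"},
        "requestParameters": None,
    },
    {   # an unapproved IAM user obtains a wildcard certificate at 02:13
        "eventTime": "2016-03-02T02:13:41Z", "eventSource": "acm.amazonaws.com",
        "eventName": "RequestCertificate",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "requestParameters": {"domainName": "api.example.com",
                              "subjectAlternativeNames": ["*.example.com"]},
    },
    {   # a denied attempt still shows intent, so it is reported with its outcome
        "eventTime": "2016-03-02T02:15:03Z", "eventSource": "acm.amazonaws.com",
        "eventName": "DeleteCertificate",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "requestParameters": {"certificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example"},
        "errorCode": "AccessDenied",
    },
    {   # another service entirely: ignored even though it touches certificates
        "eventTime": "2016-03-02T03:00:00Z", "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": "SetLoadBalancerListenerSSLCertificate",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "requestParameters": {"loadBalancerName": "web"},
    },
]})


def load_records(log_text):
    """Parse one CloudTrail log file (JSON with a top-level "Records" list)."""
    return json.loads(log_text).get("Records", [])


def find_unapproved_acm_calls(records, approved=APPROVED_PRINCIPALS):
    """Return one alert dict per watched ACM call made by an unapproved principal."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "acm.amazonaws.com":
            continue
        if rec.get("eventName") not in WATCHED_ACTIONS:
            continue
        principal = (rec.get("userIdentity") or {}).get("arn", "<unknown>")
        if principal in approved:
            continue
        params = rec.get("requestParameters") or {}
        domains = [d for d in [params.get("domainName")] if d]
        domains += params.get("subjectAlternativeNames") or []
        alerts.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "principal": principal,
            "domains": domains,
            "target": params.get("certificateArn"),
            # CloudTrail records an errorCode when IAM denied the call
            "outcome": "denied" if rec.get("errorCode") else "succeeded",
            # a wildcard lets the holder impersonate any host under the zone
            "severity": "high" if any(d.startswith("*.") for d in domains) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_acm_calls(load_records(SAMPLE_LOG)):
        print(alert)
```

Run against a real CloudTrail bucket, the same function would be fed each gzipped log file in turn; the allow-list is the important part, since ACM calls by a role that is not the deployment pipeline are the signal the page is describing.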
The other major risk is that if a key or certificate issued by the Amazon CA is compromised, there is no quick, self-service way to revoke it: Amazon requires that a support case be opened. Nor is there any way to automate failover to a secondary CA, as NIST recommends. In short, Amazon ACM does not provide any security for the keys and certificates it issues; it simply reduces the complexity of managing them.
The goal of Amazon ACM is not to secure certificates, nor to compete with existing CAs. Amazon ACM simply aims to increase agility by making it easier to acquire and deploy encryption in the AWS cloud. Unfortunately, it also falls short when it comes to management.
For example, ACM gives its users no visibility into certificates issued by any other CA, and at the time of writing it works only with AWS Elastic Load Balancing and Amazon CloudFront. It also imposes substantial lifecycle restrictions: every certificate it issues is valid for 13 months, and renewal happens automatically, with no controls and no notifications.
Amazon even requires users to open a support case should they wish to opt out. More worryingly, ACM gives users no way to identify or register unknown certificates, or to create and enforce certificate management policies of their own.
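One way to compensate for the missing policy enforcement is to pull the certificate inventory out of ACM and check it against the organization's own rules. The following is an added example, not code from the original post or from AWS. It audits a list of records shaped like the Certificate structure returned by ACM's DescribeCertificate API and reports unregistered names, wildcard names, certificates that were issued but are attached to nothing, disallowed key types and imminent expiry. The sample records, the approved-domain list, the key-type policy, the account ID and the ARNs are all constructed assumptions; in practice the list would come from ListCertificates followed by DescribeCertificate for each ARN.

```python
"""Audit an ACM certificate inventory against a local policy.

Added example, not tooling from AWS or from this post. The records below are
constructed in the shape of the "Certificate" structure returned by the ACM
DescribeCertificate API; the policy values, account ID, ARNs and
approved-domain list are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample inventory and its findings are reproducible.
FIXED_NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)

# Assumption: names sanctioned in the organization's own certificate register,
# which ACM itself does not provide.
APPROVED_DOMAINS = {"www.example.com", "api.example.com"}
# Assumption: key types the policy accepts.
ALLOWED_KEY_ALGORITHMS = {"RSA-2048", "EC-prime256v1"}

# Constructed inventory (assumed account 111122223333).
SAMPLE_INVENTORY = [
    {   # healthy: sanctioned name, strong key, attached to a load balancer
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/web",
        "DomainName": "www.example.com",
        "SubjectAlternativeNames": ["www.example.com"],
        "Status": "ISSUED", "Type": "AMAZON_ISSUED", "KeyAlgorithm": "RSA-2048",
        "NotAfter": FIXED_NOW + timedelta(days=300),
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/web"],
    },
    {   # issued with an unsanctioned wildcard SAN and never attached to anything
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/api",
        "DomainName": "api.example.com",
        "SubjectAlternativeNames": ["api.example.com", "*.example.com"],
        "Status": "ISSUED", "Type": "AMAZON_ISSUED", "KeyAlgorithm": "RSA-2048",
        "NotAfter": FIXED_NOW + timedelta(days=390),
        "InUseBy": [],
    },
    {   # imported legacy certificate: weak key, unregistered name, expiring soon
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/legacy",
        "DomainName": "legacy.example.com",
        "SubjectAlternativeNames": ["legacy.example.com"],
        "Status": "ISSUED", "Type": "IMPORTED", "KeyAlgorithm": "RSA-1024",
        "NotAfter": FIXED_NOW + timedelta(days=10),
        "InUseBy": ["arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE"],
    },
]


def certificate_names(cert):
    """All names the certificate is valid for, de-duplicated, in order."""
    names = [cert["DomainName"]] + list(cert.get("SubjectAlternativeNames") or [])
    return list(dict.fromkeys(names))


def audit_inventory(certs, approved=APPROVED_DOMAINS, now=None, warn_days=30):
    """Return (arn, finding, detail) tuples for every policy violation found."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in certs:
        arn = cert["CertificateArn"]
        for name in certificate_names(cert):
            if name not in approved:
                # a name nobody registered: shadow IT or an attacker's certificate
                findings.append((arn, "unregistered_domain", name))
            if name.startswith("*."):
                findings.append((arn, "wildcard", name))
        if cert.get("Status") == "ISSUED" and not cert.get("InUseBy"):
            # key material that serves nothing is liability with no benefit
            findings.append((arn, "issued_but_unused", cert["DomainName"]))
        if cert.get("KeyAlgorithm") not in ALLOWED_KEY_ALGORITHMS:
            findings.append((arn, "disallowed_key", cert.get("KeyAlgorithm")))
        not_after = cert.get("NotAfter")
        if not_after is not None and not_after - now <= timedelta(days=warn_days):
            findings.append((arn, "expires_soon", not_after.date().isoformat()))
    return findings


def findings_by_arn(findings):
    """Group the kinds of finding per certificate, one entry per flagged ARN."""
    grouped = {}
    for arn, kind, _detail in findings:
        grouped.setdefault(arn, set()).add(kind)
    return grouped


if __name__ == "__main__":
    for arn, kinds in findings_by_arn(audit_inventory(SAMPLE_INVENTORY, now=FIXED_NOW)).items():
        print(arn, sorted(kinds))
```

The expiry check matters even though ACM renews automatically: the "expires_soon" finding fires on imported certificates, which ACM does not renew, and on any ACM-issued certificate whose renewal silently failed, which is exactly the case the missing notifications would otherwise hide.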
With all keys and certificates stored in the AWS cloud, malicious actors are handed a valuable opportunity. That is not to say businesses should not use Amazon ACM; as they rely on AWS for fast, elastic cloud resources, it is important that they be able to encrypt and secure their transactions quickly. But they need to understand that ACM alone does not provide enough security for their keys and certificates, and that this exposes them to key and certificate misuse leading to breach and compromise.
As certificate specialists have observed, it is only a matter of time before cybercriminals use these free AWS certificates to hide in encrypted traffic, masking themselves so they go unnoticed while they steal sensitive data. Ultimately, while AWS certificates may be good for building apps quickly, they cannot provide true enterprise-class security to the Global 5000.