Share your ACM Private CA cross-account

 
 

A few weeks ago aws launched a new feature to share a Private CA with any AWS account or within your organization. This feature helps you to save costs because you just need to deploy one CA per organization. Since the one Private CA costs $400 per month this is a huge saving. Additionally this feature helps you secure certificates because each account the Private CA is shared with creates it's own certificate and remains in full control of said certificate. The key "lives" in the certificate-creation-account and is fully protected there. In this post I will show you how to automate the sharing of the Private CA plus how to use it in the shared accounts.

Architecture

Shared - private CA via AWS RAM
Shared - private CA via AWS RAM

❗️ The shared ACM-PCA is also working for Amazon Managed Streaming for Apache Kafka (Amazon MSK) - but only via API - the shared ACM-PCA is not shown in the AWS Console.

Prerequisites

  1. ACM-PCA must be deployed
  2. All Features of your AWS Organizations must be enabled
  3. RAM sharing within your AWS Organization must be enabled
    How to enable this:

    1. Log in to the Organization Master Account with a role or user with permissions to perform ACM and AWS RAM operations in both the central and shared accounts.
    2. Navigate to the AWS Resource Access Manager service.
    3. Click on Settings on the left menu option.
    4. Enable the feature by checking the Enable sharing within your AWS Organization option.

Deployment of the RAM resource in the central AWS Account

  1. Log in to the MPA and switch to the account where the ACM-PCA is deployed.
  2. Switch to the Region (e.g.: eu-central-1)
  3. Open the CloudFormation service console
  4. Select Create Stack - Upload a template file; Click Choose file and pick the following file: 001-aws-shared_acm-pca.json
  5. Click Next; Enter the following parameters:
Key Value
AWSOrganizationId eg: o-xyz123
OrganizationMasterAccountId Account Id of the Organization Master Account
AcmPcaArn arn of the Private ACM you want to share

  1. Click Next; Check: "I acknowledge that AWS CloudFormation might create IAM resources." and Submit

⚠️ Side note: If you are sharing a resource using RAM with the whole Organization you don't need to accept the invation in the target Account.

How to request a new certificate from the shared private CA using console

  1. Log in to an Organization account where the ACM-PCA is being shared with and go to the Certificate Manager console
  2. Choose Request a certificate.
  3. Select the option Request a private certificate, then choose Request a certificate.
  4. For CA, select Shared-Private-CA, and then click Next.
  5. For Add domain names, add the domain www.privatedomain.com , and click Next.
  6. Choose Review and request, confirm it and then click Confirm and request.
  7. You can now see your new ACM certificate, issued by the Shared-Private-CA in your account.

How to request a new certificate from the shared private CA using cli

  1. Request certificate
aws acm request-certificate –-domain-name www.privatedomain.com --certificate-authority-arn arn:aws:acm-pca:region:111122223333:certificate-authority/123456-xyz123 --validation-method DNS


      

CloudFormation Best Practices

Recommendations that can help you to use CloudFormation more effectively and securely throughout its entire workflow.

 

Oct 20th 2020

 

David Krohn

App Mesh and ECS with shared Meshes

Step by Step Tutorial on how to use App Mesh on ECS with cross account ressource sharing (shared meshes)

 

Jul 25th 2020

 

Yassine Berrada Touati

SCP Best Practices

How to use service control policies to secure resources and avoid unnecessary costs across accounts in your AWS Organization

 

Jul 20th 2020

 

David Krohn