Saturday, July 16, 2016

Security of SSL certs on AWS ELBs / SSL offloading



I have some concerns about security and am wondering how AWS will store an SSL certificate deployed to an ELB. I have a wildcard SSL cert for my domain that I want to make sure doesn't persist anywhere where I don't know the steps taken to secure it.




I'm trying to set up a really simple image server on AWS that serves over HTTPS. What I've done is create an nginx server on a T2-micro that proxies to an S3 bucket with my images and put it behind an ELB. Where does that certificate ultimately persist if I put it on the ELB?



As a sidenote, does AWS actually support SSL offloading to the instance an ELB points to? I found hints this is possible in some documentation but couldn't find anything else past that hint.


Answer




Where does that certificate ultimately persist if I put it on the ELB?




The certificates are stored in IAM.




They should be as secure, there, as your account credentials are, so this seems like a misplaced concern, to me, once you have this information.



The ELB instances fetch the cert, chain, and private key from IAM whenever they start up or scale up.



Note, of course, that securing your "certificate" is a silly concept. Your certificate, and the chain, are public. They are dutifully handed over to every web browser that makes a connection. That's how SSL works. The part that needs to be secured is, of course, the private key. Without that, your cert can't be abused.



And IAM secures this. So much so, that not even you can get it back once you've stored it.



If you decided, for whatever reason, that you wanted to fetch your cert and its private key from IAM... well, you can't.




You can list them, overwrite them, and delete them from the IAM database, but not even the account owner can retrieve them. They're secured.



Arguably, on your instances, the accompanying private key would be less secure... but...



You can let ELB balance TCP connections to instances that are handling SSL for themselves, by simply configuring the ELB listener in TCP mode, rather than HTTP.



Of course this puts more work on your instances, and it isn't called "offloading" -- the terminology is reversed -- this configuration would be "not offloading." Offloading would be the normal mode -- an ELB in SSL mode is doing SSL offloading for the instance -- handling SSL instead of the instances, themselves, handling their own SSL.
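As an added illustration of the two listener modes described in this answer (not code from the original post or from AWS): the function below walks a constructed sample shaped like the `aws elb describe-load-balancers` output for a classic ELB and reports, per listener, whether TLS is terminated on the ELB (HTTPS/SSL listener, private key referenced from IAM by ARN) or passed through as raw TCP to instances that terminate TLS themselves. The load balancer names, account id and certificate name are placeholders.

```python
import json

# Constructed sample modelled on `aws elb describe-load-balancers` (classic ELB).
# Names, account id and certificate ARN are placeholders, not real resources.
SAMPLE_DESCRIBE_LBS = json.dumps({
    "LoadBalancerDescriptions": [
        {"LoadBalancerName": "img-elb-offload",
         "ListenerDescriptions": [
             {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                           "InstanceProtocol": "HTTP", "InstancePort": 80,
                           "SSLCertificateId":
                               "arn:aws:iam::123456789012:server-certificate/example-wildcard"},
              "PolicyNames": ["ELBSecurityPolicy-2016-08"]}]},
        {"LoadBalancerName": "img-elb-passthrough",
         "ListenerDescriptions": [
             {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 443,
                           "InstanceProtocol": "TCP", "InstancePort": 443},
              "PolicyNames": []}]},
    ]
})


def classify_listeners(describe_json):
    """Return (lb_name, lb_port, mode, key_location) for every listener.

    HTTPS/SSL listeners terminate TLS on the ELB ("offloading"): the private key
    is held by IAM and referenced by ARN, so nothing key-related sits on the
    instances. TCP listeners pass bytes through untouched, so any TLS is
    terminated by the instances, which must then hold the private key locally.
    """
    rows = []
    for lb in json.loads(describe_json)["LoadBalancerDescriptions"]:
        for desc in lb["ListenerDescriptions"]:
            lst = desc["Listener"]
            proto = lst["Protocol"].upper()
            if proto in ("HTTPS", "SSL"):
                mode = "offloaded-at-elb"
                key_loc = lst.get("SSLCertificateId", "<missing certificate ARN>")
            elif proto == "TCP":
                mode = "tcp-passthrough"
                key_loc = "on-instances"
            else:  # plain HTTP: no TLS anywhere on this listener
                mode = "plaintext"
                key_loc = "n/a"
            rows.append((lb["LoadBalancerName"], lst["LoadBalancerPort"], mode, key_loc))
    return rows


if __name__ == "__main__":
    for name, port, mode, key_loc in classify_listeners(SAMPLE_DESCRIBE_LBS):
        print(f"{name:22} :{port:<5} {mode:18} key: {key_loc}")
```

Feed it the real JSON from `aws elb describe-load-balancers` to see which of your listeners leave the private key solely in IAM and which require it on the instances.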

