AWS recently launched the AWS Private Certificate Authority (CA) Connector for Active Directory (AD). It is a new feature that allows enterprises to use AWS Private CA as a drop-in replacement for self-managed enterprise certificate authorities without the need to deploy, patch, or update local agents or proxy servers.
AWS Private Certificate Authority (AWS Private CA) is a fully-managed, highly available CA that helps organizations secure their applications and devices using private certificates. In an AWS for Industries blog post, the authors explain:
With AWS Private CA, enterprise customers can build a PKI inside the AWS cloud for private use within an organization. AWS manages the undifferentiated heavy lifting of creating, managing, and securing CAs. With AWS Private CA, you can create your own CA hierarchy and issue certificates for authenticating internal users, computers, applications, services, servers, devices and signing computer codes.
AWS Private CA Diagram (Source: AWS Private CA Service)
The service now includes a Connector for AD pre-announced during the recent re:inforce 2023, allowing customers to replace on-premises enterprise or other third-party CAs with a managed private CA, providing certificate enrollment to users, groups, and machines managed by their AD.
In an AWS Security blog post on the key announcements and session highlights, the authors wrote:
AWS Private CA will soon launch a Connector for Active Directory (AD). The Connector for AD will help to reduce upfront public key infrastructure (PKI) investment and ongoing maintenance costs with a fully-managed serverless solution. This new feature will help reduce PKI complexity by replacing on-premises certificate authorities with a highly secure hardware security module (HSM)-backed AWS Private CA. You will be able to automatically deploy certificates using auto-enrollment to on-premises AD and AWS Directory Service for Microsoft Active Directory.
The first step is for users to create a connector through the console, command line (create-connector command), or API for AWS Private CA Connector for Active Directory (CreateConnector action). The request syntax for creating a connector using the API looks like:
POST /connectors HTTP/1.1
Content-type: application/json
{
"CertificateAuthorityArn": "string",
"ClientToken": "string",
"DirectoryId": "string",
"Tags": {
"string" : "string"
},
"VpcInformation": {
"SecurityGroupIds": [ "string" ]
}
}
Subsequently, users can follow other procedures, such as configuring templates and integrating with AWS Private CA and Active Directory.
When asked by InfoQ the benefits of the AD Connector, here is what Ken Beer, a general manager of Key Management Service at AWS, had to say:
AWS Private Certificate Authority (CA) Connector for Active Directory (AD) streamlines how customers manage Windows environments to cut private CA costs, reduce complexity, and secure private keys with hardware security modules. Customers can even pair the new feature with AWS Managed Microsoft AD to reduce their on-premises infrastructure dependencies and migrate AD and public key infrastructure to the cloud.
In addition, João Rodolfo Vieira da Silva, a Cyber Security Specialist at Banco Itaú, commented on a LinkedIn post on the AD Connector from AWS private CA general manager Todd Cignetti:
It's opening up huge opportunities for the corporations. Keep it simple and easy for us!
Lastly, the Connector for AD is offered as a feature of AWS Private CA at no additional cost - customers only pay for the private certificate authorities and the certificates they issue through them. The pricing details for AWS Private CA are available on the pricing page.