AWS acm documentation change
Summary
Added documentation for HTTP validation method and expanded PKI section with details about certificate lifecycle and security implications
Security assessment
The changes add documentation about HTTP-based domain validation and PKI implementation, which are security features for certificate management. However, there is no evidence of addressing a specific security vulnerability.
Diff
diff --git a/acm/latest/userguide/acm-concepts.md b/acm/latest/userguide/acm-concepts.md index d44ae70d1..9f91cb83d 100644 --- a//acm/latest/userguide/acm-concepts.md +++ b//acm/latest/userguide/acm-concepts.md @@ -5 +5 @@ -ACM CertificateACM Root CAsApex DomainAsymmetric Key CryptographyCertificate AuthorityCertificate Transparency LoggingDomain Name SystemDomain NamesEncryption and DecryptionFully Qualified Domain Name (FQDN)Public Key InfrastructureRoot CertificateSecure Sockets Layer (SSL)Secure HTTPSSSL Server CertificatesSymmetric Key CryptographyTransport Layer Security (TLS)Trust +ACM CertificateACM Root CAsApex DomainAsymmetric Key CryptographyCertificate AuthorityCertificate Transparency LoggingDomain Name SystemDomain NamesEncryption and DecryptionFully Qualified Domain Name (FQDN)Hypertext Transfer Protocol (HTTP)Public Key Infrastructure (PKI)Root CertificateSecure Sockets Layer (SSL)Secure HTTPSSSL Server CertificatesSymmetric Key CryptographyTransport Layer Security (TLS)Trust @@ -33 +33,3 @@ This section provides definitions of concepts used by AWS Certificate Manager. - * Public Key Infrastructure + * Hypertext Transfer Protocol (HTTP) + + * Public Key Infrastructure (PKI) @@ -242 +244,15 @@ See Domain Names. -## Public Key Infrastructure +## Hypertext Transfer Protocol (HTTP) + +The Hypertext Transfer Protocol (HTTP) is the foundation of data communication on the World Wide Web. It's an application-layer protocol that enables the exchange of various content types. HTTP operates on a client-server model, where web browsers typically act as clients requesting resources from web servers. As a stateless protocol, HTTP treats each request independently, without retaining information from previous requests. + +In the context of ACM, HTTP can be used for domain validation when issuing SSL/TLS certificates. This process involves ACM sending specific HTTP requests to verify domain ownership. The server's ability to respond correctly to these requests demonstrates control over the domain. + +Unlike email or DNS-validated certificates, ACM customers can't issue HTTP-validated certificates directly from ACM. Instead, these certificates are automatically issued and managed as part of the CloudFront provisioning process. Customers can use ACM to view, monitor, and manage these certificates, but the initial issuance is handled by the integration between ACM and CloudFront. + +While HTTP is widely used, it's important to note that it transmits data in plain text. For secure communication, HTTPS (HTTP Secure) is used, which encrypts the data using SSL/TLS protocols. For more information on secure communications, see Secure HTTPS. + +## Public Key Infrastructure (PKI) + +Public Key Infrastructure (PKI) is a system of processes, technologies, and policies that enables secure communication over public networks. In the context of ACM, PKI plays a crucial role in the issuance, management, and validation of digital certificates. PKI uses a pair of cryptographic keys: a public key that is freely distributed, and a private key that is kept secret by the owner. This system allows for secure data transmission, digital signatures, and authentication of digital entities. + +ACM implements several key components of PKI. It acts as a Certificate Authority (CA), a trusted third party that issues digital certificates, binding public keys to entities such as domains or organizations. ACM issues X.509 certificates, which contain information about the entity, its public key, and the certificate's validity period. It also handles the complete lifecycle of certificates, including issuance, renewal, and revocation. To ensure the legitimacy of certificate requests, ACM supports various methods to validate domain ownership, such as DNS validation and HTTP validation. @@ -244 +260 @@ See Domain Names. -A public key infrastructure (PKI) consists of hardware, software, people, policies, documents, and procedures that are needed to create, issue, manage, distribute, use, store, and revoke digital certificates. PKI facilitates the secure transfer of information across computer networks. +By leveraging PKI, ACM enables secure HTTPS connections, digital signatures, and encrypted communication for AWS resources and applications. This infrastructure is essential for maintaining the confidentiality, integrity, and authenticity of data transmitted over the internet. For more information on how ACM implements PKI, see [AWS Certificate Manager certificates](./gs.html).