2.2.2 Certificate Management
AWS Certificate Manager (ACM)
| Feature | Description |
|---|---|
| Public certificates | Free SSL/TLS certificates for AWS services |
| Private certificates | ACM Private CA ($400/month) |
| Auto-renewal | Renews automatically before the certificate expires |
| Validation | DNS validation (recommended) or email validation |
Supported Services
| Service | ACM Support |
|---|---|
| CloudFront | ✅ (us-east-1 only) |
| ALB / NLB | ✅ |
| API Gateway | ✅ (custom domain) |
| Elastic Beanstalk | ✅ (via ALB) |
| EC2 | ❌ (use a self-managed certificate) |
DNS Validation vs Email Validation
| | DNS Validation | Email Validation |
|---|---|---|
| Method | Add a CNAME record to DNS | Respond to an email |
| Auto-renewal | ✅ | ❌ (manual) |
| Recommended | ✅ | ❌ |
| Works with | Route 53, any DNS | Domain owner email |
Custom Domain for API Gateway
1. Request a certificate in ACM (same region as the API, or us-east-1 for an edge-optimized endpoint)
2. Create a custom domain name in API Gateway
3. Map the API stage to the custom domain
4. Create a Route 53 alias record → API Gateway domain
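The four steps above as one CloudFormation template, added here as an example (not from the original notes). It assumes an existing Route 53 hosted zone and an existing REST API; the hostname `api.example.com`, the stage name and the parameter names are placeholders.

```yaml
Parameters:
  DomainName:
    Type: String
    Default: api.example.com              # assumed hostname
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id    # assumed: existing zone for example.com
  RestApiId:
    Type: String                          # assumed: existing REST API id
  StageName:
    Type: String
    Default: prod
Resources:
  # Step 1: request the certificate. Giving DNS validation a HostedZoneId lets
  # CloudFormation create the validation CNAME itself, so renewal stays automatic.
  # A REGIONAL domain needs the cert in the API's region; EDGE needs us-east-1.
  ApiCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
  # Step 2: custom domain in API Gateway; TLS_1_2 refuses TLS 1.0/1.1 clients.
  ApiDomain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Ref DomainName
      RegionalCertificateArn: !Ref ApiCertificate   # CertificateArn for EDGE
      SecurityPolicy: TLS_1_2
      EndpointConfiguration:
        Types: [REGIONAL]
  # Step 3: map the API stage onto the domain's root path.
  ApiMapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref ApiDomain
      RestApiId: !Ref RestApiId
      Stage: !Ref StageName
  # Step 4: Route 53 alias to the API Gateway domain (for EDGE use
  # DistributionDomainName / DistributionHostedZoneId instead).
  ApiAlias:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt ApiDomain.RegionalDomainName
        HostedZoneId: !GetAtt ApiDomain.RegionalHostedZoneId
```

Stack creation blocks on the certificate until the CNAME has propagated and ACM has validated it, which is the same DNS-validation step the table above recommends over email validation.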
Exam Tip: ACM public certificates = free. DNS validation = auto-renewal. CloudFront certificates must be in us-east-1. EC2 does not use ACM directly.