2.2.5 Generate Certificates and SSH Keys
ACM — Generate/Request Certificates
```bash
# Request a public certificate via the CLI (DNS validation)
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS
```
- Public certificates: free, auto-renewed
- Private certificates: ACM Private CA
- Wildcard: *.example.com covers all subdomains
EC2 Key Pairs (SSH)
| Type | Description |
|---|---|
| RSA | Default, widely supported |
| ED25519 | Newer, more secure, smaller key |
```bash
# Create an ED25519 key pair and write the private key to disk
aws ec2 create-key-pair \
  --key-name my-key \
  --key-type ed25519 \
  --query 'KeyMaterial' \
  --output text > my-key.pem
# Restrict permissions: owner read-only, otherwise ssh refuses the key
chmod 400 my-key.pem
```
- Private key: can be downloaded only once, at creation time
- Public key: stored by AWS and injected into the EC2 instance
- Lost private key: cannot be recovered; create a new key pair
Systems Manager Session Manager (Alternative to SSH)
| Feature | SSH | Session Manager |
|---|---|---|
| Port 22 | Required | ❌ Not needed |
| Key management | Manual | ❌ Not needed |
| Bastion host | Often needed | ❌ Not needed |
| Audit | Manual | ✅ CloudTrail + S3 logs |
| IAM integration | ❌ | ✅ |
- Recommended over SSH for production
- No inbound ports, no SSH keys, no bastion hosts
Secrets Manager — Generate Passwords
```python
import boto3

sm = boto3.client('secretsmanager')

# Generate a random password; excluded characters avoid breaking
# connection strings and URLs, and every character type is required
response = sm.get_random_password(
    PasswordLength=32,
    ExcludeCharacters='/@"',
    RequireEachIncludedType=True
)
password = response['RandomPassword']
```
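Added example (not AWS code): a local, CSPRNG-backed stand-in that mirrors the `PasswordLength`, `ExcludeCharacters` and `RequireEachIncludedType` parameters above, plus a checker that verifies a password returned by Secrets Manager actually meets the constraints that were requested. The function names and the character classes are assumptions made for illustration.

```python
import secrets
import string

# Character classes the default request draws from (assumed to mirror
# upper/lower/digit/punctuation); constructed locally for this example.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punct": string.punctuation,
}


def generate_password(length=32, exclude='/@"', require_each_type=True):
    """Local stand-in for get_random_password(): honours the excluded
    characters and guarantees one character from each class."""
    pools = {k: "".join(c for c in v if c not in exclude)
             for k, v in CLASSES.items()}
    if require_each_type and length < len(pools):
        raise ValueError("length too short to include every character type")
    alphabet = "".join(pools.values())
    chars = []
    if require_each_type:
        # One guaranteed character per class, then fill the remainder.
        chars = [secrets.choice(p) for p in pools.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not
    # always in the leading positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies_policy(pw, length=32, exclude='/@"', require_each_type=True):
    """Check a password (local or returned by Secrets Manager) against
    the same constraints the request asked for."""
    if len(pw) != length or any(c in exclude for c in pw):
        return False
    if require_each_type:
        return all(any(c in pool for c in pw) for pool in CLASSES.values())
    return True
```

Run `satisfies_policy(response['RandomPassword'])` on the real API result to confirm the returned secret honours the excluded-character set before it is written into a connection string.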
Exam Tip: ACM for SSL/TLS certificates (public ones are free). Session Manager > SSH (no open ports, no keys, audit trail). EC2 key pairs: the private key can be downloaded only once.