Slide 1

AAA: An ACME Agent for AWS
2016/01/22 @ HDE MTS #18
TANABE Ken-ichi

Slide 2

ACME Protocol and Let’s Encrypt Project

Slide 3

How ACME (Let’s Encrypt) works
1. Register your account
2. Prove possession of your domain
3. Request LE to issue a certificate
4. Download the certificate
5. Renew the certificate periodically within 90 days
All things CAN be automated via RESTful API
All things MUST be automated, or you will be stuck

Slide 4

Things we should resolve
● DNS integration
● Key store integration
● Automated renewal process integration
● ChatOps integration
Answer: https://github.com/nabeken/aaa

Slide 5

AAA’s Goal (for fun): Fully utilize AWS
● Server-less architecture by AWS Lambda
● State-less architecture by AWS S3
● Server-side-Encryption by AWS S3 SSE-KMS
● Server-less domain validation by AWS Route53
● ChatOps integration by AWS API Gateway
No server, No state, fully automated and Secure
It’s super cool...
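The domain-possession step of the ACME flow (slide 3, step 2), done over DNS the way slide 5 proposes with Route53: the agent derives the value it must publish in the `_acme-challenge` TXT record from the CA's challenge token and its own account key. This is an added example in Go, not code from the aaa project; the token is constructed, the account key is generated on the fly, and the Route53 call that publishes the record is left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// b64 is the unpadded base64url encoding ACME uses for every binary value.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// jwkThumbprint is the RFC 7638 thumbprint of an RSA account key: SHA-256 over the
// JWK members "e","kty","n" in lexicographic order, no whitespace (json.Marshal gives both).
func jwkThumbprint(pub *rsa.PublicKey) string {
	jwk := struct {
		E   string `json:"e"`
		Kty string `json:"kty"`
		N   string `json:"n"`
	}{b64(big.NewInt(int64(pub.E)).Bytes()), "RSA", b64(pub.N.Bytes())}
	raw, _ := json.Marshal(jwk) // a struct of plain strings cannot fail to marshal
	sum := sha256.Sum256(raw)
	return b64(sum[:])
}

// keyAuthorization ties the CA's challenge token to the account key, so only
// the holder of that key can produce the record the CA will look for.
func keyAuthorization(token string, pub *rsa.PublicKey) string {
	return token + "." + jwkThumbprint(pub)
}

// dns01TXTValue is what goes into the _acme-challenge.<domain> TXT record:
// base64url(SHA-256(key authorization)); the token itself is never published.
func dns01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return b64(sum[:])
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // demo key; AAA would load its key from S3
	if err != nil {
		panic(err)
	}
	ka := keyAuthorization("constructed-token", &key.PublicKey) // token is constructed
	fmt.Println("_acme-challenge TXT value:", dns01TXTValue(ka))
}
```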

Slide 6

How AAA Works
● Core logic written in Go as CLI app
● CLI app does the tricks
● Lambda Function just wraps it
● Build as a single ZIP and ship it to 3 Lambda Functions

Slide 7

Let’s Encrypt opens the door… YESTERDAY!!!!

Slide 8

DEMO: If you see this, I failed to show you the demo

Slide 9

One more thing…

Slide 10

AWS Certificate Management (ACM) released TODAY
● TODAY (OMG!!)
● Certificates issued by ACM are FREE
● Integrated with ELB and CloudFront (for now)
● Only available for us-east-1 for now

Slide 11

Quick comparison: Let’s Encrypt vs ACM

                          Let’s Encrypt            ACM
Pricing                   FREE                     FREE
Application               No limitation            ELB and CloudFront
Type                      DV certificate           DV certificate
Period                    3 months                 13 months
Wildcard certificate      Not Available            Available
Multiple domains (SAN)    Available                Available
Validation methods        HTTP, DNS                Email
Certificate algorithm     RSA 2048, 4096 bits      RSA 2048 bits
                          ECDSA (P-256, …?)