Are Amazon certificate authority services trustworthy?

AWS now operates as its own CA. What are the potential risks of the new Amazon certificate authority services? Expert Dave Shackleford outlines the pros and cons of this new setup.

Many of today's most prevalent internet-based services rely inherently on consumer and business trust. Individuals need to trust the e-commerce sites they purchase from, organizations need to validate and trust the partners and services they rely on, and everyone needs a way to confirm that the trust they're presented with is verifiable in some generally accepted way.

Today, the underpinning of most trust on the internet happens via cryptographic methods, primarily provided by Secure Sockets Layer (SSL) and its replacement, Transport Layer Security (TLS).

In 2016, AWS started AWS Certificate Manager and Amazon Trust Services to use and manage certificates through Amazon. AWS is now in the process of moving certificates for its internal services -- such as Amazon Elastic Cloud Compute and Amazon DynamoDB -- to Amazon Trust Services.

In the past several years, faith in SSL/TLS has diminished significantly. Many of the most well-known cryptographic ciphers used to do SSL/TLS handshakes have proven mathematically weak, all the current versions of SSL are considered unsafe, and the vast majority of SSL/TLS implementations rely on open source software that has been soundly and repeatedly compromised. To top it all off, some of the world's certificate authorities (CAs) -- the organizations charged with providing the highest level of confidence in the SSL/TLS trust hierarchy -- have been shown to be less than fully trustworthy.

With its recent shift to Amazon Trust Services, AWS has become its own certificate authority. What this means is that a significant portion of the infrastructure that tenants are using is protected by Amazon, and only Amazon, with no other vetted parties in the trust hierarchy. This raises a big -- and obvious -- question: Is this new Amazon certificate authority system a good thing or a bad thing?

The pros and cons of the Amazon certificate authority

What the failure of SSL and the use of cryptographic certificates represent is nothing short of a total breakdown in internet trust and identity validation -- who is communicating with whom? Is the site I'm communicating with actually trusted and validated by a trusted provider? Can I trust what my browser is showing me?

In the case of AWS, users will have to place their trust entirely in Amazon for all the services it provides. This includes the main web sign-in page and all the services on the back end. The possible threat scenarios are the same as those for any CA or public key infrastructure deployment.

Weak cipher suites used for certificates could potentially lead to cryptographic vulnerabilities that attackers could exploit. A compromise of Amazon's CA could easily lead to a complete trust breakdown across all AWS services. Exposure of customer secrets, such as keys or passwords, or man-in-the-middle attacks could happen in either of these cases.

For many customers, the biggest challenge with the Amazon certificate authority will be the lack of visibility into Amazon's PKI controls and components. For example, what software does Amazon use for its CA services? If it is homegrown -- which is likely -- are open source tools and libraries involved, and how are they vetted? What independent auditing will be done on the Amazon CA system to reassure customers that some degree of independent oversight is present?
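What a customer can observe without any view into Amazon's PKI is the issuer, protocol version and cipher suite each endpoint actually presents. The following is an added example, not part of the original article: it summarises those three facts for a connection. The `O=Amazon` issuer match, the weak-cipher markers, the old-protocol list and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl

# Assumed markers: substrings of OpenSSL cipher names generally treated as weak.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "EXP-", "MD5")
# Assumed policy: anything below TLS 1.2 is reported as an old protocol.
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def rdn_value(name, field):
    """Return one field from a getpeercert()-style name (tuple of RDN tuples)."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def assess(cert, protocol, cipher_name, ca_org="Amazon"):
    """Summarise what the client can see: issuing CA, protocol and cipher."""
    issuer = cert.get("issuer", ())
    org = rdn_value(issuer, "organizationName")
    return {
        "issuer_org": org,
        "issuer_cn": rdn_value(issuer, "commonName"),
        "issued_by_ca_org": org == ca_org,
        "old_protocol": protocol in OLD_PROTOCOLS,
        "weak_cipher": any(m in cipher_name for m in WEAK_CIPHER_MARKERS),
    }


def probe(host, port=443, timeout=5.0):
    """Live check: verified handshake against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return assess(tls.getpeercert(), tls.version(), tls.cipher()[0])


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "service.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Amazon"),),
        (("commonName", "Example Issuing CA (constructed)"),),
    ),
}
```

Running `probe()` over the endpoints an application depends on gives an inventory of which ones chain to a single CA organization and which still negotiate old protocols or weak suites.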

On the flip side, there's a very good chance that AWS will actually be more secure by handling its own certificates. While there are definitely risks, AWS has a good track record in security so far, and there's no reason to expect that to change with full control of the CA trust hierarchy within its service model. In fact, it's likely that it'll do a better job than many of the other CAs we've seen over the years.

Customers should, as always, ask for as much detail about the Amazon certificate authority services as AWS will provide, and push for ISO 27001 and other audits that can provide third-party assurance of valid controls.

This was last published in May 2018

3 comments

Wrong information. TLS 1.2 and 1.3 are the current safe standard and will be safe for years. You should not be using any SSL protocol; they should be disabled.
TLS 1.0 and 1.1 are OK but it is better to upgrade before the call to refuse such communication.

I'd trust AWS over most other CAs because AWS engineering is solid while most CAs got their position through politics and connections and are just interested in milking the cow and not in security.
Most of the hacks on my website are initiated through AWS servers from Seattle, Portland, and Virginia. I tracked one persistent hacker who resides in Islamabad, Pakistan, and proudly uses U.S. Amazon servers and has U.S.-based websites hosted by GoDaddy in Phoenix and Bluehost in Provo, UT. This individual has SSL certificates from all of these hosts.
Anything for a buck. None of these companies will take my complaints without solid proof. How about some self monitoring? You are all traitors in my opinion.