Security News
JavaScript Leaders Demand Oracle Release the JavaScript Trademark
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
@aws-cdk/aws-certificatemanager
Advanced tools
The CDK Construct Library for AWS::CertificateManager
@aws-cdk/aws-certificatemanager is an AWS CDK library that allows you to manage AWS Certificate Manager (ACM) certificates. It provides constructs for creating and managing SSL/TLS certificates for use with AWS services and your own applications.
Create a Certificate
This feature allows you to create an SSL/TLS certificate for a specified domain name. The certificate is validated using DNS validation.
const cdk = require('aws-cdk-lib');
const certificatemanager = require('@aws-cdk/aws-certificatemanager');
const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');
const certificate = new certificatemanager.Certificate(stack, 'MyCertificate', {
domainName: 'example.com',
validation: certificatemanager.CertificateValidation.fromDns(),
});
app.synth();
Import an Existing Certificate
This feature allows you to import an existing ACM certificate using its ARN. This is useful if you want to use a certificate that was created outside of your CDK application.
const cdk = require('aws-cdk-lib');
const certificatemanager = require('@aws-cdk/aws-certificatemanager');
const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');
const certificateArn = 'arn:aws:acm:region:account-id:certificate/certificate-id';
const certificate = certificatemanager.Certificate.fromCertificateArn(stack, 'ImportedCertificate', certificateArn);
app.synth();
Create a Certificate with Email Validation
This feature allows you to create an SSL/TLS certificate for a specified domain name with email validation. ACM will send validation emails to the domain's registered email addresses.
const cdk = require('aws-cdk-lib');
const certificatemanager = require('@aws-cdk/aws-certificatemanager');
const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');
const certificate = new certificatemanager.Certificate(stack, 'MyCertificate', {
domainName: 'example.com',
validation: certificatemanager.CertificateValidation.fromEmail(),
});
app.synth();
The aws-sdk package is the official AWS SDK for JavaScript. It provides a comprehensive set of tools for interacting with AWS services, including AWS Certificate Manager. While it offers more granular control over AWS services, it lacks the higher-level abstractions provided by the AWS CDK.
The serverless package is a framework for building and deploying serverless applications on AWS and other cloud providers. It includes plugins for managing ACM certificates, but it is more focused on serverless architecture and less on infrastructure as code compared to the AWS CDK.
Terraform is an open-source infrastructure as code software tool created by HashiCorp. It allows users to define and provision data center infrastructure using a high-level configuration language. Terraform has a provider for AWS that includes resources for managing ACM certificates, but it uses a different syntax and workflow compared to the AWS CDK.
AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. ACM certificates can secure singular domain names, multiple specific domain names, wildcard domains, or combinations of these. ACM wildcard certificates can protect an unlimited number of subdomains.
This package provides Constructs for provisioning and referencing ACM certificates which can be used with CloudFront and ELB.
After requesting a certificate, you will need to prove that you own the domain in question before the certificate will be granted. The CloudFormation deployment will wait until this verification process has been completed.
Because of this wait time, when using manual validation methods, it's better to provision your certificates either in a separate stack from your main service, or provision them manually and import them into your CDK application.
Note: There is a limit on total number of ACM certificates that can be requested on an account and region within a year. The default limit is 2000, but this limit may be (much) lower on new AWS accounts. See https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html for more information.
DNS validation is the preferred method to validate domain ownership, as it has a number of advantages over email validation. See also Validate with DNS in the AWS Certificate Manager User Guide.
If Amazon Route 53 is your DNS provider for the requested domain, the DNS record can be created automatically:
const myHostedZone = new route53.HostedZone(this, 'HostedZone', {
zoneName: 'example.com',
});
new acm.Certificate(this, 'Certificate', {
domainName: 'hello.example.com',
validation: acm.CertificateValidation.fromDns(myHostedZone),
});
If Route 53 is not your DNS provider, the DNS records must be added manually and the stack will not complete creating until the records are added.
new acm.Certificate(this, 'Certificate', {
domainName: 'hello.example.com',
validation: acm.CertificateValidation.fromDns(), // Records must be added manually
});
When working with multiple domains, use the CertificateValidation.fromDnsMultiZone()
:
const exampleCom = new route53.HostedZone(this, 'ExampleCom', {
zoneName: 'example.com',
});
const exampleNet = new route53.HostedZone(this, 'ExampleNet', {
zoneName: 'example.net',
});
const cert = new acm.Certificate(this, 'Certificate', {
domainName: 'test.example.com',
subjectAlternativeNames: ['cool.example.com', 'test.example.net'],
validation: acm.CertificateValidation.fromDnsMultiZone({
'test.example.com': exampleCom,
'cool.example.com': exampleCom,
'test.example.net': exampleNet,
}),
});
Email-validated certificates (the default) are validated by receiving an email on one of a number of predefined domains and following the instructions in the email.
See Validate with Email in the AWS Certificate Manager User Guide.
new acm.Certificate(this, 'Certificate', {
domainName: 'hello.example.com',
validation: acm.CertificateValidation.fromEmail(), // Optional, this is the default
});
ACM certificates that are used with CloudFront -- or higher-level constructs which rely on CloudFront -- must be in the us-east-1
region.
The DnsValidatedCertificate
construct exists to facilitate creating these certificates cross-region. This resource can only be used with
Route53-based DNS validation.
declare const myHostedZone: route53.HostedZone;
new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {
domainName: 'hello.example.com',
hostedZone: myHostedZone,
region: 'us-east-1',
});
AWS Certificate Manager can create private certificates issued by Private Certificate Authority (PCA). Validation of private certificates is not necessary.
import * as acmpca from '@aws-cdk/aws-acmpca';
new acm.PrivateCertificate(this, 'PrivateCertificate', {
domainName: 'test.example.com',
subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional
certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
});
If you want to import an existing certificate, you can do so from its ARN:
const arn = 'arn:aws:...';
const certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', arn);
To share the certificate between stacks in the same CDK application, simply
pass the Certificate
object between the stacks.
The DaysToExpiry
metric is available via the metricDaysToExpiry
method for
all certificates. This metric is emitted by AWS Certificates Manager once per
day until the certificate has effectively expired.
An alarm can be created to determine whether a certificate is soon due for renewal ussing the following code:
import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
declare const myHostedZone: route53.HostedZone;
const certificate = new acm.Certificate(this, 'Certificate', {
domainName: 'hello.example.com',
validation: acm.CertificateValidation.fromDns(myHostedZone),
});
certificate.metricDaysToExpiry().createAlarm(this, 'Alarm', {
comparisonOperator: cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD,
evaluationPeriods: 1,
threshold: 45, // Automatic rotation happens between 60 and 45 days before expiry
});
FAQs
The CDK Construct Library for AWS::CertificateManager
The npm package @aws-cdk/aws-certificatemanager receives a total of 109,002 weekly downloads. As such, @aws-cdk/aws-certificatemanager popularity was classified as popular.
We found that @aws-cdk/aws-certificatemanager demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In an open letter, JavaScript community leaders urge Oracle to give up the JavaScript trademark, arguing that it has been effectively abandoned through nonuse.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
Security News
Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.