Tags: amazon-web-services, ssl, certificate, containers, amazon-ecs

AWS ECS get public certificates for internal backend communication


Consider the following scenario: a container running in the backend, e.g. on AWS Fargate or ECS, and the communication between the container and other backend components (e.g. AWS API Gateway) should be TLS encrypted. Since not all components accept self-signed certificates (e.g. AWS API Gateway), public certificates should be used for the container.

What is the best way to obtain public certificates for such internal backend communication use cases in terms of cost and validity time (one year or longer)?

As far as I know, AWS-issued certificates do not work because these certificates can only be used on a load balancer or API Gateway, but not in a container running on ECS/Fargate.


Solution

  • You're correct that a public ACM SSL certificate can only be attached to one of the following:

    • CloudFront
    • Application Load Balancer
    • Network Load Balancer (With a TLS Listener)
    • API Gateway

    Outside of these resources you have a few options available to you:

    • Using certbot to generate a free SSL certificate; there's even an official Docker image.
    • Paying for your own certificate that you package within your Docker image.
    • Use the paid private CA registry feature of ACM.
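
Whichever of the three options above is chosen, the container ends up with a PEM certificate file on disk, either baked into the image or fetched by certbot at start-up, and the question's concern about validity time then becomes an operational one: the task must not start serving a certificate that API Gateway will reject (self-signed) or that is about to expire. The following preflight script is an added example, not code from the question, the answer, certbot or AWS. It assumes the `openssl` CLI is available in the image and that the certificate and CA bundle paths passed to `check_cert` are placeholders you replace with your own; `MIN_DAYS` is an assumed renewal threshold.

```shell
#!/usr/bin/env sh
# Added example (not from the original Q&A): preflight checks for the PEM
# certificate a container is about to serve. Intended to run from an
# entrypoint or deploy hook before the TLS listener starts.
# Assumption: the openssl CLI is installed in the image.
set -eu

# Assumed threshold: fail the check when fewer than this many days remain,
# so an expiring certbot cert or a stale baked-in cert is caught early.
MIN_DAYS="${MIN_DAYS:-30}"

# cert_is_self_signed FILE -> exit 0 when subject equals issuer.
# A self-signed cert is exactly what peers like API Gateway will not accept.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_valid_for_days FILE DAYS -> exit 0 when the cert will still be valid
# DAYS from now (openssl -checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_chains_to FILE CA_BUNDLE -> exit 0 when FILE verifies against the
# bundle, i.e. it chains to a root the peers actually trust.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_cert FILE CA_BUNDLE -> prints each finding; exit 0 only if all pass.
check_cert() {
  rc=0
  if cert_is_self_signed "$1"; then
    echo "FAIL: $1 is self-signed (subject == issuer)"; rc=1
  fi
  if ! cert_valid_for_days "$1" "$MIN_DAYS"; then
    echo "FAIL: $1 expires within $MIN_DAYS days; renew or rotate"; rc=1
  fi
  if ! cert_chains_to "$1" "$2"; then
    echo "FAIL: $1 does not chain to a CA in $2"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $1 passed all checks"
  return "$rc"
}

# Constructed demo input: a self-signed cert valid for only 10 days, the kind
# of cert the question says API Gateway rejects. Prints the cert path.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -days 10 -subj "/CN=backend.internal" >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Stand-alone run: the demo cert is rejected on two counts (self-signed and
# short remaining validity), which is the intended outcome.
DEMO_CERT=$(make_demo_cert)
check_cert "$DEMO_CERT" "$DEMO_CERT" || echo "demo cert rejected as expected"
```

In a real task the call would be `check_cert /etc/ssl/app/fullchain.pem /etc/ssl/certs/ca-certificates.crt` (both paths are placeholders for your own), with a non-zero exit stopping the container before it serves a certificate its peers will refuse; using the system CA bundle rather than the cert itself as the second argument is what turns the chain check into a test of public trust.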