Amazon Trust Services

Amazon Trust Services is a certificate authority created and operated by Amazon Web Services. Amazon Trust Services works with the AWS Certificate Manager service to simplify certificate management and ensure secure communication between a client and a server.

The AWS Certificate Manager can help an IT team overcome the complex, error-prone manual tasks involved with creating Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates; it enables an administrator to provision, deploy and automatically renew certificates. A user can request a new certificate and deploy it to other Amazon services, including Elastic load balancing and Amazon CloudFront.

While Amazon Trust Services provides free certificates that AWS users sign, an IT team must still obtain and pay for certificates. In addition, an IT pro can upload a non-Amazon Trust Services certificate to the AWS Certificate Manager.

Amazon Trusted Services: A certificate authority

Consumers and businesses need a way to securely exchange data while staying ahead of bad actors. A digital certificate (or public key certificate) is like a password that enables secure data exchanges using the public key infrastructure (PKI). Digital certificates are commonly used for initializing SSL connections between web browsers and servers, and to authenticate digital signatures.

TLS handshake
TLS establishes an encrypted and secure connection to ensure authenticity using a client-server handshake mechanism.

In simple terms, digital certificates help protect information online, encrypt digital transactions, and enable secure multiparty communication.

A certificate authority (CA) is a trusted organization that verifies the identities of websites, devices and people to ensure secure communications and trusted transactions. They do this by issuing digital certificates.

SSL and TLS certificates are critical for encrypting web traffic, and for ensuring safe data exchange and transactions on banking, e-commerce or other kinds of websites containing sensitive data. This is why CAs and digital certificates play a vital role in ensuring digital/internet security.

Amazon Trust Services is a trusted CA that issues digital SSL certificates free to developers who want to encrypt their website or application traffic. It is the root CA for AWS, allowing AWS developers to directly purchase the verified SSL certificates they need from the Amazon ecosystem without having to go to a third-party CA.

Amazon Trust Services: A trustworthy CA

Amazon Trust services operates five root CAs that enable an IT team to provision and deploy several certificate classes:

  • Amazon Root CA 1 uses SHA-256 with a 2,048 bit key;
  • Amazon Root CA 2 uses SHA-384 with a 4,096 bit key;
  • Amazon Root CA 3 uses ECC P-256 (or NIST P-256);
  • Amazon Root CA 4 uses ECC P-384 (or NIST P-384); and
  • Starfield Services Root Certificate Authority-G2 uses SHA-256 with a 2,048 bit key.

AWS Certificate Manager only issues certificates from Amazon Root CA 1 (SHA-256 with a 2 KB key), which browsers recognize as a valid CA. For additional validation, Starfield Services Root Certificate Authority-G2 cross-signs those certificates; and Starfield Class 2 Certification Authority cross-signs them again.

Core components of public key infrastructure

AWS purchased the Starfield Services CA, a root that has been valid since 2005 and found in most browsers. This ensures the ubiquity of the Amazon Trust Services CA so developers don't need to take any additional action to use any of its issued certificates.

Common web browsers and operating systems automatically trust CA issued by Amazon Trust Services. The process of adding a certificate to a server depends on the OS: Windows Server, macOS, Ubuntu or Red Hat Enterprise Linux/Fedora/CentOS.

While Amazon Trust Services provides free certificates that AWS users sign, an IT team must still obtain and pay for certificates. They can also upload a non-Amazon Trusted Services certificate to the AWS Certificate Manager, however. Amazon Trust Services Certificate Policy describes Amazon's policies and practices for issuing public certificates.

Certificates encrypt data

Amazon Trust Services uses certificate management to implement strong data security in the AWS public cloud. An SSL certificate is a small data file that provides a cryptographic key tied to a company's unique information. A certificate ensures that each key is truly unique and trustworthy. When a certificate is deployed, one end of the SSL link establishes identity and trust for the other end. But an IT team does not produce certificates itself. A third-party CA, such as Amazon Trust Services, issues certificates. The certificate's key is tied to the identity of the CA, verifying that the certificate is genuine -- a process called signing the certificate.

AWS Certificate Manager

In addition to securing communications and data, an SSL certificate helps improve a site's search rankings. However, SSL/TLS certificates are time-limited and usually valid for only one year. After expiring, a certificate needs to be renewed. IT personnel must manually track and update certificates, which can be a difficult and costly.

Amazon Trust Services works with AWS Certificate Manager to ease certificate management for securing client/server communication, and to implement strong data security in the AWS public cloud. With the AWS Certificate Manager service, users can easily provision, manage and deploy public or private SSL/TLS certificates, and use them with their AWS services (e.g., Elastic Load Balancers or Amazon CloudFront distributions), or with internal connected resources.

Benefits of AWS Certificate Manager are as follows:

  • eliminates the manual processes associated with using and managing SSL/TLS certificates;
  • certifies private keys are protected and stored using strong encryption;
  • handles automatic certificate renewals; and
  • avoids downtime due to misconfigured, revoked or expired certificates.

After receiving a certificate from Amazon Trust Services, click on the padlock symbol in the browser bar of an HTTPS website. It will display that you are on a secured connection that is 'Verified by: Amazon.'

This was last updated in June 2021

Continue Reading About Amazon Trust Services

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality