Managing Highly Available Private CAs in AWS Certificate Manager

Designing Highly Available Private CAs for Redundancy and Disaster Recovery

Question

Your company is working on a new project.

Certificates need to be issued from private Certificate Authorities.

You would like to create and manage private CAs in AWS Certificate Manager.

As part of the redundancy and disaster recovery plan for the project, the private CAs need to be highly available.

The application should still work even when one AWS region has an outage.

How would you design the private CAs through ACM to meet the redundancy and DR requirements?

Answers

Explanations


Correct Answer - A.

A private CA in ACM is a highly available service.

However, its scope is within an AWS region.

You need to create multiple CAs that run independently in at least two regions for redundancy and disaster recovery.

For details, please refer to https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-best-practices.html

Option A is CORRECT: As multiple root CAs work independently in different regions, the private CAs are still functional even if one region has an outage.

Option B is incorrect: ACM is not a global service, and private CAs should be installed in multiple regions.

Option C is incorrect: the limitation of this method is that there is no redundant root CA in the event of a disaster that affects the AWS Region in which your root CA exists.

Option D is incorrect: in ACM, you cannot import a private CA.

You need to create a new private CA in a different region.

The correct answer for this question is A. Create multiple root CAs in two different AWS Regions in ACM. Each root CA and its subordinate CAs operate independently in an AWS region.

Explanation:

To meet the redundancy and disaster recovery requirements, the private CAs should be highly available, and the application should still work even when one AWS region has an outage. To design the private CAs through ACM to meet these requirements, the following approach can be used:

A. Create multiple root CAs in two different AWS Regions in ACM. Each root CA and its subordinate CAs operate independently in an AWS region.

By creating multiple root CAs in two different AWS regions, the private CAs are highly available and can continue to function even if one of the regions is down. This approach provides regional redundancy by creating independent roots in different regions. Each root CA and its subordinate CAs operate independently in their respective regions. The certificate issuance process is isolated from the other region's CAs, ensuring that each region is not dependent on the other. In the event of a disaster, the application can continue to function by using the other region's private CAs.

B. Create root and subordinate CAs in ACM. As ACM is a global service, all CAs installed are configured in different regions automatically.

Although ACM is a global service, creating CAs in different regions is not automatic. While the root CA created in ACM is a global object, the subordinate CAs need to be created in the region where the private keys and certificates will be stored. If a region goes down, the entire private CA hierarchy may fail. Therefore, this approach does not meet the redundancy and disaster recovery requirements.

C. Create a root CA in one region through AWS Certificate Manager. Create several redundant subordinate CAs that chain to the root CA in other regions.

Creating a root CA in one region and creating several redundant subordinate CAs that chain to the root CA in other regions can provide redundancy, but it does not provide regional redundancy. The subordinate CAs still depend on the root CA in one region. Therefore, if that region goes down, the entire private CA hierarchy may fail, which does not meet the redundancy and disaster recovery requirements.

D. Create a root CA in ACM in one region. Export the CA from ACM and import to ACM in another region to provide extra redundancy.

Exporting the CA from ACM and importing it to another region does not provide regional redundancy. The root CA in one region still controls the subordinate CAs in the other region. Therefore, if the root CA's region goes down, the entire private CA hierarchy may fail, which does not meet the redundancy and disaster recovery requirements.
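The design the correct answer describes, independent root CAs in two Regions with the application failing over between them, as an added example that is not part of this page or of AWS's own tooling. It models each root as a plain Python object (the ARNs are constructed placeholders, and "issuing" records which root issued the certificate rather than signing a real X.509 certificate) and shows the caveat that follows from independent roots: a client whose trust store holds only the primary Region's root rejects certificates issued during failover.

```python
from dataclasses import dataclass

class RegionOutage(Exception):
    """Raised when a Region's ACM Private CA endpoint cannot be reached."""

@dataclass
class RegionalRootCa:
    """One independent root CA in one AWS Region (hypothetical model)."""
    region: str
    arn: str            # constructed placeholder ARN, not a real CA
    available: bool = True

    def issue(self, common_name: str) -> dict:
        if not self.available:
            raise RegionOutage(f"{self.region}: CA endpoint unreachable")
        # A real CA returns an X.509 cert signed by this root; the model only
        # records which root issued it, which is what the trust check needs.
        return {"subject": common_name, "issuer_arn": self.arn, "region": self.region}

def issue_with_failover(cas: list, common_name: str) -> dict:
    """Application-side failover: the first reachable regional root issues."""
    failures = []
    for ca in cas:
        try:
            return ca.issue(common_name)
        except RegionOutage as exc:
            failures.append(str(exc))
    raise RegionOutage("no Region could issue: " + "; ".join(failures))

def build_trust_bundle(cas: list) -> frozenset:
    """Clients need every regional root in their trust store, not only the primary."""
    return frozenset(ca.arn for ca in cas)

def client_accepts(cert: dict, trust_bundle: frozenset) -> bool:
    """Trust-anchor check only; a real client also validates the signature chain."""
    return cert["issuer_arn"] in trust_bundle

EAST_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-EAST"
WEST_ARN = "arn:aws:acm-pca:us-west-2:111122223333:certificate-authority/EXAMPLE-WEST"

def failover_scenario(east_up: bool) -> dict:
    """Constructed scenario: issue one cert, then test two client trust stores."""
    east = RegionalRootCa("us-east-1", EAST_ARN, available=east_up)
    west = RegionalRootCa("us-west-2", WEST_ARN)
    cert = issue_with_failover([east, west], "api.internal.example")
    both_roots = build_trust_bundle([east, west])
    return {"issued_in": cert["region"],
            "accepted_with_both_roots": client_accepts(cert, both_roots),
            "accepted_with_east_root_only": client_accepts(cert, build_trust_bundle([east]))}
```

With us-east-1 up, issuance stays in the primary Region; with it down, us-west-2 issues, and only clients that trust both roots keep working.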