Amazon Trust Services

Amazon Trust Services is a certificate authority created and operated by Amazon Web Services. Amazon Trust Services works with the AWS Certificate Manager service to simplify certificate management and ensure secure communication between a client and a server.

The AWS Certificate Manager can help an IT team overcome the complex, error-prone manual tasks involved with creating Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificates; it enables an administrator to provision, deploy and automatically renew certificates. A user can request a new certificate and deploy it to other Amazon services, including Elastic Load Balancing and Amazon CloudFront.

While Amazon Trust Services provides free certificates signed for AWS users, an IT team must still obtain and pay for certificates from any other CA it chooses to use. In that case, an IT pro can upload the non-Amazon Trust Services certificate to AWS Certificate Manager.

Amazon Trust Services operates five root CAs that enable an IT team to provision and deploy several certificate classes:

  • Amazon Root CA 1 uses SHA-256 with a 2,048-bit key
  • Amazon Root CA 2 uses SHA-384 with a 4,096-bit key
  • Amazon Root CA 3 uses ECC P-256 (or NIST P-256)
  • Amazon Root CA 4 uses ECC P-384 (or NIST P-384)
  • Starfield Services Root Certificate Authority-G2 uses SHA-256 with a 2,048-bit key

AWS Certificate Manager only issues certificates from Amazon Root CA 1 (SHA-256 with a 2,048-bit key), which browsers recognize as a valid CA. To extend that trust further, Starfield Services Root Certificate Authority-G2 cross-signs Amazon Root CA 1, and Starfield Class 2 Certification Authority in turn cross-signs Starfield Services Root Certificate Authority-G2, so a client that trusts either Starfield root can also build a path to certificates issued under Amazon Root CA 1.

Certificates encrypt data

SSL or TLS encryption protects most data as it travels between clients and servers across a LAN or WAN. Amazon Trust Services uses certificate management to implement strong data security in the AWS public cloud.

An SSL certificate is a small data file that binds a cryptographic public key to a company's identifying information. A certificate vouches that the key genuinely belongs to that party and can be trusted. When a certificate is deployed, one end of the SSL link establishes its identity for the other end. But an IT team does not produce trusted certificates itself. A third-party certificate authority (CA), such as Amazon Trust Services, issues them: the CA signs the certificate with its own private key, tying the certificate to the CA's identity so that any client that trusts the CA can verify the certificate is genuine -- a process called signing the certificate.

Certificates present cost and management challenges to the business. Certificates are time-limited and typically expire every year, after which they must be renewed. A business also pays about $70 per certificate per year. IT staff must manually track and update certificates, which can be difficult and costly for a business with many secure websites to oversee.
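The signing, chain-of-trust and cross-signing described above, together with the expiry tracking this paragraph mentions, as an added example that is not code from the original article or from AWS. It is a POSIX shell script driving the openssl command line: it builds a constructed test chain (a root, a second root that cross-signs the same intermediate, and a leaf; every name such as Example Test Root CA A and www.example.test is made up), verifies the chain through each root, reports each certificate's signature hash and key size in the same terms as the root list above, checks whether the chain's root is one of the five Amazon Trust Services roots (the allowlist assumes the roots' common names match the names the article gives, with the Starfield root's CN written "Starfield Services Root Certificate Authority - G2"), and flags a certificate that falls inside a renewal window.

```shell
#!/bin/sh
# Added example, not code from the original article or from AWS: build a
# constructed chain with the openssl CLI, verify it, report each certificate's
# signature hash and key size, check the root against the Amazon Trust Services
# root names the article lists, and flag certificates nearing expiry.
# Every subject name below is a constructed test value.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for CA and leaf certificates (constructed for this example).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' >> leaf.ext

# csr <key> <subject> <out>: create a certificate signing request for an existing key.
csr() { openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null; }

# Root A: RSA 2048, self-signed with SHA-256 (the profile the article gives for Amazon Root CA 1).
openssl genrsa -out rootA.key 2048 2>/dev/null
csr rootA.key "/CN=Example Test Root CA A" rootA.csr
openssl x509 -req -in rootA.csr -signkey rootA.key -sha256 -days 30 -extfile ca.ext -out rootA.pem 2>/dev/null

# Root B: a second root that will cross-sign the intermediate, as Starfield does for Amazon's root.
openssl genrsa -out rootB.key 2048 2>/dev/null
csr rootB.key "/CN=Example Legacy Root CA B" rootB.csr
openssl x509 -req -in rootB.csr -signkey rootB.key -sha256 -days 30 -extfile ca.ext -out rootB.pem 2>/dev/null

# Intermediate: ECDSA P-384 key; the same CSR is signed by both roots, which is what cross-signing means.
openssl ecparam -name secp384r1 -genkey -noout -out inter.key
csr inter.key "/CN=Example Test Intermediate CA" inter.csr
openssl x509 -req -in inter.csr -CA rootA.pem -CAkey rootA.key -CAcreateserial -sha256 -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA rootB.pem -CAkey rootB.key -CAcreateserial -sha256 -days 30 -extfile ca.ext -out inter-cross.pem 2>/dev/null

# Leaf: ECDSA P-256 key, signed by the intermediate with SHA-256.
openssl ecparam -name prime256v1 -genkey -noout -out leaf.key
csr leaf.key "/CN=www.example.test" leaf.csr
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -sha256 -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# chain_ok <root> <intermediate> <leaf>: succeeds only if the leaf chains to the root through the intermediate.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# sig_alg <cert>: the algorithm the issuer signed with, e.g. sha256WithRSAEncryption or ecdsa-with-SHA256.
sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# key_bits <cert>: size of the subject public key in bits (2048 for RSA-2048, 256 for P-256).
key_bits() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1; }

# cn <cert>: the subject common name.
cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'; }

# root_is_ats <cert>: succeeds if the root's CN is one of the five Amazon Trust Services roots.
# Assumption: the CNs match the article's names; the Starfield CN is written "... Authority - G2".
root_is_ats() {
  case "$(cn "$1")" in
    "Amazon Root CA 1"|"Amazon Root CA 2"|"Amazon Root CA 3"|"Amazon Root CA 4"|"Starfield Services Root Certificate Authority - G2") return 0 ;;
    *) return 1 ;;
  esac
}

# expires_within <cert> <seconds>: succeeds if the certificate expires within that many seconds.
expires_within() { ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

# Walk the chain and report the profile of each certificate.
for c in rootA.pem inter.pem leaf.pem; do
  printf '%-10s CN=%-30s sig=%-24s key=%s bits\n' "$c" "$(cn "$c")" "$(sig_alg "$c")" "$(key_bits "$c")"
done
chain_ok rootA.pem inter.pem leaf.pem && echo "leaf chains to root A via inter.pem"
chain_ok rootB.pem inter-cross.pem leaf.pem && echo "leaf also chains to root B via the cross-signed inter-cross.pem"
chain_ok rootB.pem inter.pem leaf.pem || echo "inter.pem alone does not chain to root B: a client needs the cross-signed copy"
root_is_ats rootA.pem || echo "root A is not an Amazon Trust Services root: a pin to those roots would reject this chain"
expires_within leaf.pem $((45 * 86400)) && echo "leaf expires within 45 days: schedule renewal"
```

The two `chain_ok` calls against root B are the point of cross-signing: the intermediate's key and subject are identical in inter.pem and inter-cross.pem, only the issuer signature differs, so a client that trusts only root B still reaches the leaf provided the server sends the cross-signed copy. Running `root_is_ats` against a production chain is a cheap pinning check for services that should only ever terminate at an Amazon Trust Services root, and `expires_within` with a 30- or 45-day window is the kind of automated check that replaces the manual tracking the paragraph describes.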

This was last updated in May 2017
