Configuring Amazon CA

To configure the Amazon CA
  1. Go to menu > KUBE+ > CLUSTER PKI > Certificate Authority
  2. Select Amazon from the left-side vendor list.
    The Amazon home page is displayed.
  3. To configure Amazon CA, click the ACM CA tab from the home page.
  4. Click Configure Now in the middle of the page, or the +Add icon at the top-right of the page.
    Note: The Configure Now option is displayed if you are configuring a CA for the first time.
    The Amazon configuration page is displayed.
  5. Enter/Select the following details in the General Information section:
    Table 1. General Information - Field Description Table
    Field Description
    *Account Type
      From the dropdown list, select one of the following account types:
      • Standalone (traditional access key- and secret key-based communication)
      • Cross or Federated (authentication using an assumed role)
    *Account Name
      Unique name for the certificate authority (CA) account, shown during certificate enrollment and policy creation
    *Account Number
      Valid AWS account number
    Account Description
      Additional information related to the CA account being configured
    *Purpose/Usage
      Certificate type for which CLM actions will be enabled. The available options are:
      • Server
      • Client
    Proxy Required
      Enable this field if the CA communication needs to happen via a proxy. The proxy details configured in General Settings are used for the communication.
    *Default Region
      Default region for API communication
    *Data Center (AppViewX's CA agent)
      Select the data center through which the CA communication needs to happen.
  6. Enter/Select the following Credentials-related information:
    Table 2. Credentials - Field Description Table
    Field Description
    Credential type*
      From the dropdown list, select the credential type:
      • Manual Entry: Manually enter the access key and secret key for the customer's AWS account.
    Access key*
      Enter the access key for the customer's AWS account.
      Note: This field is displayed only when Credential type is set to Manual Entry.
    Secret key*
      Enter the secret key for the customer's AWS account.
      Note: This field is displayed only when Credential type is set to Manual Entry.
  7. Enter/Select the following details in the Discover resources section:
    Table 3. Discover Resources - Field Description Table
    Field Description
    Role ARN for Resource Discovery*
      Note: This field is displayed only when Account Type is Cross or Federated.
      To let the master account assume a role in the child account (obtain temporary privileges to discover resources from the child account), configure the role ARN for resource discovery:
      1. Click .
      2. Enter the following details:
        Field Description
        Role Session name
          An identifier for the assumed role session. Use the Role Session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.
        Duration Seconds
          Enter the duration, in seconds, for which the credentials should remain valid.
          Acceptable durations for IAM user sessions:
          • Minimum: 900 seconds (15 minutes)
          • Maximum: 129,600 seconds (36 hours)
          • Default: 3600 seconds (1 hour)
        External Id
          A unique identifier that might be required when you assume a role in another account.
        Source Identity
          The source identity specified by the principal that calls the AssumeRole operation.
        Session Tags
          Key-value pairs that you pass when you assume an IAM role or federate a user in AWS STS.
          To create a session tag:
          1. In the Enter Key field, enter a key for the key-value pair.
          2. In the Enter Value field, enter a value for the key-value pair.
          3. Click Add.
          The added key-value pair is shown in the table below the fields.
    Service Region*
      To select a service region:
      1. Click Fetch Region to fetch the service regions for the account information provided.
        The retrieved service regions are populated in the Select the Region(s) dropdown list.
      2. From the Select the Region(s) dropdown list, select the required service region.
    Discover Certificate
      To enable instant certificate discovery at the time of device addition, select this checkbox.
    Cert Sync*
      Select one of the following options:
      • Managed: AppViewX connects to the customer's AWS account and discovers certificates. The certificates are added to the inventory, and users with the relevant permissions can then perform the required certificate-related actions.
      • Monitored: AppViewX connects to the customer's AWS account and discovers certificates. The certificates are added to the inventory, where users can only view them.
      • Ignored: AppViewX connects to the customer's AWS account, but certificate discovery is disabled.
    Auto Sync
      To enable/disable automatic schedule-based synchronization:
      1. For Auto Sync, select the Yes checkbox.
      2. For Schedule based discovery, use the two dropdown lists to select an interval. For example, to run the auto sync every 2 days, select 2 from the first dropdown list and Days from the second.
        By default, the auto sync interval is set to 1 Hours.
        Note: The Schedule based discovery dropdown lists are displayed only when Auto Sync is enabled.
    Route53 Zone Auto Approval
      To support DNS validation as an automatic process, enable this toggle.
      Important: If Route53 has been configured for any of the older Amazon Public CAs, ensure that the zones are manually updated after migration.
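The Role ARN for Resource Discovery fields above (Role Session name, Duration Seconds, External Id, Source Identity, Session Tags) map one-to-one onto the parameters of the STS AssumeRole call that the master account makes against the child account. The following is an added example, not AppViewX product code: it validates those parameters against the limits stated on this page and the STS input rules, assembles the AssumeRole request, and produces the trust policy the child-account role needs so that the ExternalId is actually enforced and session tags are permitted. The account numbers, role name, external ID and tag values are constructed placeholders, and the `build_assume_role_request` and `build_trust_policy` function names are this example's own.

```python
"""
Added example (not AppViewX product code): parameter validation and policy
generation for cross-account resource discovery via AssumeRole.
All account numbers, role names and tag values are constructed placeholders.
"""
import json
import re

# Duration limits as stated on this page for the Duration Seconds field; the
# role's own MaxSessionDuration in IAM further caps what STS will grant.
MIN_DURATION = 900
MAX_DURATION = 129_600
DEFAULT_DURATION = 3600

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")       # STS RoleSessionName rules
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")    # STS ExternalId rules


def build_assume_role_request(role_arn, session_name, duration=DEFAULT_DURATION,
                              external_id=None, source_identity=None, tags=None):
    """Return keyword arguments for an STS AssumeRole call, or raise ValueError.

    The dict can be passed as boto3 sts.assume_role(**request); the STS call
    itself is not made here so that the example runs offline.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of [A-Za-z0-9+=,.@_-]")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}")
    request = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration,
    }
    if external_id is not None:
        if not EXTERNAL_ID_RE.match(external_id):
            raise ValueError("ExternalId must be 2-1224 chars of [A-Za-z0-9+=,.@:/_-]")
        request["ExternalId"] = external_id
    if source_identity is not None:
        # SourceIdentity follows the same character and length rules as RoleSessionName.
        if not SESSION_NAME_RE.match(source_identity):
            raise ValueError("SourceIdentity must be 2-64 chars of [A-Za-z0-9+=,.@_-]")
        request["SourceIdentity"] = source_identity
    if tags:
        if len(tags) > 50:
            raise ValueError("STS allows at most 50 session tags")
        request["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return request


def build_trust_policy(master_account_id, external_id=None, allow_session_tags=False):
    """Trust policy for the child-account role that the master account assumes.

    The ExternalId is enforced with an sts:ExternalId condition, so only a caller
    that presents the value can assume the role; sts:TagSession must also be
    allowed when the caller passes session tags.
    """
    actions = ["sts:AssumeRole"]
    if allow_session_tags:
        actions.append("sts:TagSession")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
        "Action": actions,
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


# Read-only ACM permissions for certificate discovery, attached to the
# child-account role as a separate permissions policy (constructed example).
DISCOVERY_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["acm:ListCertificates", "acm:DescribeCertificate"],
        "Resource": "*",
    }],
}


if __name__ == "__main__":
    req = build_assume_role_request(
        "arn:aws:iam::222222222222:role/AppViewXDiscovery",  # placeholder child account
        "appviewx-discovery", duration=3600,
        external_id="EXAMPLE-EXTERNAL-ID",
        tags={"Purpose": "cert-discovery"},
    )
    print(json.dumps(req, indent=2))
    # 111111111111 is the placeholder master account
    print(json.dumps(build_trust_policy("111111111111", "EXAMPLE-EXTERNAL-ID", True), indent=2))
    print(json.dumps(DISCOVERY_PERMISSIONS, indent=2))
```

The trust policy is the part worth checking on the child-account side: the External Id entered in the form only protects the role if the trust policy carries the matching `sts:ExternalId` condition, and session tags entered in the form are rejected by STS unless the trust policy also allows `sts:TagSession`.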