Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Workspaces with trusted device by AWS Private CA

0

Customer want to deploy a "secure" AWS workspaces by only trust "specific device" within their office environment. Based on the following link, we can use "certificate" to trust the device. While based on AWS CA hierarchy best practice, we should have at least two tier CA (root + subordinate).

https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html https://docs.aws.amazon.com/acm-pca/latest/userguide/ca-hierarchy.html

Thus, we have two questions:

  1. Can we only use "single" root CA to issue certificate for Workspace users? (i.e. no subordinate CA in the design)

  2. Although "Root + subordinate" CA provide better security, each AWS private CA costs US$400. Under this situation, should we charge 2 x $400 for two CA even it is under the "same" hierarchy?

Temas
Computación de usuario finalSeguridad, identidad y cumplimiento
Etiquetas
Amazon WorkSpacesAWS Certificate Manager
Idioma
English
AWS
Samuel
preguntada hace 4 años565 visualizaciones
1 Respuesta
0
Respuesta aceptada

  1. Yes. Designing a CA hierarchy (as you mention) is following security best practices. but still, you can choose to have just one PCA in place for this project. As usual, customer is responsable for taking these decisions, knowing and accepting the risks.

  2. ACM-PCA pricing is based per PCA. So yes again, if you have a Root + Subordinate you will have to pay for both, regardless if they are or are not under same hierarchy.

AWS
EXPERTO
Rodrigo@AWS
respondido hace 4 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante