Share domain and SSL certificate within member accounts in an organization


I am not finding much information on how to share some resources within an organization. The Resource Access Management does not seem to have domains, hosted zones or SSL certificates amongst its resources. So my question is: Is it possible to share domain and SSL certificate within accounts in an organization?

Suppose I have an account 019735371715 which is the managing account of an organization. In this account I've purchased the Route 53 domain foo.io. In this account I also have a hosted zone associated to foo.io and an SSL certificate (in Certificate Manager) associated to foo.io and *.foo.io.

I have created some member accounts within the organization from my managing account: ***804 and ***753

I want to treat these accounts as "environments" for my product, so I want ***804 to have resources accessible through an API Gateway and the subdomain test.foo.io, and I want ***753 to have resources accessible through an API Gateway and no subdomain, so foo.io.

That means that when creating resources in those member accounts I need to use the domain purchased by the managing account and, possibly, the hosted zone and the SSL certificate.

Is this possible? How would I do that? Can I do that and have each member account have its own API Gateway and DNS records?

1 Answer

You cannot share domains or certificates across accounts, nor certificates across regions. This is more of an architecture design.

Two ways to deal with this:

Option 1

  1. What you need to do is create the ACM certificate in the member accounts.
  2. Then create the CNAME records in the account which has the hosted zone so that ACM can validate and issue the certs in the member accounts.
  3. The cert is issued in the member account and you can tie your resources to the cert.
  4. If you need any records creating, you create them in the account which hosts the Route 53 zone.

Option 2

  1. Use subdomains for each account.
  2. Your top domain would be example.com.
  3. You create a subdomain in member account 1 called sub-domain1.example.com.
  4. Create NS records in the example.com zone for sub-domain1.example.com.
  5. You request all your certs in this member account and create the DNS records in this account in the subdomain zone.

Either way, yes, you can have each member account have its own resources such as an ALB, API Gateway, etc.

Note: You can grant access to resolve private zones between VPCs.

EXPERT
answered 9 months ago
EXPERT
reviewed 9 months ago
  • I agree with this answer. Certificates issued by ACM are account-specific resources. Therefore, if the resource using the certificate is under a different account, please issue the certificate under the same account. https://repost.aws/knowledge-center/acm-export-certificate

  • Thanks for the info. I have a question with option 2. I know I can create a public hosted zone for example.com in a member account (which creates NS and SOA records) and issue a certificate associated to sub-domain1.example.com (which requires creating a CNAME record also). But this certificate stays in pending validation. How does AWS know I own the example.com domain if anyone is able to create a hosted zone for that domain in any account?

    Does that mean that, in addition to creating CNAME record in each public hosted zone in the member accounts, I need to also create it in the managing account's hosted zone which owns the domain?

  • Anyone can create any domain in their AWS account. It's the same as hosting your own DNS server on the internet with any domain name. This is not an AWS thing. You can create a gmail.com domain if you want, etc. The only way the DNS zone works is when you update the registrar glue records to point to the correct name servers for name resolution.

  • You can host the top-level domain DNS zone anywhere. It doesn't have to be AWS. You don't have to use AWS for DNS either. It doesn't have to be in the management account.
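The following is an added example, not code from the thread or from AWS; it turns the answer's two options and the follow-up about the certificate stuck in pending validation into something you can run. It builds the Route 53 change batches for Option 1 (publish the ACM validation CNAME in the account that hosts the zone) and Option 2 (NS records in the parent zone that delegate a subdomain to a member account), and a small helper that answers the commenter's question: a validation CNAME only helps if it lives in a zone that is actually authoritative, so until the subdomain is delegated, the CNAME must go into the parent zone in the DNS-owning account. The profile names `dns-account` and `member-account`, the certificate ARN, the `_abc123`/`_xyz789` validation names and the name-server values are all constructed sample data; `boto3` is assumed installed and only imported when a live change is submitted.

```python
"""Cross-account ACM validation and subdomain delegation helpers (added example)."""

# Constructed sample of `acm describe-certificate` output for a certificate that
# covers test.example.com and *.test.example.com. ACM issues one and the same
# validation CNAME for a name and its wildcard, so both entries carry it.
_VALIDATION_RECORD = {"Name": "_abc123.test.example.com.", "Type": "CNAME",
                      "Value": "_xyz789.acm-validations.aws."}
SAMPLE_DESCRIBE_CERTIFICATE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/EXAMPLE-ID",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "test.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": dict(_VALIDATION_RECORD)},
        {"DomainName": "*.test.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": dict(_VALIDATION_RECORD)},
    ],
}}


def _fqdn(name):
    """Normalise a DNS name to the lower-case, trailing-dot form Route 53 uses."""
    return name.rstrip(".").lower() + "."


def validation_change_batch(describe_output, ttl=300):
    """Option 1: ChangeBatch that publishes ACM's DNS validation records.

    Duplicate (name, value) pairs are collapsed, because Route 53 rejects a
    batch that touches the same record set twice (apex + wildcard share one).
    """
    cert = describe_output["Certificate"]
    seen, changes = set(), []
    for option in cert["DomainValidationOptions"]:
        record = option.get("ResourceRecord")
        if not record:  # e-mail validated entries carry no ResourceRecord
            continue
        key = (_fqdn(record["Name"]), record["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": key[0], "Type": record["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": record["Value"]}]}})
    return {"Comment": "ACM validation for " + cert["CertificateArn"],
            "Changes": changes}


def delegation_change_batch(subdomain, name_servers, ttl=172800):
    """Option 2: NS record set for the parent zone that delegates `subdomain`
    to the member account's hosted zone (`name_servers` is that zone's NS set)."""
    return {"Comment": "delegate " + _fqdn(subdomain), "Changes": [{
        "Action": "UPSERT", "ResourceRecordSet": {
            "Name": _fqdn(subdomain), "Type": "NS", "TTL": ttl,
            "ResourceRecords": [{"Value": _fqdn(ns)} for ns in name_servers]}}]}


def authoritative_zone(record_name, zones):
    """Return the hosted zone in which `record_name` must be created so that
    public resolvers actually see it.

    `zones` maps zone name -> {"account": ..., "delegated": bool}. A zone that
    merely exists in some account is not authoritative: it has to be the
    registered apex or be delegated by NS records in its parent. The deepest
    authoritative zone that is a suffix of the record name wins.
    """
    name = _fqdn(record_name)
    candidates = [_fqdn(z) for z, info in zones.items() if info["delegated"]
                  and (name == _fqdn(z) or name.endswith("." + _fqdn(z)))]
    if not candidates:
        raise ValueError("no authoritative zone covers " + name)
    return max(candidates, key=len)


def apply_change_batch(profile, hosted_zone_id, change_batch):
    """Submit a batch with boto3 (assumed installed, profile assumed configured).
    Returns the ChangeInfo dict that change_resource_record_sets returns."""
    import boto3  # imported lazily so the helpers above work without it
    route53 = boto3.Session(profile_name=profile).client("route53")
    return route53.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=change_batch)["ChangeInfo"]


if __name__ == "__main__":
    import json
    # Constructed state: the subdomain zone exists in the member account but
    # has not been delegated yet, which is exactly the "pending validation" case.
    zones = {"example.com.": {"account": "dns-account", "delegated": True},
             "test.example.com.": {"account": "member-account", "delegated": False}}
    batch = validation_change_batch(SAMPLE_DESCRIBE_CERTIFICATE)
    target = authoritative_zone(batch["Changes"][0]["ResourceRecordSet"]["Name"], zones)
    print("validation CNAME belongs in", target, "in profile", zones[target]["account"])
    print(json.dumps(batch, indent=2))
    print(json.dumps(delegation_change_batch(
        "sub-domain1.example.com", ["ns-1.awsdns-00.org", "ns-2.awsdns-01.net"]), indent=2))
```

To go live, pass the batch to `apply_change_batch("dns-account", "<parent-zone-id>", batch)` for Option 1, or submit the delegation batch to the parent zone and then request the certificate and publish its CNAME in the member account's own zone for Option 2; either way, ACM moves out of pending validation only after the record resolves from the public DNS path.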
