Adding encryption to a website has always been more complex than it ought to be, but yesterday Amazon announced a way to simplify the process for AWS users.
AWS Certificate Manager automates the registration and renewal of SSL/TLS certificates for AWS Elastic Load Balancers and Amazon CloudFront distributions. There are no charges incurred by using AWS Certificate Manager itself, and the certificates cost nothing. Also, as with Amazon's other encryption management products, it provides a single point of storage for SSL/TLS certificates used on AWS.
Previously, deploying SSL/TLS encrypted sites on AWS meant the certificates used on the sites had to be managed manually -- a process so complex that even Microsoft, Yahoo, and Google sometimes forget to renew a certificate, with potentially disastrous results.
Amazon's solution stands apart from projects like Let's Encrypt, which also provides Web encryption certificates for free. Let's Encrypt's goal is to allow easy deployment of certificates on Web servers, so the process of keeping certificates current is no more complicated than running a scheduled task.
In contrast to Let's Encrypt, AWS Certificate Manager doesn't actually deploy certificates to AWS-hosted servers. Instead, the services to which it deploys -- AWS Elastic Load Balancers and Amazon CloudFront distributions -- support SSL offload. EC2 instances that need SSL/TLS are placed behind or proxied with those services, and the actual encryption is offloaded to the load balancer or CloudFront.
This makes sense for Amazon's larger customers, since it's far easier to manage a single front-end SSL instance than a slew of back-end instances. Amazon also claims this process means individual EC2 instances have to do less encryption and decryption work, although the main burden with SSL/TLS isn't CPU load, but connection latency. Those customers running EC2 instances not front-ended with a load balancer or CloudFront may be best off with a service like Let's Encrypt, where they can obtain certificates for free and keep them automatically updated.
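As an added illustration of the offload arrangement described above (this is example configuration written for this article, not Amazon's own code), the CloudFormation template below requests a certificate from ACM and binds it to a classic Elastic Load Balancer listener: TLS terminates at the load balancer and the EC2 instances behind it only ever see plain HTTP on port 80. The domain name, VPC and subnet values are placeholders, and DNS validation is assumed, which ACM added after this article was written (the launch supported only e-mail validation).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DomainName:
    Type: String
    Default: www.example.com          # placeholder: a domain you control
  Subnets:
    Type: List<AWS::EC2::Subnet::Id>  # placeholder subnet IDs
  VpcId:
    Type: AWS::EC2::VPC::Id           # placeholder VPC ID

Resources:
  SiteCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      # ACM renews the certificate itself as long as validation keeps succeeding
      ValidationMethod: DNS

  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Accept HTTPS from the internet; nothing else
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  WebLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Subnets: !Ref Subnets
      SecurityGroups:
        - !Ref LoadBalancerSecurityGroup
      Listeners:
        - LoadBalancerPort: 443
          Protocol: HTTPS
          SSLCertificateId: !Ref SiteCertificate   # Ref yields the ACM certificate ARN
          InstancePort: 80                          # instances receive plain HTTP
          InstanceProtocol: HTTP
          PolicyNames:
            - ModernTlsPolicy
      Policies:
        - PolicyName: ModernTlsPolicy
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            - Name: Reference-Security-Policy
              Value: ELBSecurityPolicy-TLS-1-2-2017-01   # predefined TLS 1.2-only policy
```

Because the private key never leaves ACM and the instances are reachable only through the load balancer, the instance security group should admit port 80 solely from LoadBalancerSecurityGroup; a CloudFront distribution can use the same certificate, but only if it is issued in the US East region.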
Certificate Manager is currently available in only one region -- the Eastern United States -- but other regions will come online later. Plans are also in the works to add Certificate Manager support to "other AWS services and for other types of domain validation."