New – Use your own TLS certificates with Amazon WorkLink
Amazon WorkLink is a fully managed service that gives your employees secure and straightforward access to internal corporate websites and web apps using their mobile phones. When signing up for Amazon WorkLink, you are required to associate your company domains. You can associate domains using the AWS Management Console, SDK, or AWS CLI.
AWS has heard from customers that using existing TLS certificates greatly simplifies their deployments. We are excited to announce that Amazon WorkLink now allows you to associate domains using TLS certificates secured with AWS Certificate Manager (ACM) in your account. This blog post describes this new feature and how you can take advantage of it when setting up Amazon WorkLink. For more information about getting started with Amazon WorkLink, see the Amazon WorkLink Administration Guide before following the steps in this post.
To follow the steps in this post, you need the following:
- An AWS account. For more information, see Sign up for AWS.
- An IAM user or role with AmazonWorkLinkFullAccess and AWSCertificateManagerFullAccess. permissions. For more information, see Create an IAM user.
- An Amazon WorkLink fleet. For more information, see Create a Fleet.
Securing TLS Certificates with AWS Certificate Manager
You can manage TLS certificates for your company domains with AWS Certificate Manager (ACM). With ACM, you can import your existing certificate or create a new certificate if you don’t already have one. ACM certificates used to associate domains with Amazon WorkLink must be created in the US East (N. Virginia) Region. You need an ACM certificate in the Issued state before you use the Amazon WorkLink console, SDK, or CLI to associate a company domain. For more information about ACM, see AWS Certificate Manager.
ACM certificates that can be used with Amazon WorkLink
You can use three types of certificates to associate domains with Amazon WorkLink. Single-domain certificates are used to secure one domain name or subdomain. For example, you may secure a certificate for corp.example.com. In that case, mail.example.com is not be secured with the same certificate. Multi-domain or Subject Alternative Name (SAN) certificates can secure multiple domain names. For example, you may use the same certificate to secure login.example.com and mail.corp.com. Wildcard certificates are used to secure several site names in the same domain. For example, a wildcard certificate for *.example.com secures mail.example.com, login.example.com, images.example.com, and any other subdomain of *.example.com.
Associating Domains with Amazon WorkLink using ACM Certificates
You can use Amazon WorkLink to enable access to any domain for which you own a TLS certificate. To associate a domain from the Amazon WorkLink console, go to the Fleets page, select a fleet, and choose View details.
- Choose Domains, Associate domain.
- Under Domain name, type the web address of the site that you want to secure with a TLS certificate.
- Under Display name, enter a user-friendly name that is unique to your AWS account and can be easily searched, and choose Next.
- Under Certificate, use the drop-down menu to find the ACM certificate for that domain. We automatically look up the certificate for your domain with ACM.
- Choose Submit.
In this post, we reviewed a new Amazon WorkLink feature that lets you associate company domains using TLS certificates managed with ACM in your own account. This update makes the signup process more efficient. You no longer are required to provide proof of ownership of company domains associated with Amazon WorkLink. Company domains already associated with Amazon WorkLink are not impacted by this change and remain available for your users.