Here’s how I’d do it: When going to AWS (or a generic cloud), part of the cost and risk management is to use native services as much as possible. So I’d use ELB or ALB for load balancing and Certificate Manager (CM) to store certs. This is the simple part.
Then, upgrading the cert at CM — I’d forget the instances. It’s something you don’t do very often (unless you’ve got plenty of certs). So having an idle EC2 instance is a waste of time, resources and money, and adds additional risks.
So what would I do? A combination of Lambda, ECS Fargate and S3. Lambda is triggered once per month or so. It starts the container which does the upgrade. S3 is the persistent storage. This way there wouldn’t be any unnecessary instances, any unnecessary resources, etc.
If the certs must be installed on EC2 instances, the main part of the upgrade is still the same. The instance has a cron job which checks regularly whether there is a new cert for it, and if there is, installs it.
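One way to implement the instance-side cron step from that last paragraph, as an added example that is not the poster's code: the S3 download and the service reload are passed in as callables so the install logic runs offline, and the cert only replaces the deployed one when its fingerprint differs and the reload succeeds, otherwise it is rolled back. The cert path, the 0644 file mode and the fake PEM bodies in `demo()` are assumptions or constructed values; the private key file and the Lambda/Fargate side are out of scope.

```python
import hashlib
import os
import ssl
import tempfile

CERT_PATH = "/etc/ssl/app/server.pem"  # assumed file layout, not from the post

def cert_fingerprint(pem):
    """SHA-256 over the DER body; raises ValueError if the input is not PEM."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def atomic_write(path, data, mode=0o644):
    """Temp file in the target dir, fsync, rename: readers never see a torn cert."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".cert-")
    with os.fdopen(fd, "w") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.chmod(tmp, mode)
    os.replace(tmp, path)

def install_if_new(fetch, reload, cert_path=CERT_PATH):
    """One cron run. fetch() returns the candidate PEM (in production: the S3
    object); reload() reloads the service and returns True on success.
    Returns 'unchanged', 'installed' or 'rolled-back'."""
    candidate = fetch()
    new_fp = cert_fingerprint(candidate)  # fail closed on a garbled object
    old = open(cert_path).read() if os.path.exists(cert_path) else None
    if old is not None and cert_fingerprint(old) == new_fp:
        return "unchanged"
    atomic_write(cert_path, candidate)
    if reload():
        return "installed"
    # The service rejected the new cert: restore the previous one and reload.
    if old is None:
        os.unlink(cert_path)
    else:
        atomic_write(cert_path, old)
    reload()
    return "rolled-back"

def demo():
    """Constructed scenario in a temp dir with fake PEM bodies, not real certs."""
    pem_a = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"
    pem_b = "-----BEGIN CERTIFICATE-----\nd29ybGQ=\n-----END CERTIFICATE-----\n"
    path = os.path.join(tempfile.mkdtemp(), "server.pem")
    return [install_if_new(lambda: pem_a, lambda: True, path),   # first deploy
            install_if_new(lambda: pem_a, lambda: True, path),   # nothing new
            install_if_new(lambda: pem_b, lambda: False, path),  # reload fails
            open(path).read() == pem_a]                          # old cert kept
```

In a real deployment `fetch` would download the object from the S3 bucket the container writes to and `reload` would run something like `systemctl reload <service>`; `demo()` returns `['installed', 'unchanged', 'rolled-back', True]`.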