Commit d9273f6

Merge pull request #232 from NHSDigital/cert-expiry-mgmt
Prefer auto-renew certs where appropriate
2 parents 54b9b4e + 9ccba7a commit d9273f6

2 files changed: +3, -0 lines changed

patterns/outsource-bottom-up.md

Lines changed: 2 additions & 0 deletions
@@ -25,6 +25,8 @@ Use managed services where available and appropriate. The aim is to reduce opera
2525
* TO DO: close discussion about whether containers are still preferable in some use-cases
2626
* For data persistence prefer (where there are no other differentiating factors) pay per request options (e.g. Amazon DynamoDB, S3) to pay per time choices (e.g. Amazon Aurora or RDS).
2727
* In general, prefer solutions which do not involve managing VMs if possible, and ideally where there is no explicit configuration of a network (e.g. subnets, internet gateways, NAT gateways) — compare AWS Lambda which needs no network with AWS Fargate which does.
28+
* Where possible, outsource the management (including renewal) of certificates (e.g. via [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/))
29+
* Where that isn't possible, still prefer outsourcing the management of alerting for certificate expiry (see [observability](../practices/observability.md))
2830

2931
## Cloud native vs cloud agnostic
3032

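Review bot: the second new bullet (line 29 of the new file) points readers to observability.md for "outsourcing the management of alerting for certificate expiry", but the guidance there (visible in the second hunk of this commit) is the self-hosted acm-cert-monitor lambda and Terraform stack, which is the team running its own alerting rather than outsourcing it. Either name the managed option you have in mind or reword to "prefer managed alerting for certificate expiry where available". It would also help to qualify "including renewal" in the first new bullet with the conditions under which the managed service actually performs the renewal, since the next bullet already concedes this is not always possible. Minor: both new bullets lack the trailing full stop used by the surrounding bullets (lines 26 and 27).
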
practices/observability.md

Lines changed: 1 addition & 0 deletions
@@ -38,6 +38,7 @@
3838
* Tracing can be implemented using cloud platform-native tools like [AWS X-Ray](https://aws.amazon.com/xray/) or open source equivalents such as [OpenTracing](https://opentracing.io/docs/overview/what-is-tracing/). APM tools mentioned elsewhere also typically include tracing functionality.
3939
* More **things to monitor**.
4040
* Monitor (and generate alerts for) the expiry dates of the SSL certificates within the service. See [acm-cert-monitor](../tools/acm-cert-monitor/) for an example lambda and Terraform stack to monitor your AWS ACM certificates.
41+
* Or, even better, outsource certificate management completely (see [outsource from the bottom up](../patterns/outsource-bottom-up.md))
4142
* Subscribe to service alerts from your cloud vendors, e.g. the service-status RSS feeds for [AWS](https://status.aws.amazon.com) and [Azure](https://status.azure.com/status/).
4243
* Ensure you have reporting and alerting for the health of any services/components your service relies on, e.g. shared network connections or shared authentication services.
4344
* **Secret / sensitive data**.
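Review bot: the new bullet at line 41 ("Or, even better, outsource certificate management completely") reads as an alternative to the bullet above it, which still tells readers to monitor and alert on expiry of their ACM certificates via acm-cert-monitor. Make the relationship explicit: outsourcing management is the first choice, and expiry monitoring remains worthwhile even then, because a certificate that a managed service fails to renew still expires. Consider reordering so the managed option comes first and the lambda is presented as the fallback, matching the ordering used in the outsource-bottom-up.md hunk of this same commit. Minor: the new bullet is missing the trailing full stop the neighbouring bullets have.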
