Multi-Cloud Certificate Discovery: AWS, Azure, and GCP

The Multi-Cloud Certificate Challenge

Modern enterprises increasingly adopt multi-cloud strategies, deploying workloads across AWS, Azure, and GCP. This creates significant challenges for certificate management:

• Fragmented visibility: Certificates scattered across cloud providers
• Different tools: Each cloud has its own certificate management service
• Inconsistent policies: Varying configurations across environments
• Compliance gaps: Difficulty maintaining unified compliance posture

Why Certificate Discovery Matters

Without comprehensive discovery, organizations face:

• Unknown certificate exposures
• Surprise expirations and outages
• Compliance audit failures
• Security blind spots

AWS Certificate Discovery

AWS Certificate Manager (ACM)

ACM manages certificates for AWS services:

# List all ACM certificates
aws acm list-certificates --region us-east-1

# Get certificate details
aws acm describe-certificate --certificate-arn arn:aws:acm:...

AWS Services with Certificates

Discover certificates in:

• Elastic Load Balancers: ALB, NLB, Classic LB
• CloudFront: CDN distributions
• API Gateway: Custom domain certificates
• Elastic Beanstalk: Application certificates
• EC2 Instances: Custom-deployed certificates

EC2 Instance Certificate Scanning

For certificates on EC2 instances:

1. Deploy TigerTrust Agent to instances
2. Scan common certificate locations
3. Monitor certificate file changes
4. Report to central management

AWS Integration Methods

import boto3

def discover_acm_certificates(region):
    acm = boto3.client('acm', region_name=region)
    certificates = []

    paginator = acm.get_paginator('list_certificates')
    for page in paginator.paginate():
        for cert in page['CertificateSummaryList']:
            details = acm.describe_certificate(
                CertificateArn=cert['CertificateArn']
            )
            certificates.append(details['Certificate'])

    return certificates

Azure Certificate Discovery

Azure Key Vault

Centralized secret and certificate management:

# List certificates in Key Vault
az keyvault certificate list --vault-name myVault

# Get certificate details
az keyvault certificate show --vault-name myVault --name myCert

Azure Services with Certificates

Discover certificates in:

• App Service: Custom SSL bindings
• Application Gateway: HTTPS listeners
• Azure Front Door: Custom domains
• Azure CDN: Custom HTTPS
• Azure API Management: Custom domains

Azure Integration

from azure.identity import DefaultAzureCredential
from azure.keyvault.certificates import CertificateClient

def discover_keyvault_certificates(vault_url):
    credential = DefaultAzureCredential()
    client = CertificateClient(vault_url, credential)

    certificates = []
    for cert in client.list_properties_of_certificates():
        cert_details = client.get_certificate(cert.name)
        certificates.append({
            'name': cert.name,
            'expires': cert_details.properties.expires_on,
            'thumbprint': cert_details.properties.x509_thumbprint
        })

    return certificates

GCP Certificate Discovery

Google Cloud Certificate Manager

# List certificates
gcloud certificate-manager certificates list

# Describe certificate
gcloud certificate-manager certificates describe CERT_NAME

GCP Services with Certificates

Discover certificates in:

• Cloud Load Balancing: HTTPS load balancers
• Cloud Run: Custom domains
• GKE Ingress: Kubernetes ingress certificates
• Compute Engine: VM instance certificates
• Cloud Functions: Custom domain certificates

GCP Integration

from google.cloud import compute_v1

def discover_gcp_ssl_certificates(project_id):
    client = compute_v1.SslCertificatesClient()

    certificates = []
    for cert in client.list(project=project_id):
        certificates.append({
            'name': cert.name,
            'domains': cert.subject_alternative_names,
            'expires': cert.expire_time,
            'type': cert.type_
        })

    return certificates

Unified Multi-Cloud Discovery

Architecture for Multi-Cloud CLM

A comprehensive multi-cloud certificate discovery solution should include:

1. Cloud Connectors: Native integrations with each cloud provider
2. Agent Deployment: Lightweight agents for VM-level discovery
3. API Integration: Direct API access for managed services
4. Centralized Dashboard: Unified view across all clouds
5. Continuous Scanning: Regular discovery sweeps

Implementation Strategy

Phase 1: Connect Cloud Accounts

1. Configure AWS credentials (IAM roles recommended)
2. Set up Azure service principals
3. Create GCP service accounts
4. Validate connectivity and permissions

Phase 2: Initial Discovery

1. Run comprehensive scan across all clouds
2. Import discovered certificates
3. Identify owners and assign responsibility
4. Categorize by criticality

Phase 3: Continuous Monitoring

1. Schedule periodic discovery scans
2. Detect new certificates automatically
3. Track certificate changes
4. Alert on new discoveries

Cross-Cloud Certificate Policies

Implement consistent policies across clouds:

• Naming conventions: Standardize certificate naming
• Key requirements: Minimum key sizes, algorithms
• Validity periods: Maximum certificate lifetimes
• Renewal thresholds: When to trigger renewal alerts

Advanced Discovery Techniques

Network-Based Discovery

Complement cloud API discovery with network scanning:

• SSL/TLS port scanning across cloud VPCs
• Certificate chain analysis
• Protocol version detection
• Cipher suite enumeration

Container Environment Discovery

For containerized workloads:

• Kubernetes secret scanning
• Service mesh certificate extraction
• Container image certificate detection
• Runtime certificate monitoring

CI/CD Pipeline Integration

Discover certificates in deployment pipelines:

• Scan infrastructure-as-code for certificate definitions
• Monitor certificate deployments through pipelines
• Validate certificates before production deployment

Reporting and Compliance

Multi-Cloud Certificate Inventory

Generate comprehensive reports:

• Certificate inventory by cloud provider
• Expiration timeline across all clouds
• Compliance status per environment
• Risk assessment and prioritization

Compliance Mapping

Map certificates to compliance requirements:

• PCI DSS scope and controls
• SOC 2 certificate management
• GDPR data protection certificates
• Industry-specific requirements

Conclusion

Multi-cloud certificate discovery is essential for modern enterprise security. By implementing comprehensive discovery across AWS, Azure, and GCP, organizations can gain complete visibility into their certificate landscape, prevent outages, and maintain compliance.

TigerTrust provides enterprise-grade multi-cloud certificate discovery with native integrations for all major cloud providers, unified dashboard visibility, and automated continuous monitoring.