Enabling TLS for Amazon ECS Service Connect
You enable traffic encryption when you create or update a Service Connect service.
To enable traffic encryption for a service in an existing namespace using the AWS Management Console

Note: There are additional IAM permissions required to issue certificates. Amazon ECS provides a managed resource trust policy that outlines the set of permissions. For more information about this policy, see AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity.

- Open the console at https://console.aws.amazon.com/ecs/v2.
- In the navigation pane, choose Namespaces.
- Choose the Namespace with the Service you'd like to enable traffic encryption for.
- Choose the Service you'd like to enable traffic encryption for.
- Choose Update Service in the top right corner and scroll down to the Service Connect section.
- Choose Turn on traffic encryption under your service information to enable TLS.
- For Service Connect TLS role, choose an existing role or create a new one.
- For Signer certificate authority, choose an existing certificate authority or create a new one.
- For Choose an AWS KMS key, choose an AWS owned and managed key or you can choose a different key. You can also choose to create a new one.
For an example of using the AWS CLI to configure TLS for your service, see Configuring Amazon ECS Service Connect with the AWS CLI.
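The three console fields above (TLS role, signer certificate authority, KMS key) map onto the `tls` object of a Service Connect service in the `serviceConnectConfiguration` passed to `update-service`. The following Python is an added example, not code from the AWS documentation: it builds that object and audits a configuration for services that are still unencrypted. The ARNs are constructed placeholders, and treating an omitted `kmsKey` as the AWS owned key is an assumption.

```python
"""Build and audit the Service Connect `tls` block (ECS ServiceConnectTlsConfiguration shape)."""
from typing import Optional

# Constructed placeholder ARNs; they do not refer to real resources.
ROLE_ARN = "arn:aws:iam::111122223333:role/ecsServiceConnectTlsRole"
PCA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-CA-ID"
KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def tls_block(role_arn: str, pca_arn: str, kms_key: Optional[str] = None) -> dict:
    """Return the `tls` object for one Service Connect service.

    role_arn -> console field "Service Connect TLS role"
    pca_arn  -> console field "Signer certificate authority" (AWS Private CA ARN)
    kms_key  -> console field "Choose an AWS KMS key"; assumed to be omitted
                when the AWS owned and managed key is used
    """
    block = {
        "issuerCertificateAuthority": {"awsPcaAuthorityArn": pca_arn},
        "roleArn": role_arn,
    }
    if kms_key:
        block["kmsKey"] = kms_key
    return block


def service_connect_configuration(namespace: str, port_name: str, tls: Optional[dict]) -> dict:
    """Return a serviceConnectConfiguration with a single service, optionally TLS-enabled."""
    service = {"portName": port_name, "discoveryName": port_name, "clientAliases": [{"port": 8080}]}
    if tls is not None:
        service["tls"] = tls
    return {"enabled": True, "namespace": namespace, "services": [service]}


def unencrypted_services(config: dict) -> list:
    """Return portNames of services whose tls block is missing or incomplete.

    A block counts as complete only when it names both the signer CA and the TLS role,
    which is the minimum the console collects before it turns on traffic encryption.
    """
    missing = []
    for svc in config.get("services", []):
        tls = svc.get("tls") or {}
        ca_arn = tls.get("issuerCertificateAuthority", {}).get("awsPcaAuthorityArn")
        if not (ca_arn and tls.get("roleArn")):
            missing.append(svc["portName"])
    return missing


if __name__ == "__main__":
    cfg = service_connect_configuration("example-namespace", "api", tls_block(ROLE_ARN, PCA_ARN, KMS_ARN))
    print("unencrypted services:", unencrypted_services(cfg))
```

Running `unencrypted_services` over the configurations returned by `describe-services` is a quick way to find Service Connect services in a namespace that were never switched to TLS.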