AWS Certificate Manager


Last updated on December 26, 2025

AWS Certificate Manager Cheat Sheet

  • AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services. It removes the manual process of purchasing, uploading, and renewing certificates.
  • Public Certificates (Free): Secure public-facing websites (e.g., www.example.com). These are trusted by browsers by default.
  • Private Certificates (Paid): Secure internal resources (e.g., database servers, internal APIs, IoT devices) within a private network.
  • Auto-Renewal: ACM automatically renews certificates (both public and private) if they are in use by an integrated AWS service and configured correctly.

Features

  • Certificate Re-Import
    • ACM allows re-import of a certificate into the same ARN if the previous certificate is missing the ClientAuth EKU.
    • Addresses industry changes where certificate authorities no longer issue certificates with ClientAuth EKU.
  • TLS Web Client Authentication Updates
    • ACM now handles certificates with the TLS Web Client Authentication extension differently.
    • Example references to this extension have been removed to avoid confusion.
  • Exportable Public Certificates
    • ACM public certificates can now be exported for use outside integrated services.
  • HTTP Validation for CloudFront
    • ACM now supports HTTP validation for CloudFront distributions in addition to DNS and email validation.
  • Email Validation Deprecation
    • MX email validation is no longer supported.
    • WHOIS email verification is being deprecated and limited in favor of DNS validation.
  • Account-Level Best Practices
    • Policies should use account-level separation wherever possible.
    • Permissions can also be restricted using encryption context condition keys.
  • IAM Condition Key Support
    • ACM now supports IAM condition keys when requesting certificates.
    • See supported conditions in AWS documentation for details.
  • ECDSA & Key Algorithm Support
    • ACM now supports Elliptic Curve Digital Signature Algorithm (ECDSA) for public certificates.
    • Additional RSA and EC key algorithms are supported when importing certificates.
  • Monitoring & Logging Enhancements
    • Added CloudWatch metrics and events for certificate expiration, availability, and renewal action required.
    • Monitoring and logging moved to its own chapter, covering CloudWatch Metrics, CloudWatch Events/EventBridge, and CloudTrail.
  • Cross-Account Private CA Support
    • Private CAs can now be used cross-account for private certificate issuance.

Integration & Regionality

ACM is not a global service; it is regional. You must understand where to request your certificate based on the service you are using.

Integrated Services

You can deploy ACM certificates only to specific integrated services. You generally cannot install a public ACM certificate directly on a standalone EC2 instance (you would need to use a Load Balancer or export a private cert).

  • Elastic Load Balancing (ALB, NLB)
  • Amazon CloudFront
  • Amazon API Gateway
  • AWS Elastic Beanstalk
  • AWS CloudFormation
  • AWS Nitro Enclaves

The “CloudFront Rule” (Critical Exam Topic)

To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) us-east-1 region.

  • Why? CloudFront is a global service, and its certificate management is centralized in us-east-1.

Renewal Logic: Managed vs. Imported

Understanding who is responsible for renewal is the #1 troubleshooting topic for ACM.

  • Amazon-Issued (Public)
    • Renewal Type: Automatic
    • Responsibility: AWS. ACM automatically renews the certificate 60 days before expiration if it is associated with an integrated service (like an ALB).
  • Imported (3rd-Party)
    • Renewal Type: Manual
    • Responsibility: You. ACM cannot renew certificates you imported yourself (e.g., from GoDaddy). You must monitor the expiration and manually import a new version.
  • AWS Private CA
    • Renewal Type: Automatic
    • Responsibility: AWS. ACM can automatically renew private certificates issued by a Private CA if they are used with integrated services.
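The two rules above (the CloudFront us-east-1 requirement and the managed-vs-manual renewal split) are easy to encode as a pre-flight check over the output of `aws acm describe-certificate`. The following is an added example, not code from the Tutorials Dojo page or from AWS: the records are constructed to mimic the `Certificate` object shape (`CertificateArn`, `Type`, `RenewalEligibility`, `InUseBy`, `NotAfter`), the ARNs and domains are placeholders, and the "not in use means no managed renewal" rule is taken from the cheat sheet as stated.

```python
"""Added example (not from the cheat sheet): triage ACM certificates by who must
renew them, and apply the CloudFront region rule as a pre-flight check.

Records mimic the shape of `aws acm describe-certificate` output; all sample
data below is constructed, not taken from a real account.
"""
from datetime import datetime, timezone, timedelta

CLOUDFRONT_REGION = "us-east-1"      # CloudFront only reads ACM certificates from this region
AUTO_RENEW_WINDOW_DAYS = 60          # ACM begins managed renewal 60 days before expiry


def arn_region(arn):
    """Return the region field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":")
    if len(parts) < 6:
        raise ValueError(f"not an ARN: {arn}")
    return parts[3]


def cloudfront_region_ok(cert_arn):
    """True if the certificate lives in the one region CloudFront accepts."""
    return arn_region(cert_arn) == CLOUDFRONT_REGION


def triage(cert, now):
    """Classify one certificate record as (who_renews, action)."""
    days_left = (cert["NotAfter"] - now).days
    in_use_by = cert.get("InUseBy", [])
    uses_cloudfront = any(":cloudfront:" in r for r in in_use_by)

    if uses_cloudfront and not cloudfront_region_ok(cert["CertificateArn"]):
        # A cert in the wrong region cannot actually be attached to CloudFront;
        # this is the check to run before you try.
        return "YOU", "CloudFront requires the certificate in us-east-1"

    if cert["Type"] == "IMPORTED":
        # ACM never renews imported certificates: you must re-import a new one.
        if days_left <= AUTO_RENEW_WINDOW_DAYS:
            return "YOU", f"imported cert expires in {days_left} days: re-import"
        return "YOU", "ok"

    # AMAZON_ISSUED or PRIVATE: managed renewal, but only if eligible and in use.
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        return "YOU", "renewal ineligible: fix DNS validation or request a new cert"
    if not in_use_by:
        return "YOU", "not associated with an integrated service: ACM will not renew it"
    if days_left <= AUTO_RENEW_WINDOW_DAYS:
        return "AWS", f"in renewal window ({days_left} days left): verify RenewalSummary"
    return "AWS", "ok"


NOW = datetime(2025, 12, 26, tzinfo=timezone.utc)   # constructed "today"

SAMPLE_CERTS = [  # constructed records; ARNs and account id are placeholders
    {
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/aaaa-cf",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLE1"],
        "NotAfter": NOW + timedelta(days=300),
    },
    {
        "CertificateArn": "arn:aws:acm:us-west-1:111111111111:certificate/bbbb-alb",
        "DomainName": "origin.example.com",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "InUseBy": ["arn:aws:elasticloadbalancing:us-west-1:111111111111:loadbalancer/app/web/abc"],
        "NotAfter": NOW + timedelta(days=40),
    },
    {
        "CertificateArn": "arn:aws:acm:us-west-1:111111111111:certificate/cccc-imported",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
        "RenewalEligibility": "INELIGIBLE",
        "InUseBy": ["arn:aws:elasticloadbalancing:us-west-1:111111111111:loadbalancer/app/old/def"],
        "NotAfter": NOW + timedelta(days=25),
    },
    {
        "CertificateArn": "arn:aws:acm:us-west-1:111111111111:certificate/dddd-idle",
        "DomainName": "idle.example.com",
        "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "INELIGIBLE",
        "InUseBy": [],
        "NotAfter": NOW + timedelta(days=100),
    },
]


def report(certs, now=NOW):
    """Map each DomainName to its (who_renews, action) triage result."""
    return {c["DomainName"]: triage(c, now) for c in certs}


if __name__ == "__main__":
    for domain, (who, action) in report(SAMPLE_CERTS).items():
        print(f"{domain:22} {who:4} {action}")
```

In a real account you would feed `report()` the `Certificate` dicts returned by `describe_certificate` for each ARN from `list_certificates`; the imported certificate in the sample is the case that silently expires if nobody watches it, which is why it is flagged at the same 60-day mark ACM uses for its own renewals.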

Concepts

  • X.509 v3 Certificates: The standard format used.
  • Validity Period: Public ACM certificates are valid for 13 months (395 days).
    • Note: You cannot change this period for public certs.
  • Private Key Security:
    • Public Certs: You cannot download the private key. It is managed internally by AWS.
    • Private Certs: If exported from AWS Private CA, you can access the private key.
    • Encryption: ACM uses a unique, AWS-managed KMS key (alias aws/acm) to encrypt the private keys at rest.
  • Immutable Domains: You cannot add/remove domains from an existing certificate. You must request a new certificate with the updated list.
  • Deletion Rule: You cannot delete a certificate while it is in use by an AWS resource (e.g., attached to a Load Balancer). You must disassociate it first.

2024/2025 Deprecation Notice: As of August 2024, ACM has stopped cross-signing public certificates with the legacy Starfield Class 2 root. New certificates now chain to Starfield Services G2. This ensures compatibility with modern browsers (Chrome/Mozilla) which will distrust the old root in 2025.

Certificate Types & Pricing Models

  • Public Certificates (Standard)
    • Scope: Public internet-facing sites (e.g., www.google.com).
    • Cost: Free.
    • Renewal: Fully Managed/Automatic by ACM (if using DNS validation and the cert is in use).
    • Restriction: Can only be used with integrated AWS services (ALB, CloudFront, API Gateway). You cannot export these for use on an EC2 instance directly.
  • Imported Certificates
    • Scope: Using a 3rd-party cert (e.g., DigiCert, GoDaddy) on AWS resources.
    • Cost: Free to import.
    • Renewal: Manual. ACM cannot renew these. You are responsible for monitoring expiration and re-importing the new file.
  • AWS Private CA (Formerly ACM Private CA)
    • A paid service for creating a complete internal CA hierarchy (Root CA -> Subordinate CA).
    • Two Operating Modes (Critical Exam Distinction):
      • General-Purpose Mode
        • Use Case: Standard internal servers, VPNs, databases.
        • Cost: ~$400/mo per CA.
        • Validity: Any duration (e.g., 1 year).
      • Short-Lived Certificate Mode
        • Use Case: Containers (EKS/ECS), Service Mesh, high-volume ephemeral fleets.
        • Cost: ~$50/mo per CA.
        • Validity: 7 days or less.

Domain Validation Methods

Before issuing a public certificate, ACM must verify you own the domain.

  1. DNS Validation (Best Practice):
    • ACM provides a CNAME record to add to your DNS (Route 53 or external).
    • Benefit: Enables Automatic Renewal forever (as long as the CNAME record exists).
  2. Email Validation:
    • Sends an email to the registered domain contacts (WHOIS).
    • Drawback: Requires human action to click a link. WHOIS lookup support is being deprecated/limited in favor of DNS.
  3. HTTP Validation (Niche):
    • Only available for certificates issued specifically for Amazon CloudFront.
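Because DNS validation is the method that keeps auto-renewal working, the practical step is publishing the CNAME records ACM hands back in `DomainValidationOptions`. The block below is an added example, not code from the page or from AWS: it builds a Route 53 `ChangeBatch` from a constructed `DomainValidationOptions` list (record names and values are placeholders in the shape ACM returns) and lists the names whose validation is still pending. The hosted zone id in the usage comment is a placeholder.

```python
"""Added example (not from the cheat sheet): turn ACM DNS-validation records into
a Route 53 ChangeBatch and report which domains are still unvalidated.

`SAMPLE_OPTIONS` is constructed in the shape of `DomainValidationOptions` from
`aws acm describe-certificate`; tokens and domains are placeholders.
"""


def validation_changes(domain_validation_options, ttl=300):
    """Build a Route 53 ChangeBatch with one UPSERT CNAME per distinct validation record.

    ACM issues the same CNAME for example.com and *.example.com, so records are
    de-duplicated on (Name, Value); UPSERT keeps the call idempotent on re-runs.
    """
    seen = set()
    changes = []
    for opt in domain_validation_options:
        if opt.get("ValidationMethod") != "DNS":
            continue  # email- or HTTP-validated names have no DNS record to add
        rr = opt["ResourceRecord"]
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected record type {rr['Type']} for {opt['DomainName']}")
        key = (rr["Name"], rr["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def pending_domains(domain_validation_options):
    """Names ACM has not yet validated; renewal stalls while any of these remain."""
    return sorted(o["DomainName"] for o in domain_validation_options
                  if o.get("ValidationStatus") != "SUCCESS")


SAMPLE_OPTIONS = [  # constructed; token values are placeholders, not real ACM output
    {
        "DomainName": "example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
            "Name": "_1a2b3c.example.com.",
            "Type": "CNAME",
            "Value": "_9z8y7x.acm-validations.aws.",
        },
    },
    {   # wildcard shares the apex record: must not produce a second change
        "DomainName": "*.example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
            "Name": "_1a2b3c.example.com.",
            "Type": "CNAME",
            "Value": "_9z8y7x.acm-validations.aws.",
        },
    },
    {
        "DomainName": "api.example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {
            "Name": "_4d5e6f.api.example.com.",
            "Type": "CNAME",
            "Value": "_7w6v5u.acm-validations.aws.",
        },
    },
]


if __name__ == "__main__":
    import json
    print(json.dumps(validation_changes(SAMPLE_OPTIONS), indent=2))
    print("pending:", pending_domains(SAMPLE_OPTIONS))
    # Live usage (placeholder zone id), not executed here:
    # boto3.client("route53").change_resource_record_sets(
    #     HostedZoneId="ZPLACEHOLDER", ChangeBatch=validation_changes(options))
```

Leave the CNAME records in place after issuance: ACM re-checks them at every renewal, and deleting them is the usual reason a "fully managed" public certificate quietly becomes ineligible for renewal.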

AWS Certificate Manager Pricing

  • Public SSL/TLS: Free. You pay only for the resources you attach them to (e.g., the Load Balancer).
  • AWS Private CA: Paid.
    • Monthly Fee: ~$400 per CA (General Mode) or ~$50 per CA (Short-Lived Mode).
    • Per-Certificate Fee: Sliding scale (e.g., starting at $0.75/cert).
  • Imported Certificates: Free to import and manage.

Validate Your Knowledge

Question 1

A website is hosted in an Auto Scaling group of EC2 instances behind an Application Load Balancer in the US West (N. California) region. There is a new requirement to place a CloudFront distribution in front of the load balancer to improve the site’s latency and lower the load on the origin servers. The Security Engineer must implement HTTPS communication from the client to CloudFront and then from CloudFront to the load balancer. A custom domain name must be used for the distribution, and the SSL/TLS certificate should be generated from AWS Certificate Manager (ACM).

How many certificates should be generated by the Engineer in this scenario?

  1. Generate one certificate in the US West (N. California) region and one in the US East (Virginia) region.
  2. Generate two certificates in the US West (N. California) region.
  3. Generate one certificate in the US West (N. California) region.
  4. Generate one certificate in the US West (N. California) region and use the CloudFront default certificate in the US East (Virginia) region.

Correct Answer: 1

CloudFront assigns a default domain name to your distribution, for example, d111111abcdef8.cloudfront.net. If you use this domain name, then you can use the CloudFront default SSL/TLS certificate already selected for your distribution. If you use a different domain name for your distribution, it’s a best practice to do one of the following to avoid domain name-related certificate warnings:

  • Request a public certificate from AWS Certificate Manager.
  • Import certificates into AWS Certificate Manager.

To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

If you want to require HTTPS between viewers and CloudFront, you must change the AWS region to US East (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate. If you want to require HTTPS between CloudFront and your origin and you’re using an ELB load balancer as your origin, you can request or import a certificate in any region.

Hence, the correct answer is: Generate one certificate in the US West (N. California) region and one in the US East (Virginia) region.

The option that says: Generate two certificates in the US West (N. California) region is incorrect because you only need one certificate in the US West (N. California) region for the HTTPS connection between CloudFront and your origin (ELB). The second one should be a certificate in the US East (Virginia) region to handle HTTPS between your viewers and the CloudFront distribution.

The option that says: Generate one certificate in the US West (N. California) region is incorrect because a single certificate is not enough. You can’t use a certificate generated in US West for your CloudFront distribution. You have to generate and use another one in the US East (Virginia) region.

The option that says: Generate one certificate in the US West (N. California) region and use the CloudFront default certificate in the US East (Virginia) region is incorrect because the scenario clearly says that you have to use a custom domain name for your distribution, and not the default one. Hence, you have to use a certificate generated from, or imported to, ACM.

References:
  https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
  https://aws.amazon.com/certificate-manager/faqs/?nc=sn&loc=5
  https://aws.amazon.com/premiumsupport/knowledge-center/install-ssl-cloudfront/

SNI Custom SSL vs Dedicated IP Custom SSL:
  https://tutorialsdojo.com/sni-custom-ssl-vs-dedicated-ip-custom-ssl/
AWS Certificate Manager Cheat Sheet References:
  https://aws.amazon.com/certificate-manager/
  https://aws.amazon.com/certificate-manager/faqs/
  https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
  https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and has been an active AWS Community Builder since 2020.