AWS Certificate Manager (ACM)¶

What Is This Service?¶

AWS Certificate Manager (ACM) provisions, deploys, manages, renews, and protects TLS/SSL certificates for AWS-integrated services.

Mental model:
ACM = managed certificate lifecycle + AWS-integrated TLS control plane.

ACM removes operational burden around:

Certificate issuance
Validation
Rotation
Renewal
Secure key handling

ACM is not a full enterprise PKI by itself.

Why It Matters for Security¶

Certificates provide:

Encryption (TLS)
Service identity
Authentication
Secure application delivery
Zero-trust trust chains
Mutual TLS (mTLS)

Security outcomes:

Prevent certificate expiration outages
Reduce private key exposure
Centralize trust management
Automate certificate operations
Support internal and external trust

Typical use cases:

HTTPS for ALB
CloudFront edge TLS
API Gateway custom domains
Internal PKI
Service-to-service mTLS
Private enterprise certificates

Core Concepts¶

Public Certificates¶

ACM can issue browser-trusted public certificates.

Characteristics:

Publicly trusted
Free
Automatic renewal
Domain validation required

Supported validation:

DNS validation (recommended)
Email validation

Common pattern:

User
 ↓
CloudFront / ALB
 ↓
ACM Public Certificate

Private Certificates¶

Private certificates require:

AWS Private CA

Characteristics:

Internal trust
Enterprise PKI
Internal APIs
Service authentication

Pattern:

Private CA
     ↓
ACM
     ↓
Internal Services

Certificate Validation¶

ACM verifies domain ownership.

Methods:

DNS Validation (Preferred)¶

ACM provides CNAME.

Benefits:

Fully automated
Supports automatic renewal
Infrastructure-as-code friendly

Exam preference:

DNS > Email

Email Validation¶

Validation sent to:

admin@
administrator@
hostmaster@
webmaster@
postmaster@

Requires manual approval.

Operationally weaker.

Validation Window (HIGH VALUE)¶

Validation requests remain active for:

72 hours

If validation fails:

Status → Timed Out

Must request a new certificate.

Exam trap:

Validation timeout does not retry indefinitely.

Managed Renewal¶

ACM automatically renews certificates.

Requirements:

Certificate actively used
Validation still valid

Exam trap:

Imported certificates do not auto-renew.

Imported Certificates¶

Upload external certificates.

Use cases:

Corporate PKI
Existing CA

Limitations:

Customer renews
Customer manages lifecycle

Certificate Export¶

Public ACM certificates:

❌ Private keys not exportable

Private CA certificates:

✔ Export supported

Important Integrations¶

Elastic Load Balancing (ALB / NLB)¶

Supports:

HTTPS listeners
TLS listeners

ALB:

SNI
Multiple certificates

NLB:

TLS termination

Amazon CloudFront¶

Uses ACM certificates.

Requirement:

Viewer Certificate → us-east-1

Most tested ACM trap.

Amazon API Gateway¶

Supports:

Custom domains
TLS
mTLS

AWS Private CA¶

Provides:

Internal CA hierarchy
Private trust

Frequently paired with ACM.

AWS Resource Access Manager (RAM)¶

Private CA sharing mechanism.

Pattern:

Security Account
     ↓
AWS RAM
     ↓
Organization Accounts
     ↓
Local ACM Requests

Exam nuance:

Developers request locally.

Certificates are signed centrally.

Amazon Route 53¶

Used for:

DNS validation
Automated renewals

Very common architecture.

AWS Verified Access¶

Uses certificates for trust and secure access.

Amazon CloudFront + ACM¶

Very common edge pattern.

Security Features¶

Managed Private Key Protection¶

ACM manages private keys.

Benefits:

Reduced exposure
Secure lifecycle

Public certificates:

❌ Private keys inaccessible

Automatic Certificate Renewal¶

Prevents:

Downtime
Expiration incidents

Certificate Transparency (CT) Logging¶

Public certificates log to CT logs by default.

Purpose:

Detect unauthorized issuance

Exam nuance:

CT logs expose domain existence publicly.

Example:

super-secret.example.com

could become visible.

Opt-out supported for certain scenarios.

Tradeoff:

Less visibility vs browser ecosystem expectations.

Mutual TLS (mTLS)¶

Supports:

Client identity
Service identity

Common with:

API Gateway
Private CA

IAM Authorization¶

Control:

Request
Import
Export
Deployment

permissions.

Advanced Security and Operational Concepts¶

CloudFront Regional Constraint (VERY HIGH VALUE)¶

CloudFront viewer certificates must exist in:

us-east-1

Origin region irrelevant.

Exam trap:

Certificate in eu-west-1 fails.

ACM Does NOT Install Certs onto EC2 (EXCEPT ONE CASE)¶

Standard rule:

ACM → Integrated Services Only

Cannot directly deploy to:

Apache
NGINX
IIS

Traditional solution:

ALB
 ↓
EC2

Nitro Enclaves Exception (ADVANCED)¶

ACM integrates with:

ACM for Nitro Enclaves

Architecture:

ACM
 ↓
Nitro Enclave
 ↓
Private Key Operations
 ↓
EC2 Application

Purpose:

Use ACM certificates directly on EC2 while keeping private keys isolated.

Private keys never exposed to host OS.

Exam trap:

If asked:

"Use ACM certificate directly on EC2"

Look for:

Nitro Enclaves

Apex + Wildcard Strategy (HIGH VALUE)¶

Wildcard:

*.example.com

Does NOT include:

example.com

Best practice:

Request one certificate:

example.com
*.example.com

Single certificate.

Covers both.

ACM vs IAM Server Certificates¶

Legacy:

IAM certificates.

Modern:

ACM.

Exam answer:

Prefer ACM.

Private CA Enterprise Design¶

Recommended hierarchy:

Offline Root CA
     ↓
Subordinate CA
     ↓
AWS Private CA
     ↓
ACM Certificates

Protects root trust.

Cross-Account Certificate Governance¶

Pattern:

Security Account
 ↓
Private CA
 ↓
AWS RAM
 ↓
Organization Accounts
 ↓
ACM Requests

Central trust.

Distributed issuance.

TLS Termination Decisions¶

Terminate at:

CloudFront: - Edge optimization

ALB: - Layer 7 features

NLB: - Performance

Nitro Enclave: - Direct instance TLS

Architecture Example¶

flowchart LR

User

Route53[Route 53]

ACM[ACM]

CF[CloudFront]

ALB[ALB]

App[Application]

PCA[Private CA]

RAM[AWS RAM]

Org[Member Accounts]

User --> CF

Route53 --> ACM

ACM --> CF

ACM --> ALB

CF --> ALB

ALB --> App

PCA --> ACM

PCA --> RAM

RAM --> Org

Workflow(s)¶

Public Certificate Issuance (DNS)¶

sequenceDiagram

participant Admin
participant ACM
participant Route53
participant CA
participant Service

Admin->>ACM: Request certificate

ACM->>Route53: Validation CNAME

Route53->>CA: Verify ownership

CA-->>ACM: Issue certificate

ACM-->>Service: Deploy

ACM->>ACM: Auto renewal

sequenceDiagram

participant Security
participant RAM
participant PrivateCA
participant Member
participant ACM

Security->>RAM: Share Private CA

RAM->>Member: Grant access

Member->>ACM: Request certificate

ACM->>PrivateCA: Issue

PrivateCA-->>ACM: Signed certificate

Nitro Enclave Certificate Processing¶

sequenceDiagram

participant ACM
participant Enclave
participant EC2
participant Client

ACM->>Enclave: Deliver certificate

Enclave->>Enclave: Secure key isolation

Client->>EC2: TLS request

EC2->>Enclave: TLS operations

Enclave-->>Client: Secure session

Comparisons¶

Service	Purpose	Auto Renew	Export Keys	Public Trust
ACM	Managed certificate lifecycle	Yes	No	Yes
ACM Private CA	Internal PKI	Yes	Optional	No
IAM Server Certificates	Legacy storage	No	Yes	Yes
Secrets Manager	Secret storage	Rotation	Yes	No
External CA	Customer-managed PKI	Customer	Usually	Yes

Common Exam Traps¶

CloudFront certificates must exist in us-east-1.
Imported certificates do not auto-renew.
ACM public private keys are not exportable.
DNS validation enables automatic renewal.
Validation expires after 72 hours.
ACM is not enterprise PKI.
Private CA is separate from ACM.
Wildcard does not cover apex.
Best practice = apex + wildcard together.
Cross-account Private CA uses RAM.
CT logging may expose internal subdomains.
ACM cannot install directly on EC2.
Exception → Nitro Enclaves.

5-Second Recall¶

ACM = managed TLS lifecycle
CloudFront → cert in us-east-1
DNS validation preferred
Imported certs → manual renewal
Wildcard ≠ apex
Private CA shared via RAM
Validation window = 72 hours
Nitro Enclaves = ACM on EC2

Quick Revision Notes¶

Public + private certificate management
Automatic renewal for ACM-issued certs
Route 53 commonly automates validation
CloudFront requires us-east-1
Private CA enables internal trust
RAM enables centralized CA governance
CT logging reveals public domains
Imported certificates remain customer-managed
Nitro Enclaves enables direct EC2 certificate usage
Apex + wildcard is common production pattern

AWS Certificate Manager (ACM)¶

What Is This Service?¶

Why It Matters for Security¶

Core Concepts¶

Public Certificates¶

Private Certificates¶

Certificate Validation¶

DNS Validation (Preferred)¶

Email Validation¶

Validation Window (HIGH VALUE)¶

Managed Renewal¶

Imported Certificates¶

Certificate Export¶

Important Integrations¶

Elastic Load Balancing (ALB / NLB)¶

Amazon CloudFront¶

Amazon API Gateway¶

AWS Private CA¶

AWS Resource Access Manager (RAM)¶

Amazon Route 53¶

AWS Verified Access¶

Amazon CloudFront + ACM¶

Security Features¶

Managed Private Key Protection¶

Automatic Certificate Renewal¶

Certificate Transparency (CT) Logging¶

Mutual TLS (mTLS)¶

IAM Authorization¶

Advanced Security and Operational Concepts¶

CloudFront Regional Constraint (VERY HIGH VALUE)¶

ACM Does NOT Install Certs onto EC2 (EXCEPT ONE CASE)¶

Nitro Enclaves Exception (ADVANCED)¶

Apex + Wildcard Strategy (HIGH VALUE)¶

ACM vs IAM Server Certificates¶

Private CA Enterprise Design¶

Cross-Account Certificate Governance¶

TLS Termination Decisions¶

Architecture Example¶

Workflow(s)¶

Public Certificate Issuance (DNS)¶

Private CA Sharing¶

Nitro Enclave Certificate Processing¶

Comparisons¶

Common Exam Traps¶

5-Second Recall¶

Quick Revision Notes¶