Skip to content

AWS Certificate Manager (ACM)

AWS Certificate Manager (ACM) Overview

  • Definition: AWS Certificate Manager (ACM) is a managed service for provisioning, managing, and deploying public and private SSL/TLS certificates for use with AWS services and internal resources.
  • Key Features:
    • Provides public SSL/TLS certificates (free) for AWS-integrated services and private certificates via ACM Private Certificate Authority (CA).
    • Supports automatic certificate issuance, renewal, and deployment.
    • Integrates with CloudFront, ALB, NLB, API Gateway, AppSync, Route 53, and CloudFormation.
    • Offers DNS and email validation for public certificates; private CA for internal trust chains.
  • Use Cases: Secure web applications, enable HTTPS for APIs, manage internal certificates, ensure compliance with encryption standards.
  • Key Updates (2024–2025):
    • Enhanced Private CA Integration: Simplified private certificate issuance (October 2024).
    • Improved DNS Validation: Faster Route 53 integration for public certificates (March 2024).
    • FIPS 140-2 Compliance: Enhanced for GovCloud (October 2024).
    • Security Hub Integration: Detect misconfigured certificates (January 2025).

1. ACM Core Concepts

Components

  • Public Certificate:
    • Free SSL/TLS certificate issued by ACM for public domains.
    • Managed by ACM (cannot export private key).
    • Explanation: E.g., certificate for www.example.com on CloudFront.
  • Private Certificate:
    • Issued by ACM Private CA for internal resources (e.g., intranet servers).
    • Exportable private key for non-AWS use.
    • Explanation: E.g., certificate for internal API server.
  • ACM Private Certificate Authority (CA):
    • Managed private CA for issuing and managing private certificates.
    • Supports root and subordinate CAs.
    • Explanation: E.g., root CA for issuing employee VPN certificates.
  • Certificate Validation:
    • DNS Validation: Preferred, uses CNAME record (automated with Route 53).
    • Email Validation: Sends approval email to domain contacts.
    • Explanation: E.g., add CNAME in Route 53 for example.com validation.
  • Certificate Renewal:
    • ACM automatically renews public and private certificates before expiry.
    • Requires DNS/email validation to remain active.
    • Explanation: E.g., auto-renew certificate 60 days before expiry.

Key Concepts

  • Domain Coverage:
    • Supports single-domain, wildcard (*.example.com), and multi-domain (SAN) certificates.
    • Explanation: E.g., wildcard certificate for *.example.com and example.com.
  • Certificate Deployment:
    • Automatically deployed to integrated AWS services (e.g., ALB, CloudFront).
    • Manual deployment for private certificates outside AWS.
    • Explanation: E.g., attach certificate to ALB listener.
  • Certificate Import:
    • Import third-party certificates into ACM for AWS service use.
    • Requires certificate, private key, and chain.
    • Explanation: E.g., import DigiCert certificate for API Gateway.
  • Tagging:
    • Apply tags to certificates for organization and cost tracking.
    • Explanation: E.g., tag certificate with “Project:WebApp”.
  • Revocation:
    • Private CA supports certificate revocation via CRL (Certificate Revocation List).
    • Public certificates cannot be revoked (rely on CA).
    • Explanation: E.g., revoke compromised private certificate.

Key Notes:

  • Exam Relevance: Understand public vs. private certificates, validation, renewal, and integrations.
  • Mastery Tip: Compare ACM vs. IAM certificates vs. third-party certificates for SSL/TLS.

2. ACM Performance Features

ACM optimizes certificate management and HTTPS performance.

Low Latency

  • Purpose: Minimize SSL/TLS handshake delays.
  • Features:
    • Certificates deployed at CloudFront edge locations for global HTTPS.
    • Optimized TLS protocols (e.g., TLS 1.2, 1.3).
  • Explanation: E.g., CloudFront serves HTTPS content in <20 ms.
  • Exam Tip: Use ACM with CloudFront for low-latency HTTPS.

High Throughput

  • Purpose: Handle high HTTPS request volumes.
  • Features:
    • Scales to millions of HTTPS requests/second via CloudFront, ALB.
    • Automatic certificate deployment reduces overhead.
  • Explanation: E.g., ALB handles 100,000 HTTPS requests/second.
  • Exam Tip: Highlight ACM for high-traffic apps.

Scalability

  • Purpose: Support growing workloads.
  • Features:
    • No limit on public certificates (subject to quotas).
    • Private CA scales to thousands of certificates.
    • Multi-account management via AWS Organizations.
  • Explanation: E.g., manage 1,000 private certificates for enterprise.
  • Exam Tip: Use ACM for scalable HTTPS deployments.

Key Notes:

  • Performance: Edge deployment + high throughput + scalability = efficient HTTPS.
  • Exam Tip: Emphasize ACM for scalable, low-latency SSL/TLS.

3. ACM Resilience Features

Resilience ensures reliable certificate management.

Multi-AZ Redundancy

  • Purpose: Survive AZ failures.
  • Features:
    • Certificates stored in Regional, multi-AZ infrastructure.
    • CloudFront edge deployment for global availability.
  • Explanation: E.g., certificate remains accessible if us-east-1a fails.
  • Exam Tip: Highlight multi-AZ for HA.

Automatic Renewal:

  • Purpose: Prevent certificate expiry.
  • Features:
    • ACM auto-renews public/private certificates 60 days before expiry.
    • Requires active DNS/email validation.
  • Explanation: E.g., renew www.example.com certificate seamlessly.
  • Exam Tip: Use DNS validation with Route 53 for reliable renewal.

Monitoring and Recovery:

  • Purpose: Detect and respond to issues.
  • Features:
    • CloudWatch metrics for certificate usage (e.g., HTTPS requests).
    • Security Hub integration for misconfiguration findings (new 2025).
    • CloudTrail logs API calls (e.g., RequestCertificate, RenewCertificate).
    • Explanation: E.g., alarm on failed renewal attempts.
  • Exam Tip: Use CloudTrail and Security Hub for resilience.

Cross-Region Support:

  • Purpose: Support multi-Region apps.
  • Features:
    • Certificates are Regional; use same certificate for global CloudFront.
    • Private CA supports cross-Region CRL distribution.
  • Explanation: E.g., use us-east-1 certificate for CloudFront globally.
  • Exam Tip: Know CloudFront for multi-Region resilience.

Key Notes:

  • Resilience: Multi-AZ + auto-renewal + monitoring = reliable HTTPS.
  • Exam Tip: Design resilient HTTPS with ACM and Route 53.

4. ACM Security Features

Security is the core focus of ACM for SAA-C03.

Access Control

  • IAM Policies:
    • Control access to ACM APIs (e.g., acm:RequestCertificate, acm:DeleteCertificate).
    • Example: {"Effect": "Allow", "Action": "acm:RequestCertificate", "Resource": "*"}.
  • Private CA Permissions:
    • Separate permissions for issuing/revoking private certificates (acm-pca:IssueCertificate).
    • Explanation: E.g., restrict private CA to security team.
  • Exam Tip: Practice IAM policies for ACM and Private CA.

Encryption

  • In Transit:
    • HTTPS for certificate deployment and API calls.
    • Supports modern TLS protocols (1.2, 1.3).
    • Explanation: E.g., secure ALB HTTPS traffic.
  • At Rest:
    • Certificates and private keys encrypted with KMS.
    • Private CA data encrypted with KMS.
    • Explanation: E.g., KMS encrypts private CA root key.
  • Exam Tip: Highlight KMS for compliance.

Certificate Validation:

  • Purpose: Verify domain ownership.
  • Features:
    • DNS validation (preferred, automated with Route 53).
    • Email validation (manual, slower).
  • Explanation: E.g., Route 53 CNAME validates example.com in minutes.
  • Exam Tip: Use DNS validation for automation.

Private CA:

  • Purpose: Secure internal resources.
  • Features:
    • Issues private certificates for non-public domains (e.g., server.internal).
    • Supports CRL for revocation.
    • Enhanced issuance workflows (new 2024).
  • Explanation: E.g., issue certificate for internal load balancer.
  • Exam Tip: Know Private CA for enterprise security.

Auditing:

  • Purpose: Track certificate actions.
  • Features:
    • CloudTrail logs all ACM and Private CA API calls.
    • Security Hub detects misconfigured certificates (e.g., expired, weak protocols) (new 2025).
  • Explanation: E.g., audit RequestCertificate for compliance.
  • Exam Tip: Use CloudTrail for auditing.

Compliance

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., use ACM for PCI-compliant HTTPS website.

Key Notes:

  • Security: KMS + validation + Private CA + auditing = robust HTTPS.
  • Exam Tip: Configure DNS validation, Private CA, and IAM for security.

5. ACM Cost Optimization

Cost efficiency is a key exam domain.

Pricing

  • Public Certificates:
    • Free for ACM-managed certificates used with AWS services.
    • Example: 10 public certificates for ALB = $0/month.
  • Private CA:
    • $400/month per CA (prorated, minimum 1 month).
    • $0.75/private certificate issued.
    • Example: 1 CA, 100 certificates = $400 + (100 × $0.75) = $475/month.
  • Imported Certificates:
    • Free, but manual renewal increases operational cost.
    • Example: Import 5 third-party certificates = $0/month.
  • KMS:
    • $1.00/CMK/month, $0.03/10,000 requests (AWS-managed key free).
    • Example: 1 CMK for Private CA = $1/month.
  • Total Example:
    • 10 public certificates, 1 Private CA, 100 private certificates, 1 CMK:
      • Public: $0.
      • Private CA: $400.
      • Private Certificates: 100 × $0.75 = $75.
      • KMS: $1.
      • Total: $476/month.

Cost Strategies

  • Use Public Certificates:
    • Free for AWS-integrated services; avoid third-party certificates.
    • Explanation: E.g., use ACM public certificate to save $100/year vs. third-party.
  • Limit Private CAs:
    • Use one CA for multiple certificates; disable unused CAs.
    • Explanation: E.g., consolidate to 1 CA to save $400/month.
  • Optimize Private Certificates:
    • Issue certificates only for necessary resources.
    • Explanation: E.g., issue 50 vs. 100 certificates to save $37.50/month.
  • Use AWS-Managed KMS Key:
    • Free for ACM encryption.
    • Explanation: E.g., avoid CMK to save $1/month.
  • Automate Validation:
    • Use Route 53 DNS validation to reduce manual email costs.
    • Explanation: E.g., automate validation to save admin time.
  • Tagging:
    • Use cost allocation tags to track certificate costs.
    • Explanation: E.g., tag certificate with “Project:Security”.
  • Monitor Usage:
    • Use CloudTrail to optimize certificate creation/deletion.
    • Explanation: E.g., delete unused private certificate to save $0.75/month.

Key Notes:

  • Cost Savings: Public certificates + single CA + AWS-managed KMS = lower costs.
  • Exam Tip: Calculate costs for Private CA and certificates.

6. ACM Advanced Features

Enhanced Private CA Integration:

  • Purpose: Simplify private certificate management.
  • Features:
    • Streamlined issuance and revocation workflows (new 2024).
    • Supports complex trust chains (root + subordinate CAs).
  • Explanation: E.g., issue certificate for internal VPN server.
  • Exam Tip: Know Private CA for internal HTTPS.

Improved DNS Validation:

  • Purpose: Faster certificate issuance.
  • Features:
    • Seamless Route 53 integration for automated CNAME creation (new 2024).
    • Supports multi-domain validation.
  • Explanation: E.g., validate *.example.com in minutes.
  • Exam Tip: Use Route 53 for DNS validation.

Security Hub Integration:

  • Purpose: Centralized security monitoring.
  • Features:
    • Detects misconfigured certificates (e.g., expired, weak TLS) (new 2025).
    • Aggregates findings with GuardDuty, Inspector.
  • Explanation: E.g., flag certificate using TLS 1.0.
  • Exam Tip: Use Security Hub for compliance.

Multi-Domain Certificates:

  • Purpose: Secure multiple domains.
  • Features:
    • Supports up to 100 domains in a single certificate (SAN).
    • Explanation: E.g., one certificate for example.com, api.example.com.
  • Exam Tip: Know SAN for complex apps.

CloudFormation Support:

  • Purpose: Automate certificate management.
  • Features:
    • Provision certificates and Private CAs via CloudFormation.
    • Explanation: E.g., deploy ALB with ACM certificate in stack.
  • Exam Tip: Use CloudFormation for IaC.

Key Notes:

  • Flexibility: Private CA + DNS validation + Security Hub = advanced HTTPS.
  • Exam Tip: Know Private CA, DNS validation, and CloudFormation.

7. ACM Use Cases

Understand practical applications.

Web Application Security

  • Setup: Public certificate for CloudFront or ALB.
  • Features: Free, auto-renewed HTTPS.
  • Explanation: E.g., secure www.example.com with HTTPS.

API Security

  • Setup: Public certificate for API Gateway.
  • Features: Seamless HTTPS for APIs.
  • Explanation: E.g., enable HTTPS for REST API.

Internal Resource Security

  • Setup: Private certificate from Private CA for internal server.
  • Features: Custom trust chain, exportable.
  • Explanation: E.g., secure internal load balancer.

Compliance Requirements

  • Setup: Public/private certificates with KMS and CloudTrail.
  • Features: HIPAA/PCI compliance, auditing.
  • Explanation: E.g., PCI-compliant HTTPS website.

8. ACM vs. Other Certificate Solutions

Feature ACM IAM Certificates Third-Party Certificates
Type Managed SSL/TLS Legacy SSL for CloudFront External CA (e.g., DigiCert)
Workload AWS services, internal CloudFront only Any resource
Cost Free (public), $400/CA Free $100–$1,000/year
Renewal Automatic Manual Manual
Use Case ALB, CloudFront HTTPS Legacy CloudFront Non-AWS resources

Explanation:

  • ACM: Managed public/private certificates for AWS services.
  • IAM Certificates: Deprecated, used for legacy CloudFront.
  • Third-Party: Flexible but manual and costly.

9. Detailed Explanations for Mastery

  • Enhanced Private CA:
    • Example: Issue private certificate for internal API server.
    • Why It Matters: Simplifies enterprise HTTPS—new for 2024.
  • Improved DNS Validation:
    • Example: Auto-validate example.com with Route 53 CNAME.
    • Why It Matters: Speeds up issuance—new for 2024.
  • Security Hub Integration:
    • Example: Flag expired certificate on ALB.
    • Why It Matters: Centralized compliance—new for 2025.

10. Quick Reference Table

Feature Purpose Key Detail Exam Relevance
Public Certificate Secure AWS services Free, auto-renewed, non-exportable Core Concept
Private Certificate Secure internal resources Issued by Private CA, exportable Core Concept
Private CA Issue private certificates $400/month, enhanced (2024) Core Concept
DNS Validation Verify domain ownership Automated with Route 53 (2024) Security, Performance
Auto-Renewal Prevent expiry 60 days before expiry Resilience
Security Hub Misconfiguration detection Centralized findings (2025) Security, Resilience
CloudFormation Automate provisioning Deploy certificates in IaC Flexibility