AWS Certificate Manager (ACM)
AWS Certificate Manager (ACM) is a fully managed service that simplifies the provisioning, management, and deployment of SSL/TLS certificates for use with AWS services and internal resources. In the context of the AWS Certified Security – Specialty (SCS-C02) exam, ACM is a critical component of infrastructure security under Domain 3.

**Key Features:**

1. **Certificate Provisioning:** ACM allows you to request public SSL/TLS certificates at no cost for AWS-integrated services. It also supports importing third-party certificates and issuing private certificates through ACM Private Certificate Authority (PCA).
2. **Automated Renewal:** ACM automatically renews certificates it manages before expiration, eliminating the risk of service outages due to expired certificates. This is a significant security advantage.
3. **Integration with AWS Services:** ACM integrates seamlessly with services like Elastic Load Balancer (ELB), Amazon CloudFront, API Gateway, and Elastic Beanstalk, enabling encrypted communications across your infrastructure.
4. **Private Certificate Authority:** ACM PCA enables organizations to create a private CA hierarchy for internal resources, issuing private certificates for mutual TLS authentication, IoT devices, and microservices communication.
5. **Domain Validation:** ACM supports DNS validation and email validation to prove domain ownership. DNS validation is preferred as it enables automatic renewal.

**Security Considerations:**

- ACM stores private keys securely using AWS KMS and never allows them to be exported for ACM-issued certificates.
- Certificate transparency logging is enabled by default for public certificates.
- IAM policies and resource-based policies control access to ACM operations.
- ACM certificates are regional, except when used with CloudFront (which requires us-east-1).

**Best Practices:**

- Use DNS validation for automated certificate lifecycle management.
- Implement least-privilege IAM policies for certificate management.
- Monitor certificate expiration using Amazon CloudWatch and AWS Config rules.
- Use ACM PCA for internal PKI infrastructure rather than self-signed certificates.

ACM plays a vital role in ensuring encrypted data in transit, which is fundamental to maintaining a robust security posture across AWS infrastructure.
AWS Certificate Manager (ACM) – Complete Guide for AWS Security Specialty
Why is AWS Certificate Manager (ACM) Important?
In today's security-conscious environment, encrypting data in transit is a fundamental requirement for virtually every application. SSL/TLS certificates enable HTTPS connections, secure API communications, and protect sensitive data as it moves between clients and servers. Managing these certificates manually is time-consuming, error-prone, and can lead to costly outages when certificates expire unexpectedly. AWS Certificate Manager (ACM) eliminates these operational burdens by providing a managed service to provision, manage, and deploy SSL/TLS certificates for use with AWS services. For the AWS Security Specialty exam, ACM is a critical topic because it sits at the intersection of infrastructure security, data protection, and identity management.
What is AWS Certificate Manager (ACM)?
AWS Certificate Manager (ACM) is a fully managed service that lets you provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. ACM removes the complex and error-prone manual process of purchasing, uploading, and renewing SSL/TLS certificates.
Key characteristics of ACM include:
- Public Certificates: ACM can issue public SSL/TLS certificates at no additional cost. These certificates are trusted by all major browsers and operating systems. They can only be used with integrated AWS services such as Elastic Load Balancing (ELB), Amazon CloudFront, Amazon API Gateway, and AWS Elastic Beanstalk.
- Private Certificates: Through integration with AWS Private Certificate Authority (AWS Private CA), ACM can issue private certificates for internal resources, IoT devices, and microservices communication. Private CA has its own pricing model.
- Imported Certificates: You can import third-party certificates into ACM for use with supported AWS services. ACM does not manage renewal of imported certificates; you must handle renewal yourself. However, ACM does monitor imported certificates and sends expiration notifications via Amazon CloudWatch and AWS Health events.
How Does ACM Work?
1. Certificate Provisioning
When you request a public certificate through ACM, you specify one or more domain names (e.g., example.com, *.example.com for wildcard certificates). ACM then requires you to validate that you own or control the domain(s) before issuing the certificate. There are two validation methods:
- DNS Validation (Recommended): ACM provides a CNAME record that you must add to your DNS configuration. If you use Amazon Route 53, ACM can add the record automatically. This method supports automatic renewal because the CNAME record remains in place.
- Email Validation: ACM sends validation emails to registered domain contacts and common administrative addresses (admin@, postmaster@, etc.). This method requires manual action for each renewal cycle and is therefore not recommended for production environments.
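The DNS validation step above comes down to publishing the CNAME record ACM hands back for each domain. The following added example (not code from the original page) takes a dict shaped like the `Certificate` object returned by ACM's `DescribeCertificate` API, pulls the `ResourceRecord` out of each DNS-validated `DomainValidationOptions` entry, and builds the `ChangeBatch` that Route 53's `ChangeResourceRecordSets` expects. The ARN, account id and validation tokens in the sample are constructed; the field names are ACM's own.

```python
"""Turn ACM's DNS validation records into a Route 53 change batch.

Added example, not from the original page. Input mirrors the
DomainValidationOptions structure returned by ACM DescribeCertificate;
the token values, ARN and account id below are constructed.
"""
import json

# Constructed sample of DescribeCertificate()["Certificate"] for a
# pending certificate covering the apex, its wildcard and one
# email-validated name (which has no record to publish).
SAMPLE_CERTIFICATE = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "DomainName": "example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {
            "DomainName": "example.com",
            "ValidationMethod": "DNS",
            "ValidationStatus": "PENDING_VALIDATION",
            "ResourceRecord": {
                "Name": "_a1b2c3d4.example.com.",
                "Type": "CNAME",
                "Value": "_e5f6g7h8.acm-validations.aws.",
            },
        },
        {
            # ACM issues the same record for the apex and its wildcard.
            "DomainName": "*.example.com",
            "ValidationMethod": "DNS",
            "ValidationStatus": "PENDING_VALIDATION",
            "ResourceRecord": {
                "Name": "_a1b2c3d4.example.com.",
                "Type": "CNAME",
                "Value": "_e5f6g7h8.acm-validations.aws.",
            },
        },
        {
            "DomainName": "mail.example.com",
            "ValidationMethod": "EMAIL",
            "ValidationStatus": "PENDING_VALIDATION",
        },
    ],
}


def validation_records(certificate):
    """Return the distinct DNS validation records ACM wants published."""
    seen = {}
    for option in certificate.get("DomainValidationOptions", []):
        if option.get("ValidationMethod") != "DNS":
            continue  # email-validated names have no DNS record
        record = option.get("ResourceRecord")
        if not record:
            continue  # record not yet available right after the request
        key = (record["Name"].lower(), record["Type"], record["Value"].lower())
        seen[key] = record  # dedupe apex + wildcard
    return list(seen.values())


def route53_change_batch(certificate, ttl=300):
    """Build the ChangeBatch for Route 53 ChangeResourceRecordSets.

    UPSERT is idempotent, so re-running it is safe; the record must stay
    in place afterwards so ACM can re-validate at renewal time.
    """
    changes = [
        {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record["Name"],
                "Type": record["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": record["Value"]}],
            },
        }
        for record in validation_records(certificate)
    ]
    return {"Comment": f"ACM validation for {certificate['DomainName']}", "Changes": changes}


def record_belongs_to_domain(record, domain):
    """Sanity check before publishing: the record must sit under the validated domain."""
    name = record["Name"].rstrip(".").lower()
    base = domain[2:] if domain.startswith("*.") else domain
    base = base.rstrip(".").lower()
    return name == base or name.endswith("." + base)


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(SAMPLE_CERTIFICATE), indent=2))
```

Feeding the resulting batch to `change_resource_record_sets` on the domain's hosted zone is what ACM does for you when you click "Create records in Route 53"; doing it yourself is what you need when the zone lives in another account or a non-Route 53 provider.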
2. Certificate Deployment
Once validated and issued, certificates are deployed by associating them with supported AWS services:
- Elastic Load Balancing (ALB, NLB, CLB): Terminate SSL/TLS at the load balancer level.
- Amazon CloudFront: Enable HTTPS on your CDN distributions. Important: Certificates used with CloudFront must be provisioned in the us-east-1 (N. Virginia) region.
- Amazon API Gateway: Secure custom domain names for your APIs.
- AWS Elastic Beanstalk: Secure your application endpoints.
- AWS App Runner, AWS Amplify, and other integrated services.
3. Automatic Renewal
ACM-issued public certificates are valid for 13 months (395 days). ACM automatically attempts to renew certificates before they expire:
- For DNS-validated certificates, renewal is fully automatic as long as the CNAME record exists and the certificate is associated with an active AWS resource.
- For email-validated certificates, the domain owner must respond to a renewal email.
- For imported certificates, ACM does not renew them. You must import a new certificate before expiration. ACM sends notifications starting 45 days before expiration via AWS Health Dashboard, Amazon EventBridge, and optionally through an SNS topic.
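The three renewal cases above are exactly what an expiry check should tell apart: a DNS-validated certificate that is in use will renew itself, an email-validated or unattached one may not, and an imported one never will. The added example below (not code from the page) triages dicts shaped like ACM's `DescribeCertificate` output using its real fields (`Type`, `NotAfter`, `InUseBy`, `RenewalEligibility`, `DomainValidationOptions`) and alerts on the same 45-day horizon the text mentions. The three sample certificates, their ARNs, dates and the fixed clock are constructed so it runs offline.

```python
"""Triage ACM certificates for expiry and renewal risk.

Added example, not code from the original page. Operates on dicts shaped
like the Certificate object ACM's DescribeCertificate returns. Sample
records, ARNs, dates and the fixed "now" are constructed.
"""
from datetime import datetime, timedelta, timezone

# The page notes ACM starts notifying 45 days before expiry; alert on the same horizon.
ALERT_WINDOW = timedelta(days=45)

# Fixed clock so the output is reproducible (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _ts(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


SAMPLE_CERTIFICATES = [
    {   # Healthy: DNS-validated, attached to an ALB, eligible for renewal.
        "CertificateArn": "arn:aws:acm:us-west-2:123456789012:certificate/aaaa-0001",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "NotAfter": _ts(2024, 6, 30),
        "InUseBy": ["arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/web/abc123"],
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [{"DomainName": "www.example.com", "ValidationMethod": "DNS"}],
    },
    {   # At risk: email-validated and attached to nothing, so ACM cannot renew it unattended.
        "CertificateArn": "arn:aws:acm:us-west-2:123456789012:certificate/bbbb-0002",
        "DomainName": "legacy.example.com",
        "Type": "AMAZON_ISSUED",
        "NotAfter": _ts(2024, 7, 10),
        "InUseBy": [],
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [{"DomainName": "legacy.example.com", "ValidationMethod": "EMAIL"}],
    },
    {   # Imported: ACM never renews these, and only 20 days remain.
        "CertificateArn": "arn:aws:acm:us-west-2:123456789012:certificate/cccc-0003",
        "DomainName": "partner.example.com",
        "Type": "IMPORTED",
        "NotAfter": _ts(2024, 6, 21),
        "InUseBy": ["arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/net/partner/def456"],
    },
]


def days_until_expiry(cert, now=NOW):
    return (cert["NotAfter"] - now).days


def renewal_risks(cert):
    """Reasons ACM would fail, or refuse, to renew this certificate on its own."""
    if cert.get("Type") == "IMPORTED":
        return ["imported: ACM does not renew, re-import a new certificate before NotAfter"]
    reasons = []
    if not cert.get("InUseBy"):
        reasons.append("not associated with any active AWS resource")
    methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
    if "EMAIL" in methods:
        reasons.append("email validation: renewal needs a manual response")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        reasons.append("RenewalEligibility is INELIGIBLE")
    return reasons


def triage(certs, now=NOW, window=ALERT_WINDOW):
    """Classify each certificate: OK, WARN (expiring but should self-renew), ACTION, EXPIRED."""
    report = {}
    for cert in certs:
        days = days_until_expiry(cert, now)
        risks = renewal_risks(cert)
        if days <= 0:
            level = "EXPIRED"
        elif days <= window.days and risks:
            level = "ACTION"
        elif days <= window.days:
            level = "WARN"
        else:
            level = "OK"
        report[cert["CertificateArn"]] = {"level": level, "days_left": days, "risks": risks}
    return report


def needs_action(report):
    """ARNs a human must deal with; the rest ACM should handle."""
    return sorted(arn for arn, r in report.items() if r["level"] in ("ACTION", "EXPIRED"))


if __name__ == "__main__":
    for arn, entry in triage(SAMPLE_CERTIFICATES).items():
        print(f"{entry['level']:8} {entry['days_left']:4}d  {arn.rsplit('/', 1)[1]}  {'; '.join(entry['risks'])}")
```

In a real deployment the list would come from `ListCertificates` plus `DescribeCertificate` per ARN, and `needs_action` would feed an SNS topic or a ticket; the classification logic does not change.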
4. Certificate Security
- ACM certificates' private keys are managed and protected by AWS. You cannot export the private key of an ACM-issued public certificate.
- Private certificates issued through AWS Private CA can be exported along with their private keys (encrypted with a passphrase) for use on EC2 instances, on-premises servers, or IoT devices.
- ACM integrates with AWS CloudTrail for auditing all API calls related to certificate management.
- ACM uses AWS KMS to protect private keys at rest.
5. Regional Considerations
ACM certificates are regional resources. If you use a certificate with an ALB in us-west-2, you must provision the certificate in us-west-2. The one notable exception is CloudFront, which requires certificates in us-east-1. If you need the same certificate across multiple regions, you must request or import it in each region separately.
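Both regional rules above can be checked from the certificate ARN alone, since the region is the fourth ARN field. The added example below (not code from the page) parses ACM certificate ARNs, confirms that a certificate sits in the region its consumer needs (CloudFront is the one global consumer pinned to us-east-1), and lists the regions where a domain still has no certificate. ARNs and account ids are constructed.

```python
"""Check ACM certificate placement against the regional rules.

Added example, not from the original page. Encodes two rules stated
there: certificates are regional, and CloudFront only accepts
certificates from us-east-1. ARNs and account ids are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertificateArn:
    partition: str
    region: str
    account: str
    certificate_id: str


def parse_certificate_arn(arn):
    """Split arn:partition:acm:region:account:certificate/<id> into its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "acm":
        raise ValueError(f"not an ACM certificate ARN: {arn}")
    resource_type, _, certificate_id = parts[5].partition("/")
    if resource_type != "certificate" or not certificate_id or not parts[3]:
        raise ValueError(f"not an ACM certificate ARN: {arn}")
    return CertificateArn(parts[1], parts[3], parts[4], certificate_id)


# Global consumers that require a certificate in one fixed region.
# Anything not listed needs the certificate in its own region.
GLOBAL_SERVICE_REGION = {"cloudfront": "us-east-1"}


def required_region(service, resource_region):
    return GLOBAL_SERVICE_REGION.get(service, resource_region)


def check_placement(cert_arn, service, resource_region):
    """Return (ok, message) for attaching cert_arn to a resource of `service`."""
    cert = parse_certificate_arn(cert_arn)
    needed = required_region(service, resource_region)
    if cert.region == needed:
        return True, f"ok: certificate {cert.certificate_id} in {cert.region} is usable by {service}"
    return False, (f"{service} needs a certificate in {needed}, but {cert.certificate_id} "
                   f"is in {cert.region}; request or import it in {needed}")


def regions_missing_certificate(inventory, domain, wanted_regions):
    """Given (arn, domain) pairs, list wanted regions that hold no certificate for domain."""
    present = {parse_certificate_arn(arn).region
               for arn, name in inventory if name.lower() == domain.lower()}
    return sorted(set(wanted_regions) - present)


# Constructed inventory: the same domain issued in two regions.
SAMPLE_INVENTORY = [
    ("arn:aws:acm:us-west-2:123456789012:certificate/22222222-bbbb", "api.example.com"),
    ("arn:aws:acm:us-east-1:123456789012:certificate/11111111-aaaa", "api.example.com"),
]

if __name__ == "__main__":
    print(check_placement(SAMPLE_INVENTORY[0][0], "cloudfront", "global")[1])
    print(check_placement(SAMPLE_INVENTORY[0][0], "elasticloadbalancing", "us-west-2")[1])
    print("missing:", regions_missing_certificate(SAMPLE_INVENTORY, "api.example.com",
                                                  ["us-west-2", "eu-west-1", "us-east-1"]))
```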
Key Integrations and Architecture Patterns
- ACM + ALB + Route 53: A common pattern for securing web applications. Route 53 resolves the domain to the ALB, which terminates TLS using an ACM certificate. DNS validation with Route 53 enables fully automated provisioning and renewal.
- ACM + CloudFront + S3: Secure static website hosting. CloudFront uses an ACM certificate (from us-east-1) for HTTPS, with S3 as the origin.
- ACM + API Gateway: Secure custom domains for REST and HTTP APIs. ACM certificates are attached to API Gateway custom domain configurations.
- ACM Private CA + Internal Services: Issue private certificates for mutual TLS (mTLS), service mesh communication, or internal microservices. Private CA supports complex certificate hierarchies with root and subordinate CAs.
- ACM + AWS Config: Use the AWS Config rule acm-certificate-expiration-check to monitor certificates approaching expiration and trigger automated remediation.
- ACM + EventBridge + SNS/Lambda: Create event-driven workflows that alert teams or automatically take action when certificate renewal fails or certificates approach expiration.
ACM vs. AWS Private CA
It is important to distinguish between ACM and AWS Private CA:
- ACM is the service that provisions, manages, and deploys certificates. Public certificates are free.
- AWS Private CA is a managed private certificate authority service. It creates and manages private CA hierarchies and issues private certificates. It has a monthly cost per CA and a per-certificate cost.
- ACM can act as a front end for AWS Private CA, allowing you to request private certificates through the ACM console or API.
Limitations to Remember
- ACM public certificates cannot be installed directly on EC2 instances. You cannot download the private key. Use a load balancer, CloudFront, or API Gateway in front of EC2, or use a third-party/self-signed certificate directly on EC2.
- ACM does not support certificates for bare IP addresses, only domain names.
- Wildcard certificates (*.example.com) cover one subdomain level only (e.g., app.example.com but NOT sub.app.example.com).
- There are default limits on the number of ACM certificates per account per region (adjustable via service quotas).
- ACM public certificates use RSA 2048-bit or ECDSA P-256 keys. You can choose the key algorithm at request time.
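The wildcard and IP-address limits above decide whether a certificate will actually match the host names a deployment serves, and TLS clients apply the same one-label rule. The added example below (not code from the page) implements that matching for a certificate's SAN list and validates names before they go on a request; the host names are constructed.

```python
"""Which host names can an ACM certificate's names (SANs) serve?

Added example, not from the original page. Encodes two limits listed
there: a wildcard covers exactly one label, and bare IP addresses are
never valid certificate names. Host names below are constructed.
"""
import ipaddress


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def normalize(name):
    return name.strip().rstrip(".").lower()


def san_covers(san, hostname):
    """True if one certificate name covers hostname.

    *.example.com covers app.example.com but neither example.com
    (wildcard requires a label) nor sub.app.example.com (two labels).
    """
    san, hostname = normalize(san), normalize(hostname)
    if is_ip_literal(hostname) or is_ip_literal(san):
        return False  # ACM does not issue certificates for IP addresses
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return bool(label) and "." not in label
    return san == hostname


def certificate_covers(sans, hostname):
    return any(san_covers(s, hostname) for s in sans)


def uncovered_hosts(sans, hostnames):
    """Host names in a planned deployment the certificate would not serve."""
    return [h for h in hostnames if not certificate_covers(sans, h)]


def validate_request_name(name):
    """Return (ok, reason) for a name you intend to put on an ACM request."""
    name = normalize(name)
    if is_ip_literal(name):
        return False, "ACM does not issue certificates for IP addresses"
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        return False, "not a fully qualified domain name"
    if "*" in labels[1:]:
        return False, "a wildcard is only allowed as the leftmost label"
    if labels[0] != "*" and "*" in labels[0]:
        return False, "the wildcard must be the whole leftmost label (*.example.com)"
    return True, "ok"


if __name__ == "__main__":
    sans = ["example.com", "*.example.com"]
    planned = ["www.example.com", "api.dev.example.com", "203.0.113.10"]
    print("not covered:", uncovered_hosts(sans, planned))
    for candidate in ["*.example.com", "*.*.example.com", "app*.example.com"]:
        print(candidate, validate_request_name(candidate))
```

Running `uncovered_hosts` against the host names an ALB or CloudFront distribution will answer for is a cheap pre-deployment check; a host that is not covered gets a certificate-mismatch error in clients, which looks like an outage even though the certificate itself is valid.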
Exam Tips: Answering Questions on AWS Certificate Manager (ACM)
1. CloudFront Region Rule: If a question involves CloudFront and SSL/TLS, the certificate must be in us-east-1. This is one of the most frequently tested ACM facts.
2. DNS Validation vs. Email Validation: When asked about the best practice or most operationally efficient approach, always prefer DNS validation. It enables automatic renewal and requires no manual intervention. If Route 53 is mentioned, it makes DNS validation even easier.
3. Cannot Install on EC2 Directly: If a question asks how to use an ACM certificate on an EC2 instance, the answer is typically to place an ALB or NLB in front of EC2 and attach the ACM certificate to the load balancer. If the question specifically requires installing a certificate directly on EC2, ACM public certificates are not the answer — use imported certificates, self-signed certificates, or private certificates exported from AWS Private CA.
4. Imported Certificate Renewal: ACM does not auto-renew imported certificates. If a scenario describes an expiring imported certificate, the solution involves reimporting a renewed certificate or migrating to an ACM-issued certificate for automatic renewal.
5. Private vs. Public Certificates: If a question involves internal communication between services (mTLS, service mesh, internal APIs), think AWS Private CA + ACM private certificates. If it involves public-facing websites or APIs, think ACM public certificates.
6. Monitoring and Compliance: For questions about monitoring certificate expiration, the answers typically involve AWS Config rules (acm-certificate-expiration-check), Amazon EventBridge rules, AWS Health events, or CloudWatch alarms. For auditing certificate management actions, the answer is AWS CloudTrail.
7. Certificate Transparency Logging: ACM public certificates are logged to public Certificate Transparency (CT) logs by default. You can opt out of CT logging when requesting a certificate, but this is rare and generally not recommended. Be aware this exists in case exam questions reference CT.
8. Encryption in Transit Scenarios: When the exam asks about encrypting data in transit for web applications, APIs, or microservices, ACM is almost always a component of the correct answer, combined with services like ALB, CloudFront, or API Gateway.
9. Renewal Failures: If a question describes a failed automatic renewal, look for clues: Was the DNS CNAME record removed? Was the certificate not associated with any active AWS resource? Is it an email-validated certificate where no one responded? These are common causes tested in exam scenarios.
10. Cost Awareness: Public ACM certificates are free. AWS Private CA has significant costs ($400/month per CA by default, with a short-lived certificate mode option). If the question mentions cost optimization, using ACM public certificates with ALB/CloudFront is the most cost-effective approach for public-facing applications.
11. Key Algorithm Selection: ACM now supports both RSA and ECDSA key algorithms. ECDSA offers better performance with smaller key sizes. If a question mentions performance optimization for TLS, ECDSA P-256 certificates may be the preferred choice.
12. Cross-Account and Cross-Region: ACM certificates cannot be shared across regions. For cross-account usage, you can share private CA access via AWS RAM (Resource Access Manager) to allow other accounts to issue private certificates from a centralized CA. This is a common enterprise architecture question.
Summary: ACM simplifies certificate lifecycle management and is tightly integrated into the AWS ecosystem. For the exam, focus on knowing which services integrate with ACM, the regional requirement for CloudFront, the differences between DNS and email validation, the inability to use ACM public certificates directly on EC2, and the distinction between ACM public certificates and AWS Private CA private certificates. Understanding these core concepts will help you confidently answer the majority of ACM-related exam questions.