ACM
Provision, manage, and deploy SSL/TLS certificates for AWS-integrated services
AWS Certificate Manager (ACM) provisions, manages, and auto-renews SSL/TLS certificates for use with AWS services like CloudFront, Application Load Balancers, and API Gateway. ACM eliminates the operational burden of manual certificate renewals, which are a common source of outages. Public certificates from ACM are free of charge.
Public vs Private Certificates
| | ACM Public Certificate | ACM Private Certificate (PCA) |
|---|---|---|
| Cost | Free | $400/month per general-purpose Private CA ($50/month in short-lived certificate mode) plus a tiered per-certificate fee, $0.75 each for the first 1,000 certificates per month |
| Trust | Trusted by browsers/OS globally | Only trusted by your internal clients |
| Use cases | Public-facing HTTPS (ALB, CloudFront, API GW) | Internal services, mTLS, IoT devices, VPN |
| Domain validation | Required (DNS or email) | None required |
| Key algorithm | RSA 2048 or ECDSA P-256/P-384 at request time (larger RSA keys only via import) | CA key RSA 2048/4096 or ECDSA P-256/P-384; the CA can be a root or a subordinate chained to an existing (offline) root |
| Export | Cannot export private key | Can export for use on non-AWS services |
ACM public certificates can only be used with integrated AWS services - you cannot export the private key or install them on EC2 instances directly. For EC2 or on-premises servers, use ACM Private CA or manage certificates externally (Let's Encrypt).
Domain Validation: DNS vs Email
ACM requires proof of domain ownership before issuing a public certificate. DNS validation is strongly preferred over email validation.
| Method | How it works | Pros | Cons |
|---|---|---|---|
| DNS validation | Add a CNAME record ACM provides to your DNS zone | Automatic renewal (AWS validates CNAME is still present), works with Route 53 one-click | Requires DNS access, not possible for domains you don't control DNS for |
| Email validation | AWS emails the domain's WHOIS contacts and the standard admin@, administrator@, hostmaster@, postmaster@ and webmaster@ addresses; someone must click the approval link | No DNS access needed | Manual approval on every issuance and renewal, no unattended auto-renewal, mail often lands in an unmonitored mailbox or is hidden by WHOIS privacy |
```bash
# Request a certificate with DNS validation (apex plus wildcard).
# For CloudFront the certificate MUST be requested in us-east-1 regardless of your app's region.
aws acm request-certificate \
  --domain-name "example.com" \
  --subject-alternative-names "*.example.com" "www.example.com" \
  --validation-method DNS \
  --region us-east-1

# After requesting, fetch the CNAME records ACM wants to see in your DNS zone.
# The apex and the wildcard share one validation record; www gets its own.
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxx \
  --region us-east-1 \
  --query 'Certificate.DomainValidationOptions[].ResourceRecord'
```

CloudFront requires ACM certificates to be in the us-east-1 (N. Virginia) region. This is a hard requirement and a very common source of confusion. ALBs require the certificate to be in the same region as the load balancer.
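The two commands above leave creating the CNAMEs and waiting for issuance as manual steps. The following is an added example (not code from this page or from AWS) that automates the whole procedure in Python with boto3: request an apex + wildcard certificate, convert DomainValidationOptions into a Route 53 change batch, and block until the certificate is ISSUED. The hosted zone ID, domain and region in provision() are assumptions, and SAMPLE_OPTIONS is constructed in the shape DescribeCertificate returns; the helpers that build the change batch run without any AWS access.

```python
"""Request an ACM public certificate with DNS validation and push the
validation CNAMEs to Route 53. Added example, not the page's or AWS's own
code. Hosted zone ID, domain and region are assumptions; SAMPLE_OPTIONS is
constructed to mirror DescribeCertificate's DomainValidationOptions."""
from __future__ import annotations

import time
from typing import Any

# Constructed sample: what DomainValidationOptions looks like a few seconds
# after request-certificate. The apex and the wildcard share one CNAME.
SAMPLE_OPTIONS = [
    {"DomainName": "example.com", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_a1b2c3.example.com.", "Type": "CNAME",
                        "Value": "_d4e5f6.acm-validations.aws."}},
    {"DomainName": "*.example.com", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_a1b2c3.example.com.", "Type": "CNAME",
                        "Value": "_d4e5f6.acm-validations.aws."}},
    {"DomainName": "www.example.com", "ValidationMethod": "DNS",
     "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_g7h8i9.www.example.com.", "Type": "CNAME",
                        "Value": "_j0k1l2.acm-validations.aws."}},
]


def build_validation_change_batch(options: list[dict[str, Any]]) -> dict[str, Any]:
    """Turn DomainValidationOptions into a Route 53 ChangeBatch of UPSERTs.

    Duplicate (Name, Value) pairs are collapsed: ACM issues the same CNAME
    for example.com and *.example.com, and Route 53 rejects a batch that
    touches the same record set twice.
    """
    seen: set[tuple[str, str]] = set()
    changes = []
    for opt in options:
        if opt.get("ValidationMethod") != "DNS":
            raise ValueError(f"{opt['DomainName']} is not DNS-validated")
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM fills this in asynchronously; the caller must poll
            raise ValueError(f"validation record for {opt['DomainName']} not ready")
        key = (rr["Name"].lower(), rr["Value"].lower())
        if key in seen:
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


def pending_domains(options: list[dict[str, Any]]) -> list[str]:
    """Domains ACM has not yet marked SUCCESS."""
    return [o["DomainName"] for o in options if o.get("ValidationStatus") != "SUCCESS"]


def provision(domain: str, hosted_zone_id: str, region: str = "us-east-1") -> str:
    """Request apex + wildcard, publish the CNAMEs, block until ISSUED; returns the ARN.
    region defaults to us-east-1 so the certificate is usable by CloudFront."""
    import boto3  # imported lazily so the pure helpers above run without it

    acm = boto3.client("acm", region_name=region)
    r53 = boto3.client("route53")
    arn = acm.request_certificate(DomainName=domain,
                                  SubjectAlternativeNames=[f"*.{domain}"],
                                  ValidationMethod="DNS")["CertificateArn"]
    for _ in range(30):  # ResourceRecord shows up shortly after the request
        opts = acm.describe_certificate(CertificateArn=arn)["Certificate"]["DomainValidationOptions"]
        if all("ResourceRecord" in o for o in opts):
            break
        time.sleep(2)
    r53.change_resource_record_sets(HostedZoneId=hosted_zone_id,
                                    ChangeBatch=build_validation_change_batch(opts))
    # The waiter polls DescribeCertificate until Status == ISSUED
    # (covers DNS propagation plus CA issuance).
    acm.get_waiter("certificate_validated").wait(CertificateArn=arn)
    return arn


if __name__ == "__main__":
    print(provision("example.com", hosted_zone_id="Z0123456789EXAMPLE"))
```

The de-duplication matters in practice: pushing the apex and wildcard records as two separate UPSERTs in one batch is a common first-run failure. The certificate_validated waiter polls once a minute for up to about 40 minutes by default, which is plenty for Route 53 but may need a longer timeout for slow external DNS.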
Automatic Renewal and Expiry Prevention
ACM automatically renews certificates validated via DNS before they expire. It begins the renewal process 60 days before expiry and will renew as long as the DNS validation CNAME record remains in place.
| Condition | Renewal behavior |
|---|---|
| DNS validated, CNAME present | Fully automatic, no action needed |
| DNS validated, CNAME removed | Renewal fails, cert expires |
| Email validated | No unattended renewal; ACM sends reminder emails starting 45 days before expiry and the domain owner must click the approval link |
| Certificate not in use (no resource attached) | ACM may not attempt renewal; best practice is to keep certs attached |
ACM publishes an EventBridge event with detail-type "ACM Certificate Approaching Expiration" (source aws.acm) once a day for every certificate, starting 45 days before expiry by default; the window is configurable per account (1 to 45 days) with aws acm put-account-configuration --expiry-events DaysBeforeExpiry=N --idempotency-token TOKEN. Route it to SNS and treat it as a page, especially for imported certificates, which ACM never renews: you must import a fresh certificate yourself. ACM also publishes a DaysToExpiry CloudWatch metric per certificate that you can alarm on.
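To make the expiry handling concrete, here is an added example (not code from this page or from AWS documentation) in Python with boto3 that sorts certificates by what must be done before they expire and installs the EventBridge rule. The sample certificates are constructed in the shape of ListCertificates output; the rule name, SNS topic ARN and region in main() are assumptions.

```python
"""Audit ACM certificates for approaching expiry and wire up ACM's built-in
EventBridge notification. Added example, not the page's or AWS's own code.
SAMPLE_CERTS is constructed; the rule name, SNS topic ARN and region are
assumptions."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Pattern for the event ACM emits daily from DaysBeforeExpiry until the
# certificate is renewed, re-imported or expires.
EXPIRY_EVENT_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration"],
}

# Constructed sample in the shape of list_certificates' CertificateSummaryList.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/dns-ok",
     "DomainName": "example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "InUse": True,
     "NotAfter": NOW + timedelta(days=200)},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/dns-stuck",
     "DomainName": "stuck.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "ELIGIBLE", "InUse": True,
     "NotAfter": NOW + timedelta(days=20)},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/email",
     "DomainName": "legacy.example.com", "Type": "AMAZON_ISSUED",
     "RenewalEligibility": "INELIGIBLE", "InUse": False,
     "NotAfter": NOW + timedelta(days=40)},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/imported",
     "DomainName": "vendor.example.com", "Type": "IMPORTED",
     "RenewalEligibility": "INELIGIBLE", "InUse": True,
     "NotAfter": NOW + timedelta(days=10)},
]


def expiry_report(certs, now, threshold_days=45):
    """Return [(arn, days_left, action)] for certificates expiring within
    threshold_days, soonest first.

    ACM starts managed renewal 60 days before expiry and keeps the ARN, so
    an ELIGIBLE certificate whose NotAfter is still inside the threshold has
    missed its renewal window (typically the validation CNAME was deleted).
    IMPORTED certificates are never renewed by ACM and must be re-imported.
    """
    out = []
    for c in certs:
        days_left = (c["NotAfter"] - now).days
        if days_left > threshold_days:
            continue
        if c["Type"] == "IMPORTED":
            action = "re-import a new certificate"
        elif c.get("RenewalEligibility") == "INELIGIBLE":
            action = "manual renewal (email-validated or not in use)"
        else:
            action = "managed renewal missed: check the validation CNAME"
        out.append((c["CertificateArn"], days_left, action))
    return sorted(out, key=lambda t: t[1])


def main(region="us-east-1", rule_name="acm-expiry-to-sns",
         sns_topic_arn="arn:aws:sns:us-east-1:123456789012:cert-alerts"):
    import boto3  # imported lazily so expiry_report() runs without it

    acm = boto3.client("acm", region_name=region)
    certs = []
    # list_certificates returns only RSA_2048 certificates unless keyTypes is widened.
    for page in acm.get_paginator("list_certificates").paginate(Includes={"keyTypes": [
            "RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
            "EC_prime256v1", "EC_secp384r1", "EC_secp521r1"]}):
        certs.extend(page["CertificateSummaryList"])
    for arn, days, action in expiry_report(certs, datetime.now(timezone.utc)):
        print(f"{days:3d} days  {arn}  -> {action}")

    # Emit the expiry event 45 days out (the maximum) and route it to SNS.
    acm.put_account_configuration(ExpiryEvents={"DaysBeforeExpiry": 45},
                                  IdempotencyToken="acmexpiry45")
    events = boto3.client("events", region_name=region)
    events.put_rule(Name=rule_name, EventPattern=json.dumps(EXPIRY_EVENT_PATTERN), State="ENABLED")
    events.put_targets(Rule=rule_name, Targets=[{"Id": "sns", "Arn": sns_topic_arn}])


if __name__ == "__main__":
    main()
```

Two operational notes: the SNS topic's resource policy must allow events.amazonaws.com to Publish or the target silently drops, and because ACM is regional the audit and the rule have to be repeated in every region that holds certificates (us-east-1 for CloudFront plus each ALB region).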
ACM Integration with AWS Services
| Service | How ACM integrates | Region requirement |
|---|---|---|
| CloudFront | Select ACM cert in distribution settings, serves HTTPS globally via edge | Must be in us-east-1 |
| Application Load Balancer | Attach cert to HTTPS listener, supports multiple certs via SNI | Same region as ALB |
| API Gateway | Attach to custom domain name | Same region as API Gateway |
| Elastic Beanstalk | Configure in environment via console or .ebextensions | Same region |
| CloudFormation | AWS::CertificateManager::Certificate resource; given DomainValidationOptions with a HostedZoneId, CloudFormation creates the validation CNAMEs in Route 53 and waits for issuance | Created in the stack's region; a CloudFront certificate needs a us-east-1 stack (or a StackSet) |
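The ALB row above notes that one HTTPS listener can carry several certificates and pick one by SNI. A check a practitioner wants before relying on that, added here as an example (not code from this page or from AWS), is whether the attached certificates actually cover every hostname the listener routes on. The matching follows the standard TLS name rules (case-insensitive, a wildcard stands in for exactly one leftmost label), so it also shows why *.example.com does not cover example.com or a.b.example.com. The listener ARN in listener_coverage() is an assumption and the SAMPLE_* data is constructed.

```python
"""Check that the certificates on an ALB HTTPS listener cover every hostname
its host-header rules route on. Added example, not the page's or AWS's own
code. SAMPLE_CERTS and SAMPLE_HOSTNAMES are constructed; the listener ARN
passed to listener_coverage() is an assumption."""
from __future__ import annotations


def hostname_matches(hostname: str, san: str) -> bool:
    """True if a certificate name (exact or *.wildcard) covers hostname.
    *.example.com covers www.example.com but neither example.com nor
    a.b.example.com, the usual source of surprise with wildcards."""
    h = hostname.lower().rstrip(".")
    s = san.lower().rstrip(".")
    if not s.startswith("*."):
        return h == s
    suffix = s[1:]  # ".example.com"
    if not h.endswith(suffix):
        return False
    leftmost = h[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_hostnames(hostnames, certs: dict[str, list[str]]) -> list[str]:
    """Hostnames that no attached certificate's SAN list covers.
    certs maps certificate ARN -> SubjectAlternativeNames."""
    return [h for h in hostnames
            if not any(hostname_matches(h, san) for sans in certs.values() for san in sans)]


# Constructed sample: two certificates on one listener and five routed hostnames.
SAMPLE_CERTS = {
    "arn:aws:acm:us-east-1:123456789012:certificate/aaa": ["example.com", "*.example.com"],
    "arn:aws:acm:us-east-1:123456789012:certificate/bbb": ["api.example.net"],
}
SAMPLE_HOSTNAMES = ["example.com", "www.example.com", "a.b.example.com",
                    "API.example.net", "shop.example.net"]


def listener_coverage(listener_arn: str, region: str = "us-east-1") -> list[str]:
    """Pull the listener's certificates and host-header rule values from the
    API and return the uncovered hostnames. Host-header values may contain
    ALB's own '*' and '?' patterns; those are not hostnames and are skipped."""
    import boto3  # imported lazily so the pure helpers above run without it

    elbv2 = boto3.client("elbv2", region_name=region)
    acm = boto3.client("acm", region_name=region)  # ALB certs live in the ALB's region
    certs: dict[str, list[str]] = {}
    for c in elbv2.describe_listener_certificates(ListenerArn=listener_arn)["Certificates"]:
        desc = acm.describe_certificate(CertificateArn=c["CertificateArn"])["Certificate"]
        certs[c["CertificateArn"]] = desc["SubjectAlternativeNames"]
    hostnames = set()
    for rule in elbv2.describe_rules(ListenerArn=listener_arn)["Rules"]:
        for cond in rule.get("Conditions", []):
            if cond.get("Field") == "host-header":
                for v in cond.get("HostHeaderConfig", {}).get("Values", []):
                    if "*" not in v and "?" not in v:
                        hostnames.add(v)
    return uncovered_hostnames(sorted(hostnames), certs)


if __name__ == "__main__":
    print(uncovered_hostnames(SAMPLE_HOSTNAMES, SAMPLE_CERTS))
```

Run against the sample data this reports a.b.example.com and shop.example.net: the first because a wildcard only spans one label, the second because no attached certificate names example.net at all. Clients that send no SNI get the listener's default certificate, so that one should name your most important hostname.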
```bash
# Add an ACM certificate to an existing ALB HTTPS listener.
# The listener's default certificate is set with create-listener/modify-listener --certificates;
# add-listener-certificates appends additional certificates that ALB serves via SNI.
aws elbv2 add-listener-certificates \
  --listener-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/app/my-alb/xxx/yyy \
  --certificates CertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/zzz

# ALB supports Server Name Indication (SNI): attach multiple certificates for multiple domains.
# ALB picks the certificate matching the hostname the client sends in the TLS ClientHello;
# clients that send no SNI get the listener's default certificate.
```

Interview Focus Points
1. Why must ACM certificates for CloudFront be in us-east-1?
2. What is the difference between DNS validation and email validation? Which do you recommend and why?
3. How does ACM automatic renewal work? What can cause renewal to fail?
4. Can you install an ACM public certificate directly on an EC2 instance? What are your alternatives?
5. What is ACM Private CA and when would you use it over a public ACM certificate?
6. How would you get alerted before an imported (non-ACM) certificate expires?
7. How does SNI work with ALB to serve multiple certificates on a single listener?
8. Walk me through the steps to provision a wildcard certificate for a new domain in ACM.