AWS Certificate Manager (ACM): What It Is and When to Use It

Definition

AWS Certificate Manager (ACM) is a managed service that simplifies the provisioning, management, and deployment of public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. It automates the time-consuming manual processes of purchasing, validating, and renewing certificates, making it easier to secure network communications for your AWS-based websites and applications.

How It Works

ACM integrates with various AWS services to provide seamless SSL/TLS encryption. The process involves requesting a certificate, validating domain ownership, and then deploying the certificate to supported services.

1. Certificate Request: You begin by requesting a certificate in the ACM console or via the AWS Command Line Interface (CLI). You can request a certificate for a single domain (e.g., example.com), multiple specific domains (Subject Alternative Names, or SANs), or wildcard domains (e.g., *.example.com).

2. Domain Validation: Before a publicly trusted certificate can be issued, ACM must verify that you own or control the domains in your request. ACM supports three validation methods:

  • DNS Validation: This is the recommended method. You add a CNAME record provided by ACM to your domain's DNS configuration. A major advantage is that once the CNAME record is in place, ACM can automatically renew the certificate indefinitely without further action, as long as the certificate is in use.
  • Email Validation: ACM sends validation emails to the registered domain owner and to common administrative email addresses (e.g., admin@, hostmaster@). You must click a link in one of these emails to approve the certificate request. This method requires manual intervention for each renewal.
  • HTTP Validation: This method is available for certificates used with Amazon CloudFront. It uses HTTP redirects to prove domain ownership and also supports automatic renewals.

3. Certificate Issuance and Deployment: After successful validation, the certificate is issued and can be associated with ACM-integrated AWS services. The private key of a standard public certificate is generated and held by AWS and cannot be exported, so it never leaves AWS-managed infrastructure. ACM then deploys the certificate and its private key to integrated services such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway.

4. Managed Renewals: For public certificates issued by ACM, the service automatically manages the renewal process before they expire. For DNS- and HTTP-validated certificates, this process is fully automated. For email-validated certificates, the domain owner must re-validate ownership via email for each renewal cycle.
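To make steps 2 through 4 concrete, here is an added example (not code from the article, and not an AWS tool) that takes the JSON returned by `aws acm describe-certificate` for a pending request, builds the Route 53 change batch that publishes the DNS validation CNAMEs, and reports how the certificate will renew. The certificate ARN, the validation record names and values, and the hosted-zone id are constructed placeholders.

```python
"""Added example (not from the article): turn ACM's DNS validation records into a
Route 53 change batch and classify how the certificate will renew.

Input follows the shape of `aws acm describe-certificate`; the sample below is
constructed. Typical workflow that produces it:
  aws acm request-certificate --domain-name example.com \
      --subject-alternative-names '*.example.com' --validation-method DNS
  aws acm describe-certificate --certificate-arn <arn-from-previous-call>
"""
import json

# Constructed sample of describe-certificate output for a pending request.
# Note: ACM hands out the same validation record for a base name and its wildcard.
SAMPLE_DESCRIBE = json.loads("""{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Status": "PENDING_VALIDATION",
    "Type": "AMAZON_ISSUED",
    "RenewalEligibility": "INELIGIBLE",
    "DomainValidationOptions": [
      {"DomainName": "example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "PENDING_VALIDATION",
       "ResourceRecord": {"Name": "_1a2b3c.example.com.", "Type": "CNAME",
                          "Value": "_4d5e6f.acm-validations.aws."}},
      {"DomainName": "*.example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "PENDING_VALIDATION",
       "ResourceRecord": {"Name": "_1a2b3c.example.com.", "Type": "CNAME",
                          "Value": "_4d5e6f.acm-validations.aws."}}
    ]
  }
}""")


def validation_change_batch(describe_output: dict) -> dict:
    """Build a Route 53 ChangeBatch (UPSERT) from the DNS validation records.

    Identical records (base domain + wildcard) are emitted once, and names that
    use email or HTTP validation, or whose record is not generated yet, are skipped.
    """
    seen = set()
    changes = []
    for opt in describe_output["Certificate"].get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS":
            continue  # nothing to publish in DNS for email/HTTP validation
        rr = opt.get("ResourceRecord")
        if not rr:
            continue  # record not generated yet; re-run describe-certificate later
        key = (rr["Name"], rr["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def renewal_mode(describe_output: dict) -> str:
    """Summarise whether ACM will renew this certificate without operator action."""
    cert = describe_output["Certificate"]
    if cert.get("Type") == "IMPORTED":
        return "manual: ACM never renews imported certificates"
    methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
    if "EMAIL" in methods:
        return "manual: email-validated names must be re-approved on every renewal"
    return "automatic: DNS/HTTP validation renews while the record stays published and the certificate is in use"


if __name__ == "__main__":
    # Write the batch for: aws route53 change-resource-record-sets \
    #   --hosted-zone-id ZONE_ID_PLACEHOLDER --change-batch file://batch.json
    print(json.dumps(validation_change_batch(SAMPLE_DESCRIBE), indent=2))
    print(renewal_mode(SAMPLE_DESCRIBE))
```

After publishing the batch with `aws route53 change-resource-record-sets`, `aws acm wait certificate-validated --certificate-arn <arn>` blocks until the status becomes `ISSUED`. Emitting the shared base-domain/wildcard record only once matters because a single change batch should not touch the same record set twice.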

Key Features and Limits

  • Public Certificates: Free of charge when used with ACM-integrated services.
  • Private Certificates: Through integration with AWS Private Certificate Authority (Private CA), you can issue private certificates for internal resources like servers, containers, and IoT devices.
  • Import Certificates: You can import third-party SSL/TLS certificates into ACM to manage them centrally. However, ACM does not automatically renew imported certificates.
  • Exportable Public Certificates: ACM allows you to request public certificates that can be exported, along with their private keys, for use on any server, including Amazon EC2 instances or on-premises hardware. This is a paid feature.
  • Wildcard Support: ACM supports wildcard certificates (e.g., *.example.com), which can secure an unlimited number of subdomains at a specific level.
  • Automatic Renewals: Managed, automated renewal of Amazon-issued certificates helps prevent downtime due to certificate expiration.
  • Certificate Validity: As of early 2026, in compliance with CA/Browser Forum guidelines, new public certificates issued by ACM have a maximum validity of 198 days.
  • Service Quotas (Limits): By default, you can request up to 2,500 certificates per AWS account. Each certificate can include up to 10 domain names by default, which can be increased to 100.
  • Regional Service: ACM certificates are regional resources. To use a certificate with a load balancer in multiple regions, you must request a separate certificate in each region. The major exception is for Amazon CloudFront, which requires the certificate to be created in the US East (N. Virginia) region.
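Because imported certificates are never renewed, managed renewal depends on the certificate being in use, and certificates are regional, an inventory check has to look at every region and at each certificate's type and status. The following added example (not from the article or from AWS) audits summaries in the shape of `aws acm list-certificates` collected per region and flags certificates that need operator attention. The inventory, ARNs and dates are constructed, and the summary field names are an assumption about the CLI output shape.

```python
"""Added example (not from the article): audit an ACM inventory gathered from
several regions for certificates that will not renew on their own or are close
to expiry. Input mimics the CertificateSummaryList of `aws acm list-certificates`
(field names assumed); the inventory below is constructed.
"""
import json
from datetime import datetime

# Constructed per-region summaries; account id, ARNs and dates are placeholders.
SAMPLE_INVENTORY = json.loads("""{
  "us-east-1": [
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-1111",
     "DomainName": "www.example.com", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "InUse": true, "RenewalEligibility": "ELIGIBLE",
     "NotAfter": "2026-12-01T00:00:00+00:00"},
    {"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/bbbb-2222",
     "DomainName": "legacy.example.com", "Type": "IMPORTED", "Status": "ISSUED",
     "InUse": true, "RenewalEligibility": "INELIGIBLE",
     "NotAfter": "2026-07-01T00:00:00+00:00"}
  ],
  "eu-west-1": [
    {"CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/cccc-3333",
     "DomainName": "api.example.com", "Type": "AMAZON_ISSUED", "Status": "ISSUED",
     "InUse": false, "RenewalEligibility": "INELIGIBLE",
     "NotAfter": "2026-06-10T00:00:00+00:00"}
  ]
}""")


def audit_certificates(inventory: dict, now_iso: str, warn_days: int = 30) -> list:
    """Return findings sorted by days left; each finding lists why it needs attention.

    inventory: {region: [certificate summary, ...]}
    now_iso:   reference time as an ISO 8601 string with offset, e.g. from the CLI.
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for region, certs in inventory.items():
        for cert in certs:
            if cert.get("Status") != "ISSUED":
                continue  # pending or failed requests have no validity period to track
            days_left = (datetime.fromisoformat(cert["NotAfter"]) - now).days
            reasons = []
            if cert.get("Type") == "IMPORTED":
                # ACM does not renew imported certificates; the replacement is on you.
                reasons.append("imported: no managed renewal, replace before expiry")
            if days_left <= warn_days:
                reasons.append(f"expires in {days_left} days")
            if cert.get("Type") == "AMAZON_ISSUED" and not cert.get("InUse", False):
                # Managed renewal depends on the certificate being associated with a service.
                reasons.append("not in use: managed renewal needs an ACM-integrated service")
            if reasons:
                findings.append({
                    "region": region,
                    "arn": cert["CertificateArn"],
                    "domain": cert["DomainName"],
                    "days_left": days_left,
                    "reasons": reasons,
                })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for finding in audit_certificates(SAMPLE_INVENTORY, "2026-05-25T00:00:00+00:00"):
        print(f"[{finding['region']}] {finding['domain']} ({finding['days_left']}d): "
              + "; ".join(finding["reasons"]))
```

In practice the inventory is built by running `aws acm list-certificates --region <region>` for each region in use; the region key is what makes the regional scoping visible, since the same domain name can legitimately appear under several regions with independent expiry dates.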

Common Use Cases

  • Securing Web Traffic with a Load Balancer: Terminate HTTPS traffic at an Application Load Balancer (ALB) or Network Load Balancer (NLB) to secure communication between clients and your application servers running on EC2 or containers.
  • Enabling HTTPS for a CDN: Associate an ACM certificate with an Amazon CloudFront distribution to serve content securely over HTTPS with low latency to a global audience.
  • Securing Custom Domains for API Gateway: Use an ACM certificate to secure a custom domain name for your RESTful APIs managed by Amazon API Gateway, providing a branded and trusted endpoint for your users.
  • Encrypting Traffic for Elastic Beanstalk Applications: Easily configure SSL/TLS for web applications deployed with AWS Elastic Beanstalk by attaching an ACM certificate to the environment's load balancer.
  • Issuing Private Certificates for Internal Services: Use ACM Private CA to create and manage a private Public Key Infrastructure (PKI) for authenticating internal microservices, IoT devices, or users within a corporate network.

Pricing Model

  • Public Certificates (Non-Exportable): Public SSL/TLS certificates that you provision through ACM for use with integrated services like ELB, CloudFront, and API Gateway are free. You only pay for the AWS resources you use to run your application.
  • Public Certificates (Exportable): If you issue a public certificate and enable it for export, you incur a charge upon issuance and again upon renewal. As of early 2026, pricing is $7 per standard FQDN and $79 per wildcard name.
  • AWS Private Certificate Authority (Private CA): This is a paid service. Pricing includes a monthly fee for the operation of each private CA and a tiered, per-certificate fee for each private certificate you issue. For example, a general-purpose private CA costs $400 per month.

Pros and Cons

Pros:

  • Cost-Effective: Free public certificates for use with integrated AWS services are a significant advantage.
  • Simplified Management: Automates the entire lifecycle of certificate management, including provisioning, validation, and renewal, reducing operational overhead.
  • Enhanced Security: Private keys are managed by AWS in a secure manner and cannot be exported for standard certificates, adhering to the principle of least privilege.
  • Seamless Integration: Deep integration with key AWS services like ELB, CloudFront, and API Gateway makes deployment incredibly simple.

Cons:

  • No Private Key Export (for free certs): The inability to export the private key for free public certificates means they can only be used with supported AWS services, creating a form of vendor lock-in.
  • Regional Scoping: Certificates are bound to the AWS region in which they are created (except for CloudFront use), which can add management complexity for multi-region architectures.
  • Limited to Integrated Services: The primary benefits of automation and ease of use apply only to the specific list of integrated AWS services. Using certificates on EC2 instances directly requires using the paid exportable certificate feature.

Comparison with Alternatives

ACM vs. Let's Encrypt:

  • Integration: ACM's main advantage is its native, one-click integration with AWS services. Let's Encrypt requires more complex, often manual or script-based, setup to integrate with services like ELB or CloudFront.
  • Renewal: ACM's renewal process is fully managed and automated by AWS. Let's Encrypt also supports automated renewals, but you are responsible for setting up and maintaining the automation (e.g., using certbot on a server).
  • Validity Period: Let's Encrypt certificates have a 90-day validity period, while ACM's are currently 198 days.
  • Use Case: For resources fully within the AWS ecosystem (like ALBs and CloudFront), ACM is almost always the simpler choice. For individual servers (EC2 or on-premises) or non-AWS resources, Let's Encrypt is a very popular and powerful free alternative.

ACM vs. Traditional Certificate Authorities (e.g., DigiCert, Sectigo):

  • Process: Traditional CAs involve a manual process of generating a Certificate Signing Request (CSR), purchasing a certificate, and manually installing it. ACM automates this entire workflow.
  • Cost: Public certificates from ACM are free for integrated services, whereas traditional CAs charge a fee per certificate.
  • Validation Types: Traditional CAs may offer more advanced validation types like Extended Validation (EV) certificates, which provide a higher level of identity assurance and are not available through ACM.

Exam Relevance

AWS Certificate Manager is a key topic on several AWS certification exams, particularly those focused on architecture, security, and networking.

  • AWS Certified Solutions Architect - Associate (SAA-C03): Expect questions about using ACM to secure Application Load Balancers and CloudFront distributions. The "CloudFront Rule"—that the certificate must be in the us-east-1 region—is a critical and frequently tested concept.
  • AWS Certified Security - Specialty (SCS-C02): Questions will delve deeper into the security aspects, including the benefits of managed renewals, the role of ACM Private CA in a PKI, and IAM policies for controlling access to certificates.
  • AWS Certified Advanced Networking - Specialty (ANS-C01): Focus will be on TLS termination scenarios, integration with ELB and CloudFront, and securing multi-region applications.

Examinees should know the difference between public, private, and imported certificates; the validation methods (especially DNS vs. Email); and which services integrate with ACM.

Frequently Asked Questions

Q: Can I use an ACM certificate on my EC2 instance?

A: You cannot directly install a standard, free public ACM certificate on an EC2 instance because you cannot export its private key. To do this, you must request a paid "exportable" public certificate, which allows you to download the certificate, private key, and chain for manual installation on any server.

Q: Why do I have to request my CloudFront certificate in the US East (N. Virginia) region?

A: Amazon CloudFront is a global service, with edge locations distributed worldwide. To ensure the certificate can be deployed globally alongside your distribution, CloudFront requires a single, central point for certificate management, which AWS has designated as the us-east-1 region.

Q: What is the difference between AWS Certificate Manager (ACM) and AWS Private Certificate Authority (Private CA)?

A: ACM is the service that manages the lifecycle of both public and private certificates. AWS Private CA is a component service that allows you to create your own private certificate authority. You use ACM to request public certificates from Amazon's CA or to request private certificates from a Private CA that you have created. Essentially, Private CA is the engine for creating private certificates, and ACM is the dashboard for managing them.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/25/2026 / Updated: 5/25/2026

