1. What is ACM?
ACM provisions, manages, and deploys SSL/TLS certificates for AWS services. Public certificates are FREE with automatic renewal.
Core Concept
Request a certificate, validate domain ownership (DNS validation recommended), then deploy it to an ALB, CloudFront distribution, or API Gateway. ACM handles auto-renewal. You never handle private key files.
2. Certificate Types
3. Validation Methods
- DNS Validation (recommended): Add the CNAME record ACM gives you to your DNS zone. Auto-renewal supported as long as the record stays in place. If the zone is in Route 53, ACM can add the record for you.
- Email Validation: Click the approval link in the email sent to the domain contacts. Renewal requires manual approval. Less recommended.
4. ACM Integrations
Important Warning
ACM certificates CANNOT be used directly on EC2. ACM does not export the private key for public certs. For EC2: use third-party certificate or ACM Private CA with export.
5. Key Facts
- Auto-renew if DNS-validated. Supports wildcard (*.example.com) and SAN.
- Regional service. Cannot export public cert private key.
- Private CA certs CAN be exported (for EC2, on-premises, IoT).
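Added example, not AWS code: the request/validate/deploy flow from section 1, the DNS validation records from section 3, and the EC2 and CloudFront caveats above, applied to a constructed `aws acm describe-certificate` response. The ARN, domain and CNAME values are placeholders, and the function names are my own.

```python
# Added example (not AWS code): read a DescribeCertificate response, build the
# Route 53 change batch for DNS validation, and flag the deployment pitfalls.
# Constructed sample; ARN, domain and CNAME values are placeholders.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
        "DomainName": "example.com",
        "Type": "AMAZON_ISSUED",  # public cert; PRIVATE would be ACM Private CA
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_xyz789.acm-validations.aws."}},
            # The wildcard SAN shares the apex domain's validation record.
            {"DomainName": "*.example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                "Value": "_xyz789.acm-validations.aws."}},
        ],
    }
}

def route53_change_batch(describe):
    """UPSERT change batch for the validation CNAMEs, deduplicated."""
    seen, changes = set(), []
    for opt in describe["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or rr is None:
            continue  # email validation has no DNS record to add
        if (rr["Name"], rr["Value"]) in seen:
            continue
        seen.add((rr["Name"], rr["Value"]))
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}

def deployment_warnings(describe, target):
    """Apply the key facts: CloudFront needs us-east-1, email validation
    means manual renewal, EC2 cannot use an ACM public cert (no key export)."""
    cert = describe["Certificate"]
    region = cert["CertificateArn"].split(":")[3]
    methods = {o.get("ValidationMethod") for o in cert["DomainValidationOptions"]}
    warnings = []
    if target == "cloudfront" and region != "us-east-1":
        warnings.append("CloudFront needs the certificate in us-east-1, not " + region)
    if "EMAIL" in methods:
        warnings.append("email-validated: renewal is manual, not automatic")
    if target == "ec2" and cert["Type"] != "PRIVATE":
        warnings.append("ACM public cert private key cannot be exported to EC2")
    return warnings
```

Feed the change batch to `aws route53 change-resource-record-sets` (or let ACM add it for Route 53 zones) and keep the record after issuance so renewals keep succeeding.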
Exam Tip
ACM: "Free SSL" = ACM public. "CloudFront cert" = us-east-1. "Auto-renew" = DNS validation. "SSL on EC2" = NOT ACM. "Internal cert" = ACM Private CA ($400/mo). Wildcard supported.