AWS Security ChangesHomeSearch

AWS acm medium security documentation change

Service: acm · 2025-05-01 · Security-related medium

File: acm/latest/userguide/acm-bestpractices.md

Summary

Added important note about CloudFront wildcard certificate validation requirements, specifying HTTP validation isn't supported and recommending DNS validation

Security assessment

The change addresses secure certificate validation practices by warning against insecure/misconfigured validation methods (HTTP) for CloudFront wildcard certificates. It enforces proper domain validation (DNS/email) which is critical for certificate trust and prevents potential misissuance risks. While not fixing an active exploit, it mitigates configuration-related security risks.

Diff

diff --git a/acm/latest/userguide/acm-bestpractices.md b/acm/latest/userguide/acm-bestpractices.md
index 847b9c996..65013ac75 100644
--- a//acm/latest/userguide/acm-bestpractices.md
+++ b//acm/latest/userguide/acm-bestpractices.md
@@ -58 +58,7 @@ With AWS CloudFormation you can create a template that describes the AWS resourc
-If you use AWS CloudFormation to quickly create and delete multiple test environments, we recommend that you do not create a separate ACM certificate for each environment. Doing so will quickly exhaust your certificate quota. For more information, see [Quotas](./acm-limits.html). Instead, create a wildcard certificate that covers all of the domain names that you are using for testing. For example, if you repeatedly create ACM certificates for domain names that vary by only a version number, such as `<version>``.service.example.com`, create instead a single wildcard certificate for `<*>``.service.example.com`. Include the wildcard certificate in the template that AWS CloudFormation uses to create your test environment. 
+If you use AWS CloudFormation to quickly create and delete multiple test environments, we recommend that you do not create a separate ACM certificate for each environment. Doing so will quickly exhaust your certificate quota. For more information, see [Quotas](./acm-limits.html). Instead, create a wildcard certificate that covers all of the domain names that you are using for testing. For example, if you repeatedly create ACM certificates for domain names that vary by only a version number, such as `<version>``.service.example.com`, create instead a single wildcard certificate for `<*>``.service.example.com`.
+
+###### Important
+
+If you're using Amazon CloudFront distributions, note that HTTP validation doesn't support wildcard certificates. When including wildcard certificates in your AWS CloudFormation templates for use with Amazon CloudFront, you must use either DNS validation or email validation. We recommend DNS validation for automated renewal capabilities.
+
+Include the wildcard certificate in the template that AWS CloudFormation uses to create your test environment.