AWS Security ChangesHomeSearch

AWS acm medium security documentation change

Service: acm · 2025-05-01 · Security-related medium

File: acm/latest/userguide/email-validation.md

Summary

Updated WHOIS validation deprecation timeline and removed future dates

Security assessment

Removes reliance on WHOIS contact addresses for validation, which reduces attack surface by eliminating a potentially insecure validation method. Explicitly states security improvement through deprecation of WHOIS-based validation.

Diff

diff --git a/acm/latest/userguide/email-validation.md b/acm/latest/userguide/email-validation.md
index ff99572cd..054cd806f 100644
--- a//acm/latest/userguide/email-validation.md
+++ b//acm/latest/userguide/email-validation.md
@@ -40 +40 @@ If you request an ACM certificate for a domain name that begins with `www` or a
-Starting June 2024, ACM no longer supports new email validation through WHOIS contact addresses. For existing certificates, starting October 2024, ACM won't send renewal notices to the domain's WHOIS contact addresses. ACM will continue to send validation emails to the five common system addresses for the requested domain. For more details, see [AWS Certificate Manager will discontinue WHOIS lookup for email-validated certificates](https://aws.amazon.com/blogs/security/aws-certificate-manager-will-discontinue-whois-lookup-for-email-validated-certificates/)
+ACM no longer supports WHOIS email validation for new certificates or renewals. Common system addresses remain supported. For details, see [blog post](https://aws.amazon.com/blogs/security/aws-certificate-manager-will-discontinue-whois-lookup-for-email-validated-certificates/).
@@ -61 +61 @@ ACM certificates are valid for 13 months (395 days). Renewing a certificate requ
-Each validation email contains a token that you can use to approve a certificate request. However, because the validation email required for the approval process can be blocked by spam filters or lost in transit, the token automatically expires after 72 hours. If you do not receive the original email or the token has expired, you can request that the email be resent. For information about how to resend a validation email, see [Resend validation email](./renew-publicly-trusted.html#request-domain-validation-email-for-renewal)
+Each validation email contains a token that you can use to approve a certificate request. However, because the validation email required for the approval process can be blocked by spam filters or lost in transit, the token automatically expires after 72 hours. If you do not receive the original email or the token has expired, you can request that the email be resent. For information about how to resend a validation email, see [Resend validation email](./email-renewal-validation.html#request-domain-validation-email-for-renewal)