AWS Security ChangesHomeSearch

AWS acm medium security documentation change

Service: acm · 2025-05-01 · Security-related medium

File: acm/latest/userguide/setup.md

Summary

Clarified wildcard certificate validation requirements and added warnings about HTTP validation limitations

Security assessment

Added explicit warnings that HTTP validation doesn't support wildcard certificates, preventing potential misconfigurations. This addresses security implications of using improper validation methods for wildcard certs, which could lead to certificate issuance vulnerabilities.

Diff

diff --git a/acm/latest/userguide/setup.md b/acm/latest/userguide/setup.md
index bcb6a4a46..04802c3e4 100644
--- a//acm/latest/userguide/setup.md
+++ b//acm/latest/userguide/setup.md
@@ -97 +97 @@ For instructions, see [ Add groups](https://docs.aws.amazon.com/singlesignon/lat
-A fully qualified domain name (FQDN) is the unique name of an organization or individual on the Internet followed by a top-level domain extension such as .com or .org. If you do not already have a registered domain name, you can register one through Amazon Route 53 or dozens of other commercial registrars. Typically you go to the registrar's website and request a domain name. Domain name egistration usually lasts for a set period of time such as one or two years before it must be renewed.
+A fully qualified domain name (FQDN) is the unique name of an organization or individual on the Internet followed by a top-level domain extension such as `.com `or `.org`. If you do not already have a registered domain name, you can register one through Amazon Route 53 or dozens of other commercial registrars. Typically you go to the registrar's website and request a domain name. Domain name registration usually lasts for a set period of time such as one or two years before it must be renewed.
@@ -127 +127 @@ Indicates that the ACM CA that you specify in the **value** field is authorized
-Indicates that the ACM CA that you specified in the **value** field is authorized to issue a wildcard certificate for your domain or subdomain. A wildcard certificate applies to the domain or subdomain and all of its subdomains. 
+Indicates that the ACM CA that you specified in the **value** field is authorized to issue a wildcard certificate for your domain or subdomain. A wildcard certificate applies to the domain or subdomain and all of its subdomains. Note that if you plan to use HTTP validation, this setting won't apply because HTTP validation doesn't support wildcard certificates. Use DNS or email validation instead for wildcard certificates.
@@ -162,0 +163,4 @@ In the following examples, your domain name comes first followed by the record t
+###### Important
+
+If you plan to use HTTP validation with CloudFront, you don't need to configure **issuewild** records because HTTP validation doesn't support wildcard certificates. For wildcard certificates, use DNS or email validation instead.
+