AWS acm high security documentation change
Summary
Updated CloudTrail logging details to hide sensitive data, added RevokeCertificate documentation, and enhanced TLS/security context
Security assessment
The diff explicitly redacts sensitive passphrase/private key data in logs (marked as 'HIDDEN_DUE_TO_SECURITY_REASONS'), preventing credential exposure. It also documents certificate revocation capabilities and adds TLS 1.3 security context - all concrete security improvements.
Diff
diff --git a/acm/latest/userguide/acm-supported-actions-in-cloudtrail.md b/acm/latest/userguide/acm-supported-actions-in-cloudtrail.md index 825483c17..78b5477ec 100644 --- a//acm/latest/userguide/acm-supported-actions-in-cloudtrail.md +++ b//acm/latest/userguide/acm-supported-actions-in-cloudtrail.md @@ -5 +5 @@ -Add tagsDeleting a certificate (DeleteCertificate)Describing a certificate (DescribeCertificate)Exporting a certificate (ExportCertificate)Import a certificate (ImportCertificate)Listing certificates (ListCertificates)List tagsRemoving TagsRequesting a certificate (RequestCertificate)Resend emailRetrieving a certificate (GetCertificate) +Add tagsDeleting a certificate (DeleteCertificate)Describing a certificate (DescribeCertificate)Exporting a certificate (ExportCertificate)Import a certificate (ImportCertificate)Listing certificates (ListCertificates)List tagsRemoving TagsRequesting a certificate (RequestCertificate)Revoke a certificate (RevokeCertificate)Resend emailRetrieving a certificate (GetCertificate) @@ -203,24 +203,2 @@ The following CloudTrail example shows the results of a call to the [ExportCerti - "passphrase":{ - "hb":[ - 42, - 42, - 42, - 42, - 42, - 42, - 42, - 42, - 42, - 42 - ], - "offset":0, - "isReadOnly":false, - "bigEndian":true, - "nativeByteOrder":false, - "mark":-1, - "position":0, - "limit":10, - "capacity":10, - "address":0 - }, - "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210" + "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012", + "passphrase": "HIDDEN_DUE_TO_SECURITY_REASONS" @@ -240 +218,2 @@ The following CloudTrail example shows the results of a call to the [ExportCerti - -----END CERTIFICATE-----" + -----END CERTIFICATE-----", + "privateKey": "HIDDEN_DUE_TO_SECURITY_REASONS" @@ -243,0 +223 @@ The following CloudTrail example shows the results of a call to the [ExportCerti + "readOnly": false, @@ -244,0 +225,9 @@ The following CloudTrail example shows the results of a call to the [ExportCerti + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com" + }, + "sessionCredentialFromConsole": "true" @@ -246,3 +235 @@ The following CloudTrail example shows the results of a call to the [ExportCerti - } - ] - } + @@ -479,6 +465,0 @@ The following CloudTrail example shows the results of a call to the [RequestCert - "subjectAlternativeNames":[ - "example.net" - ], - "domainName":"example.com", - "domainValidationOptions":[ - { @@ -486 +467,4 @@ The following CloudTrail example shows the results of a call to the [RequestCert - "validationDomain":"example.com" + "validationMethod": "DNS", + "idempotencyToken":"8186023d89681c3ad5", + "options": { + "export": "ENABLED" @@ -488,6 +472 @@ The following CloudTrail example shows the results of a call to the [RequestCert - { - "domainName":"example.net", - "validationDomain":"example.net" - } - ], - "idempotencyToken":"8186023d89681c3ad5" + "keyAlgorithm": "RSA_2048" @@ -500,0 +480,5 @@ The following CloudTrail example shows the results of a call to the [RequestCert + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com" + }, @@ -505,0 +490,55 @@ The following CloudTrail example shows the results of a call to the [RequestCert +## Revoke a certificate ([RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html)) + +The following CloudTrail example shows the results of a call to the [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) API. + + + { + "eventVersion": "1.11", + "userIdentity": { + "type": "AssumedRole", + "principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name", + "arn": arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name", + "accountId": "123456789012", + "accessKeyId": "AKIAIOSFODNN7EXAMPLE", + "sessionContext": { + "sessionIssuer": { + "type": "Role", + "principalId": "AIDACKCEVSQ6C2EXAMPLE", + "arn": "arn:aws:iam::123456789012:role/Admin", + "accountId": "123456789012", + "userName": "Admin" + }, + "attributes": { + "creationDate": "2016-01-01T19:35:52Z", + "mfaAuthenticated": "false" + } + } + }, + "eventTime":"2016-01-01T21:11:45Z", + "eventSource": "acm.amazonaws.com", + "eventName": "RevokeCertificate", + "awsRegion": "us-east-1", + "sourceIPAddress": "192.0.2.0", + "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0", + "requestParameters": { + "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012", + "revocationReason": "UNSPECIFIED" + }, + "responseElements": { + "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" + }, + "requestID": "01234567-89ab-cdef-0123-456789abcdef", + "eventID": "01234567-89ab-cdef-0123-456789abcdef", + "readOnly": false, + "eventType": "AwsApiCall", + "managementEvent": true, + "recipientAccountId": "123456789012", + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com" + }, + "sessionCredentialFromConsole": "true" + } +