AWS Security ChangesHomeSearch

AWS acm high security documentation change

Service: acm · 2025-06-19 · Security-related high

File: acm/latest/userguide/acm-supported-actions-in-cloudtrail.md

Summary

Updated CloudTrail logging details to hide sensitive data, added RevokeCertificate documentation, and enhanced TLS/security context

Security assessment

The diff explicitly redacts sensitive passphrase/private key data in logs (marked as 'HIDDEN_DUE_TO_SECURITY_REASONS'), preventing credential exposure. It also documents certificate revocation capabilities and adds TLS 1.3 security context - all concrete security improvements.

Diff

diff --git a/acm/latest/userguide/acm-supported-actions-in-cloudtrail.md b/acm/latest/userguide/acm-supported-actions-in-cloudtrail.md
index 825483c17..78b5477ec 100644
--- a//acm/latest/userguide/acm-supported-actions-in-cloudtrail.md
+++ b//acm/latest/userguide/acm-supported-actions-in-cloudtrail.md
@@ -5 +5 @@
-Add tagsDeleting a certificate (DeleteCertificate)Describing a certificate (DescribeCertificate)Exporting a certificate (ExportCertificate)Import a certificate (ImportCertificate)Listing certificates (ListCertificates)List tagsRemoving TagsRequesting a certificate (RequestCertificate)Resend emailRetrieving a certificate (GetCertificate)
+Add tagsDeleting a certificate (DeleteCertificate)Describing a certificate (DescribeCertificate)Exporting a certificate (ExportCertificate)Import a certificate (ImportCertificate)Listing certificates (ListCertificates)List tagsRemoving TagsRequesting a certificate (RequestCertificate)Revoke a certificate (RevokeCertificate)Resend emailRetrieving a certificate (GetCertificate)
@@ -203,24 +203,2 @@ The following CloudTrail example shows the results of a call to the [ExportCerti
-                   "passphrase":{
-                      "hb":[
-                         42,
-                         42,
-                         42,
-                         42,
-                         42,
-                         42,
-                         42,
-                         42,
-                         42,
-                         42
-                      ],
-                      "offset":0,
-                      "isReadOnly":false,
-                      "bigEndian":true,
-                      "nativeByteOrder":false,
-                      "mark":-1,
-                      "position":0,
-                      "limit":10,
-                      "capacity":10,
-                      "address":0
-                   },
-                   "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
+                  "certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
+                   "passphrase": "HIDDEN_DUE_TO_SECURITY_REASONS"
@@ -240 +218,2 @@ The following CloudTrail example shows the results of a call to the [ExportCerti
-                    -----END CERTIFICATE-----"
+                    -----END CERTIFICATE-----",
+                    "privateKey": "HIDDEN_DUE_TO_SECURITY_REASONS"
@@ -243,0 +223 @@ The following CloudTrail example shows the results of a call to the [ExportCerti
+                "readOnly": false,
@@ -244,0 +225,9 @@ The following CloudTrail example shows the results of a call to the [ExportCerti
+                    "managementEvent": true,
+                    "recipientAccountId": "123456789012",
+                    "eventCategory": "Management",
+                    "tlsDetails": {
+                         "tlsVersion": "TLSv1.3",
+                         "cipherSuite": "TLS_AES_128_GCM_SHA256",
+                         "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
+                     },
+                     "sessionCredentialFromConsole": "true"
@@ -246,3 +235 @@ The following CloudTrail example shows the results of a call to the [ExportCerti
-          }
-       ]
-    }
+                    
@@ -479,6 +465,0 @@ The following CloudTrail example shows the results of a call to the [RequestCert
-                "subjectAlternativeNames":[
-                   "example.net"
-                ],
-                "domainName":"example.com",
-                "domainValidationOptions":[
-                   {
@@ -486 +467,4 @@ The following CloudTrail example shows the results of a call to the [RequestCert
-                      "validationDomain":"example.com"
+                "validationMethod": "DNS",
+                "idempotencyToken":"8186023d89681c3ad5",
+                "options": {
+                "export": "ENABLED"
@@ -488,6 +472 @@ The following CloudTrail example shows the results of a call to the [RequestCert
-                   {
-                      "domainName":"example.net",
-                      "validationDomain":"example.net"
-                   }
-                ],
-                "idempotencyToken":"8186023d89681c3ad5"
+            "keyAlgorithm": "RSA_2048"
@@ -500,0 +480,5 @@ The following CloudTrail example shows the results of a call to the [RequestCert
+             "tlsDetails": {
+               "tlsVersion": "TLSv1.3",
+               "cipherSuite": "TLS_AES_128_GCM_SHA256",
+               "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
+              },
@@ -505,0 +490,55 @@ The following CloudTrail example shows the results of a call to the [RequestCert
+## Revoke a certificate ([RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html))
+
+The following CloudTrail example shows the results of a call to the [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) API. 
+    
+    
+    {
+        "eventVersion": "1.11",
+        "userIdentity": {
+            "type": "AssumedRole",
+            "principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name",
+            "arn": arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
+            "accountId": "123456789012",
+            "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
+            "sessionContext": {
+                "sessionIssuer": {
+                    "type": "Role",
+                    "principalId": "AIDACKCEVSQ6C2EXAMPLE",
+                    "arn": "arn:aws:iam::123456789012:role/Admin",
+                    "accountId": "123456789012",
+                    "userName": "Admin"
+                },
+                "attributes": {
+                    "creationDate": "2016-01-01T19:35:52Z",
+                    "mfaAuthenticated": "false"
+                }
+            }
+        },
+        "eventTime":"2016-01-01T21:11:45Z",
+        "eventSource": "acm.amazonaws.com",
+        "eventName": "RevokeCertificate",
+        "awsRegion": "us-east-1",
+        "sourceIPAddress": "192.0.2.0",
+        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
+        "requestParameters": {
+            "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
+            "revocationReason": "UNSPECIFIED"
+        },
+        "responseElements": {
+            "certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+        },
+        "requestID": "01234567-89ab-cdef-0123-456789abcdef",
+        "eventID": "01234567-89ab-cdef-0123-456789abcdef",
+        "readOnly": false,
+        "eventType": "AwsApiCall",
+        "managementEvent": true,
+        "recipientAccountId": "123456789012",
+        "eventCategory": "Management",
+        "tlsDetails": {
+            "tlsVersion": "TLSv1.3",
+            "cipherSuite": "TLS_AES_128_GCM_SHA256",
+            "clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
+        },
+        "sessionCredentialFromConsole": "true"
+    }
+