AWS acm documentation change
Summary
Added 'Custom Trust Stores' section recommending inclusion of Amazon root CAs for certificate compatibility
Security assessment
The change adds guidance about trust store configuration to ensure proper certificate validation, which is a security best practice but doesn't address a specific vulnerability
Diff
diff --git a/acm/latest/userguide/acm-bestpractices.md b/acm/latest/userguide/acm-bestpractices.md index 65013ac75..3efd04753 100644 --- a//acm/latest/userguide/acm-bestpractices.md +++ b//acm/latest/userguide/acm-bestpractices.md @@ -5 +5 @@ -Account-level separationAWS CloudFormationCertificate pinningDomain validationAdding or deleting domain namesOpting out of certificate transparency loggingTurn on AWS CloudTrail +Account-level separationAWS CloudFormationCustom Trust StoresCertificate pinningDomain validationAdding or deleting domain namesOpting out of certificate transparency loggingTurn on AWS CloudTrail @@ -16,0 +17,2 @@ Best practices are recommendations that can help you use AWS Certificate Manager + * Custom Trust Stores + @@ -65,0 +68,4 @@ Include the wildcard certificate in the template that AWS CloudFormation uses to +## Custom Trust Stores + +In order to ensure connectivity to endpoints protected by ACM certificates, we recommend the [Amazon roots](https://www.amazontrust.com/repository/) be included in your custom trust store. Amazon Root certificate authorities can represent different key types and algorithms. Starfield Services Root Certificate Authority - G2 is an older root that is compatible with other older trust stores and clients that can not be updated. By including all root CAs, you'll be able to ensure maximum compatibility for your application. +