AWS Security ChangesHomeSearch

AWS acm documentation change

Service: acm · 2025-06-28 · Documentation low

File: acm/latest/userguide/acm-bestpractices.md

Summary

Added 'Custom Trust Stores' section recommending inclusion of Amazon root CAs for certificate compatibility

Security assessment

The change adds guidance about trust store configuration to ensure proper certificate validation, which is a security best practice but doesn't address a specific vulnerability

Diff

diff --git a/acm/latest/userguide/acm-bestpractices.md b/acm/latest/userguide/acm-bestpractices.md
index 65013ac75..3efd04753 100644
--- a//acm/latest/userguide/acm-bestpractices.md
+++ b//acm/latest/userguide/acm-bestpractices.md
@@ -5 +5 @@
-Account-level separationAWS CloudFormationCertificate pinningDomain validationAdding or deleting domain namesOpting out of certificate transparency loggingTurn on AWS CloudTrail
+Account-level separationAWS CloudFormationCustom Trust StoresCertificate pinningDomain validationAdding or deleting domain namesOpting out of certificate transparency loggingTurn on AWS CloudTrail
@@ -16,0 +17,2 @@ Best practices are recommendations that can help you use AWS Certificate Manager
+  * Custom Trust Stores
+
@@ -65,0 +68,4 @@ Include the wildcard certificate in the template that AWS CloudFormation uses to
+## Custom Trust Stores
+
+In order to ensure connectivity to endpoints protected by ACM certificates, we recommend the [Amazon roots](https://www.amazontrust.com/repository/) be included in your custom trust store. Amazon Root certificate authorities can represent different key types and algorithms. Starfield Services Root Certificate Authority - G2 is an older root that is compatible with other older trust stores and clients that can not be updated. By including all root CAs, you'll be able to ensure maximum compatibility for your application.
+