AWS Security ChangesHomeSearch

AWS quick high security documentation change

Service: quick · 2026-03-04 · Security-related high

File: quick/latest/userguide/configure-access.md

Summary

Replaced static list of accepted certificate authorities with recommendation to use AWS Certificate Manager (ACM) or Mozilla Included CA Certificate List

Security assessment

The change emphasizes using trusted CAs aligned with Mozilla's standards and AWS-managed certificates, which improves security by ensuring up-to-date trusted certificate authorities. This helps prevent man-in-the-middle attacks from outdated/untrusted CAs.

Diff

diff --git a/quick/latest/userguide/configure-access.md b/quick/latest/userguide/configure-access.md
index 8020899bf..bcc2ff315 100644
--- a//quick/latest/userguide/configure-access.md
+++ b//quick/latest/userguide/configure-access.md
@@ -115,83 +115 @@ If your database is on a server other than AWS, you must change that server's fi
-Following is a list of accepted public certificate authorities. If you are using a database instance other than AWS, your certificate must be on this list, or it won't work.
-
-  * AAA Certificate Services 
-  * AddTrust Class 1 CA Root 
-  * AddTrust External CA Root 
-  * AddTrust Qualified CA Root 
-  * AffirmTrust Commercial 
-  * AffirmTrust Networking 
-  * AffirmTrust Premium 
-  * AffirmTrust Premium ECC 
-  * America Online Root Certification Authority 1 
-  * America Online Root Certification Authority 2 
-  * Baltimore CyberTrust Code Signing Root 
-  * Baltimore CyberTrust Root 
-  * Buypass Class 2 Root CA 
-  * Buypass Class 3 Root CA 
-  * Certum CA 
-  * Certum Trusted Network CA 
-  * Chambers of Commerce Root 
-  * Chambers of Commerce Root - 2008 
-  * Class 2 Primary CA 
-  * Class 3P Primary CA 
-  * Deutsche Telekom Root CA 2 
-  * DigiCert Assured ID Root CA 
-  * DigiCert Global Root CA 
-  * DigiCert High Assurance EV Root CA 
-  * Entrust.net Certification Authority (2048) 
-  * Entrust Root Certification Authority 
-  * Entrust Root Certification Authority - G2 
-  * Equifax Secure eBusiness CA-1 
-  * Equifax Secure Global eBusiness CA-1 
-  * GeoTrust Global CA 
-  * GeoTrust Primary Certification Authority 
-  * GeoTrust Primary Certification Authority - G2 
-  * GeoTrust Primary Certification Authority - G3 
-  * GeoTrust Universal CA 
-  * Global Chambersign Root - 2008 
-  * GlobalSign 
-  * GlobalSign Root CA 
-  * Go Daddy Root Certificate Authority - G2 
-  * GTE CyberTrust Global Root 
-  * KEYNECTIS ROOT CA 
-
-| 
-
-  * QuoVadis Root CA 2 
-  * QuoVadis Root CA 3 
-  * QuoVadis Root Certification Authority 
-  * SecureTrust CA 
-  * Sonera Class1 CA 
-  * Sonera Class2 CA 
-  * Starfield Root Certificate Authority - G2 
-  * Starfield Services Root Certificate Authority - G2 
-  * SwissSign Gold CA - G2 
-  * SwissSign Platinum CA - G2 
-  * SwissSign Silver CA - G2 
-  * TC TrustCenter Class 2 CA II 
-  * TC TrustCenter Class 4 CA II 
-  * TC TrustCenter Universal CA I 
-  * Thawte Personal Freemail CA 
-  * Thawte Premium Server CA 
-  * thawte Primary Root CA 
-  * thawte Primary Root CA - G2 
-  * thawte Primary Root CA - G3 
-  * Thawte Server CA 
-  * Thawte Timestamping CA 
-  * T-TeleSec GlobalRoot Class 2 
-  * T-TeleSec GlobalRoot Class 3 
-  * UTN - DATACorp SGC 
-  * UTN-USERFirst-Client Authentication and Email 
-  * UTN-USERFirst-Hardware 
-  * UTN-USERFirst-Object 
-  * Valicert 
-  * VeriSign Class 1 Public Primary Certification Authority - G3 
-  * VeriSign Class 2 Public Primary Certification Authority - G3 
-  * VeriSign Class 3 Public Primary Certification Authority - G3 
-  * VeriSign Class 3 Public Primary Certification Authority - G4 
-  * VeriSign Class 3 Public Primary Certification Authority - G5 
-  * VeriSign Universal Root Certification Authority 
-  * XRamp Global Certification Authority
-
-  
----|---  
+We recommend that you use a public certificate issued by [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/). Amazon Quick supports the same certificate authorities (CAs) as Mozilla, so if you don't use ACM, use a certificate issued by a CA on the [Mozilla Included CA Certificate List](https://wiki.mozilla.org/CA/Included_Certificates).