AWS Security ChangesHomeSearch

AWS acm documentation change

Service: acm · 2026-07-01 · Documentation medium

File: acm/latest/userguide/acm-conditions.md

Summary

Added new 'acm:CertificateKeyPairOrigin' condition key and usage example

Security assessment

The change documents a new IAM condition key for granular access control based on certificate origin (AWS/ACME/Customer), enabling better security policies but not fixing existing vulnerabilities.

Diff

diff --git a/acm/latest/userguide/acm-conditions.md b/acm/latest/userguide/acm-conditions.md
index f457412cc..8daeffe3b 100644
--- a//acm/latest/userguide/acm-conditions.md
+++ b//acm/latest/userguide/acm-conditions.md
@@ -7 +7 @@
-Supported conditions for ACMExample 1: Restricting validation methodExample 2: Preventing wildcard domainsExample 3: Restricting certificate domainsExample 4: Restricting key algorithmExample 5: Restricting certificate authority
+Supported conditions for ACMExample 1: Restricting validation methodExample 2: Preventing wildcard domainsExample 3: Restricting certificate domainsExample 4: Restricting key algorithmExample 5: Restricting certificate authorityExample 6: Restricting actions by certificate key pair origin
@@ -27,0 +28 @@ ACM API operations and supported conditions Condition Key | Supported ACM API Op
+`acm:CertificateKeyPairOrigin` |  [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html), [AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html), [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) |  String (`AWS_MANAGED`, `ACME`, `CUSTOMER_PROVIDED`) |  Filter requests based on the certificate's key pair origin. For `RequestCertificate`, the value is always `AWS_MANAGED`. When requesting certificates through an ACME client, the value is `ACME`. For `AddTagsToCertificate` and `RevokeCertificate`, the value is read from the existing certificate.  
@@ -243,0 +245,21 @@ JSON
+## Example 6: Restricting actions by certificate key pair origin
+
+The following policy allows tagging only on ACME certificates. This is useful when you want to restrict tagging operations to certificates issued through the ACME protocol.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "acm:AddTagsToCertificate",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "acm:CertificateKeyPairOrigin": "ACME"
+            }
+          }
+        }
+      ]
+    }
+