AWS Security ChangesHomeSearch

AWS acm documentation change

Service: acm · 2026-07-01 · Documentation low

File: acm/latest/userguide/acm-limits.md

Summary

Added ACME protocol quotas including certificate exclusions, domain limits per certificate, endpoint limits, and detailed request rate quotas for ACME operations

Security assessment

Documents new rate limits and quotas for ACME certificate operations which help prevent abuse/DoS attacks by restricting request volumes. No evidence of addressing a specific vulnerability.

Diff

diff --git a/acm/latest/userguide/acm-limits.md b/acm/latest/userguide/acm-limits.md
index be7e7b4d5..f341497e1 100644
--- a//acm/latest/userguide/acm-limits.md
+++ b//acm/latest/userguide/acm-limits.md
@@ -7 +7 @@
-General quotasAPI rate quotas
+General quotasAPI rate quotasACME protocol request rate quotas
@@ -24,2 +24,2 @@ Item | Default quota
-**Number of ACM certificates** Expired and revoked certificates continue to count toward this total.Certificates signed by a CA from AWS Private CA do not count toward this total. | 2500  
-**Number of ACM certificates per year (last 365 days)** You can request up to twice your quota of ACM certificates per year, region, and account. For example, if your quota is 2,500, you can request up to 5,000 ACM certificates per year in a given region and account. You can only have 2,500 certificates at any given time. To request 5,000 certificates in a year, you must delete 2,500 during the year to stay within the quota. If you need more than 2,500 certificates at any given time, you must contact the **[Support Center](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase&limitType=service-code-acm)**. Certificates signed by a CA from AWS Private CA do not count toward this total. | 5,000  
+**Number of ACM certificates** Expired and revoked certificates continue to count toward this total.Certificates signed by a CA from AWS Private CA do not count toward this total.Certificates issued through ACME do not count toward this total. | 2500  
+**Number of ACM certificates per year (last 365 days)** You can request up to twice your quota of ACM certificates per year, region, and account. For example, if your quota is 2,500, you can request up to 5,000 ACM certificates per year in a given region and account. You can only have 2,500 certificates at any given time. To request 5,000 certificates in a year, you must delete 2,500 during the year to stay within the quota. If you need more than 2,500 certificates at any given time, you must contact the **[Support Center](https://console.aws.amazon.com/support/home#/case/create?issueType=service-limit-increase&limitType=service-code-acm)**. Certificates signed by a CA from AWS Private CA do not count toward this total.Certificates issued through ACME do not count toward this total. | 5,000  
@@ -28,0 +29 @@ Item | Default quota
+**Number of domain names per ACME-issued certificate** Certificates issued through ACME can include up to 100 domain names. This quota is fixed and cannot be increased. | 100  
@@ -30,0 +32,3 @@ Item | Default quota
+**Number of ACME endpoints** The maximum number of ACME endpoints per AWS account per region. | 50  
+**Number of external account bindings per ACME endpoint** | 1,000  
+**Number of domain validations per ACME endpoint** | 1,500  
@@ -41,0 +46,2 @@ In addition to the API actions listed in the table below, ACM can also call the
+Per-operation request rate quotas for ACME certificate automation are tiered: read operations at 30 requests per second per account, write operations at 20 requests per second per account, and domain validation mutation operations (Create/Update/Delete AcmeDomainValidation) at 5 requests per second per account.
+
@@ -44,0 +51,6 @@ API call | Requests per second
+`CreateAcmeDomainValidation`| 5  
+`CreateAcmeEndpoint`| 20  
+`CreateAcmeExternalAccountBinding`| 20  
+`DeleteAcmeDomainValidation`| 5  
+`DeleteAcmeEndpoint`| 20  
+`DeleteAcmeExternalAccountBinding`| 20  
@@ -45,0 +58,4 @@ API call | Requests per second
+`DescribeAcmeAccount`| 30  
+`DescribeAcmeDomainValidation`| 30  
+`DescribeAcmeEndpoint`| 30  
+`DescribeAcmeExternalAccountBinding`| 30  
@@ -48,0 +65 @@ API call | Requests per second
+`GetAcmeExternalAccountBindingCredentials`| 30  
@@ -50,0 +68,4 @@ API call | Requests per second
+`ListAcmeAccounts`| 30  
+`ListAcmeDomainValidations`| 30  
+`ListAcmeEndpoints`| 30  
+`ListAcmeExternalAccountBindings`| 30  
@@ -52,0 +74 @@ API call | Requests per second
+`ListTagsForResource`| 5  
@@ -57,0 +80,2 @@ API call | Requests per second
+`RevokeAcmeAccount`| 20  
+`RevokeAcmeExternalAccountBinding`| 20  
@@ -58,0 +83,4 @@ API call | Requests per second
+`TagResource`| 5  
+`UntagResource`| 5  
+`UpdateAcmeDomainValidation`| 5  
+`UpdateAcmeEndpoint`| 20  
@@ -62,0 +91,21 @@ For more information, see [AWS Certificate Manager API Reference](https://docs.a
+## ACME protocol request rate quotas
+
+The following quotas apply to requests that ACME clients send to an ACME endpoint over the ACME protocol. These quotas are separate from the ACM API request rate quotas in the preceding section. Per-operation request rate quotas for the ACME protocol are tiered: read operations at 25 requests per second per account, write operations at 20 requests per second per account, and certificate operations (FinalizeOrder, RevokeCertificate) at 1 request per second per account. When a request exceeds the quota, the endpoint returns a rate limit error.
+
+**Requests-per-second quota for each ACME protocol operation**
+
+Operation | Requests per second  
+---|---  
+`ChangeAccountKey`| 20  
+`FinalizeOrder`| 1  
+`GetCertificate`| 25  
+`GetDirectory`| 25  
+`GetOrder`| 25  
+`ListOrders`| 25  
+`ManageAccount`| 20  
+`ManageAuthorization`| 25  
+`NewAccount`| 20  
+`NewNonce`| 25  
+`NewOrder`| 20  
+`RevokeCertificate`| 1  
+