AWS Security ChangesHomeSearch

AWS acm documentation change

Service: acm · 2026-07-01 · Documentation low

File: acm/latest/userguide/service-options.md

Summary

Restructured service comparison table and added ACME certificate automation option, clarifying certificate issuance methods and private key management approaches.

Security assessment

The changes enhance documentation about security features (private key management, certificate trust models, and renewal processes) but don't address any specific vulnerability. Added details about ACME client key retention and private CA limitations improve security awareness.

Diff

diff --git a/acm/latest/userguide/service-options.md b/acm/latest/userguide/service-options.md
index d2e118b4e..276bf1034 100644
--- a//acm/latest/userguide/service-options.md
+++ b//acm/latest/userguide/service-options.md
@@ -7 +7 @@
-# What is the right AWS certificate service for my needs?
+# Choosing how to issue certificates with AWS
@@ -9 +9 @@
-AWS offers two options to customers deploying managed X.509 certificates. Choose the best one for your needs.
+AWS offers several ways to issue and manage X.509 certificates. Choose the option that best fits your use case.
@@ -11 +11,8 @@ AWS offers two options to customers deploying managed X.509 certificates. Choose
-  1. **AWS Certificate Manager (ACM)** —This service is for enterprise customers who need a secure web presence using TLS. ACM certificates are deployed through Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, and other [integrated AWS services](./acm-services.html). The most common application of this kind is a secure public website with significant traffic requirements. ACM also simplifies security management by automating the renewal of expiring certificates. _You are in the right place for this service._
+| **ACM** | **ACM with ACME** | **AWS Private CA (direct issuance)**  
+---|---|---|---  
+**Best for** | Public or private certificates for AWS integrated services (Elastic Load Balancing, CloudFront, API Gateway) | Public certificates for customer-managed infrastructure (on-premises, Kubernetes, hybrid) | Private certificates where you supply the CSR and manage the private key yourself  
+**Certificate trust** | Public (Amazon Trust Services) or private (via AWS Private CA integration) | Public (Amazon Trust Services) | Private (your CA hierarchy)  
+**Private key management** | AWS generates and manages the private key (you can export it for use outside AWS) | Your ACME client generates and holds the private key | You generate and hold the private key  
+**Renewal** | ACM managed renewal (automatic) | Client-driven (your ACME client renews before expiry) | Manual (you call `IssueCertificate` again)  
+**Deployment** | Bound to AWS integrated services, or exported for use anywhere | Installed on your systems by the ACME client | You install the certificate on your systems  
+**Automation** | AWS SDK and CLI | Industry-standard ACME clients (Certbot, cert-manager, acme.sh) | AWS SDK and CLI  
@@ -13 +20 @@ AWS offers two options to customers deploying managed X.509 certificates. Choose
-  2. **AWS Private CA** —This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization. With AWS Private CA, you can create your own certificate authority (CA) hierarchy and issue certificates with it for authenticating users, computers, applications, services, servers, and other devices. Certificates issued by a private CA cannot be used on the internet. For more information, see the [AWS Private CA User Guide](https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html).
+**AWS Certificate Manager (ACM)**
@@ -15,0 +23 @@ AWS offers two options to customers deploying managed X.509 certificates. Choose
+Use ACM when you need certificates for AWS integrated services such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway, or when you want AWS to manage the certificate lifecycle including renewal. ACM generates and manages the private key and automates renewal. For workloads outside of AWS integrated services, ACM also supports exportable certificates that let you retrieve the private key and use the certificate on your own infrastructure. ACM can issue public certificates from Amazon Trust Services or private certificates when integrated with AWS Private CA.
@@ -16,0 +25,11 @@ AWS offers two options to customers deploying managed X.509 certificates. Choose
+**ACM with ACME certificate automation**
+    
+
+Use ACME when you need publicly trusted certificates for customer-managed infrastructure and want to automate the lifecycle using industry-standard ACME clients (Certbot, cert-manager, acme.sh) rather than AWS APIs. The private key is generated and held by your ACME client and never leaves your systems. Certificates issued through ACME appear in your ACM inventory for central visibility but cannot be bound to AWS integrated services. For more information, see [ACME certificate automation](./acm-acme.html).
+
+**AWS Private CA (direct issuance)**
+    
+
+Use AWS Private CA directly when you need private certificates and want full control over the private key. You create your own CA hierarchy, generate your own private key and CSR, and call `IssueCertificate`. Certificates issued by a private CA are not publicly trusted and cannot be used on the public internet. For more information, see the [AWS Private CA User Guide](https://docs.aws.amazon.com/privateca/latest/userguide/PcaWelcome.html).
+
+_Both ACM and ACME certificate automation are covered in this guide. You are in the right place._