AWS acm documentation change
Summary
Added notes clarifying that certificate-specific tagging APIs only apply to certificate resources, and provided alternative APIs for other ACM resource types with a warning about ValidationException when misused.
Security assessment
The change clarifies API usage boundaries but doesn't address vulnerabilities, weaknesses, or security incidents. It prevents user errors but lacks evidence of patching security flaws.
Diff
diff --git a/acm/latest/userguide/tags-manage.md b/acm/latest/userguide/tags-manage.md index a89e2f241..d7aa7a564 100644 --- a//acm/latest/userguide/tags-manage.md +++ b//acm/latest/userguide/tags-manage.md @@ -132,0 +133,17 @@ Refer to the following topics to learn how to add, list, and delete tags by usin +###### Note + +The certificate-specific tagging APIs above (`AddTagsToCertificate`, `ListTagsForCertificate`, `RemoveTagsFromCertificate`) apply only to `certificate` resource types. For all other ACM resource types (such as ACME endpoints, ACME external account bindings, and ACME domain validations), use the following APIs: + + * [TagResource](https://docs.aws.amazon.com/acm/latest/APIReference/API_TagResource.html) + + * [ListTagsForResource](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForResource.html) + + * [UntagResource](https://docs.aws.amazon.com/acm/latest/APIReference/API_UntagResource.html) + + + + +###### Note + +Calling `TagResource`, `UntagResource`, or `ListTagsForResource` with a `certificate`-typed ARN returns a `ValidationException`. Use the certificate-specific APIs for certificate resources. +