AWS Security ChangesHomeSearch

AWS acm documentation change

Service: acm · 2026-07-10 · Documentation low

File: acm/latest/userguide/troubleshooting-acme.md

Summary

Added troubleshooting section for ACME failures not appearing in Monitoring tab, clarified Monitoring tab limitations, and reduced certificate issuance timeout from 10 minutes to 2 minutes

Security assessment

The changes document troubleshooting steps and clarify monitoring limitations without addressing any security vulnerabilities. The timeout reduction appears to be a performance improvement rather than a security fix. No evidence of security vulnerability remediation exists in the changes.

Diff

diff --git a/acm/latest/userguide/troubleshooting-acme.md b/acm/latest/userguide/troubleshooting-acme.md
index 4aaa40724..11877e115 100644
--- a//acm/latest/userguide/troubleshooting-acme.md
+++ b//acm/latest/userguide/troubleshooting-acme.md
@@ -7 +7 @@
-Domain validation does not become validCertificate issuance or revocation fails with access deniedCertificate request is rejectedCertificate issuance fails with a DNS CNAME error after the domain validation was previously validAccount registration failsACME client times out waiting for certificate
+ACME failures not appearing in the console Monitoring tabDomain validation does not become validCertificate issuance or revocation fails with access deniedCertificate request is rejectedCertificate issuance fails with a DNS CNAME error after the domain validation was previously validAccount registration failsACME client times out waiting for certificate
@@ -14,0 +15,2 @@ This section describes common issues with ACME certificate automation and how to
+  * ACME failures not appearing in the console Monitoring tab
+
@@ -29,0 +32,15 @@ This section describes common issues with ACME certificate automation and how to
+## ACME failures not appearing in the console Monitoring tab
+
+The **Monitoring** tab on the ACME endpoint details page in the ACM console shows events for the final step of certificate issuance—when ACM creates the certificate (see [Monitoring ACME endpoints](./acm-acme-endpoints.html#acm-acme-endpoint-monitoring)). If your request failed before that step, it doesn't appear there.
+
+Some failures happen earlier in the process—for example, invalid credentials, an unvalidated domain, or a domain that the endpoint doesn't allow. Your ACME client receives these failures directly.
+
+To diagnose these failures, use one of the following options:
+
+  * **Check your ACME client logs** —Your ACME client logs the exact error the server returns. Consult your client's documentation for the location of its log files.
+
+  * **Enable CloudTrail data events** —To get a centralized view of all ACME activity in your AWS account for debugging or auditing, enable CloudTrail data event logging for ACM ACME endpoints. For more information about these events, see [Data events](./acm-supported-actions-in-cloudtrail.html#ct-data-events).
+
+
+
+
@@ -126 +143 @@ When an ACME client registers an account with an endpoint, check the following:
-Certificate issuance through the ACM ACME endpoint can take several minutes. If your ACME client times out before receiving the certificate, increase the client's issuance timeout to at least 600 seconds (10 minutes).
+Certificate issuance through the ACM ACME endpoint can take up to two minutes. If your ACME client times out before receiving the certificate, increase the client's issuance timeout to at least 120 seconds (2 minutes).
@@ -131 +148 @@ For Certbot, use the `--issuance-timeout` flag:
-    certbot certonly --issuance-timeout 600 ...
+    certbot certonly --issuance-timeout 120 ...