AWS ACM Complete Guide: Free SSL/TLS Certificate Issuance and Management
Learn how to issue free SSL/TLS certificates with AWS Certificate Manager and apply them to ALB and CloudFront. Essential concepts for SAA-C03 exam.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
AWS Certificate Manager (ACM) is a service that issues and auto-renews SSL/TLS certificates for free. ACM certificates integrate with ALB, CloudFront, and API Gateway, but cannot be installed directly on EC2.
Exam Tip
Exam Essential: ACM public certificates are free and auto-renewed. However, they cannot be installed directly on EC2 (except Nitro Enclaves). DNS validation is recommended over email validation (supports auto-renewal). For CloudFront, certificates must be issued in us-east-1 (N. Virginia).
| Aspect | ACM Public Certificate | Imported Certificate |
|---|---|---|
| Cost | Free | Free to import (the certificate itself is purchased separately) |
| Auto-Renewal | Yes (with DNS validation) | No (manual renewal) |
| EC2 Installation | Not possible | Not possible (same) |
| Supported Services | ALB, CloudFront, API Gateway, etc. | Same |
What is ACM?
Concept
AWS Certificate Manager (ACM) is a service that makes it easy to provision, manage, and deploy SSL/TLS certificates.
ACM Key Features:
├── Free public certificate issuance
├── Auto-renewal (with DNS validation)
├── One-click integration with AWS services
├── Import external certificates
└── Private CA operation (Private CA)
ACM Certificate Types
| Type | Description | Cost |
|---|---|---|
| ACM Public Certificate | Issued directly by ACM | Free |
| Imported Certificate | Issued by external CA and imported | Free (separate issuance cost) |
| ACM Private CA | Issues private certificates | $400/month + per-certificate cost |
Certificate Issuance Methods
Issuance Process
ACM Certificate Issuance Flow:
1. ACM Console → Request certificate
2. Enter domain name (example.com, *.example.com)
3. Select validation method (DNS or Email)
4. Complete domain ownership validation
5. Certificate issued
Domain Validation Methods
| Method | DNS Validation | Email Validation |
|---|---|---|
| How it Works | Add CNAME record to DNS | Approve via domain admin email |
| Auto-Renewal | Supported | Not supported |
| Recommended | Yes | Limited situations only |
| Route 53 | Auto record creation available | - |
Exam Tip
Exam Point: Using DNS validation allows ACM to automatically renew certificates. Email validation requires manual approval for each renewal.
DNS Validation Setup
DNS Validation Process:
1. Request certificate in ACM
2. ACM provides CNAME record values
- Name: _abc123.example.com
- Value: _xyz789.acm-validations.aws
3. Add CNAME record to DNS
- Route 53: "Create record in Route 53" button
- External DNS: Manually add record
4. ACM automatically verifies
5. Certificate issued
Wildcard Certificates
Wildcard Certificate Example:
├── *.example.com
│ ├── www.example.com ✅
│ ├── api.example.com ✅
│ ├── app.example.com ✅
│ └── sub.api.example.com ❌ (wildcard matches one label only, so second-level subdomains are not covered)
│
└── Additional domains
└── example.com (root domain added separately)
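The single-label wildcard rule above is easy to get wrong when planning which hostnames a certificate must carry. The following is an added example (not code from the original guide or from AWS) that checks a list of hostnames against a certificate's names using that rule: `*` matches exactly one DNS label and never a dot, and `*.example.com` does not match the bare `example.com`. All names used are placeholders.

```python
# Added example: hostname coverage check using the single-label wildcard rule
# that public CAs, ACM included, apply to "*.domain" names.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if hostname is covered by pattern (exact match or '*.' wildcard)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    # The wildcard stands for exactly one label: non-empty and containing no dot.
    prefix = hostname[: -len(suffix)]
    return prefix != "" and "." not in prefix


def covered_by(cert_names, hostnames):
    """Map each hostname to the first certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


def uncovered(cert_names, hostnames):
    """Hostnames that would fail TLS name validation with this certificate."""
    return [h for h, n in covered_by(cert_names, hostnames).items() if n is None]


if __name__ == "__main__":
    # Constructed planning input: a wildcard plus the root added as a SAN.
    names = ["*.example.com", "example.com"]
    hosts = ["www.example.com", "api.example.com", "sub.api.example.com", "example.com"]
    for host, match in covered_by(names, hosts).items():
        print(f"{host:24} -> {match or 'NOT COVERED'}")
```

Running it flags `sub.api.example.com` as not covered; the fix is to add `*.api.example.com` (or the exact name) as another SAN on the certificate, not to expect the first-level wildcard to reach it.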
ACM Integrated Services
Supported Services
Services that can use ACM certificates:
├── Elastic Load Balancer (ALB, NLB)
├── Amazon CloudFront
├── Amazon API Gateway
├── AWS App Runner
├── AWS Elastic Beanstalk
├── AWS Amplify
└── Amazon Cognito (User Pools)
Not Supported:
├── EC2 instances (cannot install directly)
├── On-premises servers
└── Other clouds
Applying ACM Certificate to ALB
ALB HTTPS Setup:
1. Issue certificate in ACM (same region)
2. Create/modify ALB listener
- Protocol: HTTPS
- Port: 443
- Certificate: Select ACM certificate
3. Choose security policy (TLS version)
4. Route to Target Group
Applying ACM Certificate to CloudFront
CloudFront HTTPS Setup:
1. Issue certificate in ACM (⚠️ us-east-1 required!)
2. CloudFront distribution settings
- Alternate Domain Names: example.com
- Custom SSL Certificate: Select ACM certificate
- Security Policy: TLSv1.2_2021 recommended
Exam Tip
Exam Essential: ACM certificates for CloudFront must be issued in the us-east-1 (N. Virginia) region. Certificates from other regions cannot be used with CloudFront!
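Both attachment procedures above hinge on a region rule: an ALB listener only accepts a certificate from the load balancer's own region, and CloudFront only accepts one from us-east-1. The following is an added example (not code from the original guide or from AWS) that enforces those rules before any API call by reading the region field out of the ARNs, and then builds the parameter dicts in the shape `elbv2.create_listener` and a CloudFront `DistributionConfig.ViewerCertificate` expect. Every ARN in it is a placeholder.

```python
# Added example: pre-flight region checks for attaching an ACM certificate.

CLOUDFRONT_CERT_REGION = "us-east-1"   # CloudFront reads certificates only from here


def arn_region(arn: str) -> str:
    """Region field of an ARN laid out as arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"malformed ARN: {arn!r}")
    return parts[3]


def https_listener_params(lb_arn: str, cert_arn: str, target_group_arn: str,
                          ssl_policy: str = "ELBSecurityPolicy-TLS13-1-2-2021-06") -> dict:
    """Keyword arguments for elbv2.create_listener, after the same-region check."""
    lb_region, cert_region = arn_region(lb_arn), arn_region(cert_arn)
    if cert_region != lb_region:
        raise ValueError(
            f"certificate is in {cert_region} but the load balancer is in {lb_region}; "
            f"request the certificate in {lb_region}"
        )
    return {
        "LoadBalancerArn": lb_arn,
        "Protocol": "HTTPS",
        "Port": 443,
        "SslPolicy": ssl_policy,
        "Certificates": [{"CertificateArn": cert_arn}],
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": target_group_arn}],
    }


def cloudfront_viewer_certificate(cert_arn: str,
                                  minimum_protocol: str = "TLSv1.2_2021") -> dict:
    """ViewerCertificate block for a CloudFront DistributionConfig (us-east-1 only)."""
    region = arn_region(cert_arn)
    if region != CLOUDFRONT_CERT_REGION:
        raise ValueError(
            f"certificate is in {region}; CloudFront requires one issued in {CLOUDFRONT_CERT_REGION}"
        )
    return {
        "ACMCertificateArn": cert_arn,
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": minimum_protocol,
        "CloudFrontDefaultCertificate": False,
    }


if __name__ == "__main__":
    # Constructed placeholder ARNs: an ALB in Seoul and certificates in two regions.
    alb = "arn:aws:elasticloadbalancing:ap-northeast-2:123456789012:loadbalancer/app/web/EXAMPLE"
    tg = "arn:aws:elasticloadbalancing:ap-northeast-2:123456789012:targetgroup/web/EXAMPLE"
    seoul_cert = "arn:aws:acm:ap-northeast-2:123456789012:certificate/EXAMPLE-SEOUL"
    virginia_cert = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-VA"
    print(https_listener_params(alb, seoul_cert, tg)["SslPolicy"])
    print(cloudfront_viewer_certificate(virginia_cert)["MinimumProtocolVersion"])
    try:
        cloudfront_viewer_certificate(seoul_cert)
    except ValueError as err:
        print("rejected:", err)
```

The returned dicts can be passed straight through (`elbv2.create_listener(**params)`, or merged into the distribution config); the point is that the region mismatch is caught locally with a clear message instead of surfacing as an API error after deployment has started.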
Using HTTPS on EC2
Why Can't ACM Certificates Be Installed Directly on EC2?
The private key of ACM public certificates is managed by AWS and cannot be exported. Therefore, they cannot be installed directly on EC2 instances.
Methods to Use HTTPS on EC2
EC2 HTTPS Configuration Methods:
1. ALB + ACM (Recommended)
User → ALB(HTTPS) → EC2(HTTP)
- SSL termination at ALB
- EC2 handles HTTP only
- No certificate management needed
2. CloudFront + ALB + EC2
User → CloudFront(HTTPS) → ALB → EC2
- SSL termination at global edge
- Caching + HTTPS
3. Direct External Certificate Installation
User → EC2(HTTPS)
- Use external CA like Let's Encrypt
- Manual certificate management required
HTTPS Architecture with ALB
ALB + ACM Architecture:
Internet → ALB (HTTPS:443)
│
│ ACM Certificate
│ SSL Termination
↓
Target Group (HTTP:80)
│
┌────┼────┐
↓ ↓ ↓
EC2 EC2 EC2
Exam Tip
Exam Point: If HTTPS is needed for EC2, use the ALB + ACM combination. Terminate SSL at the ALB (SSL Termination), and use HTTP or HTTPS between ALB and EC2.
Certificate Auto-Renewal
Renewal Conditions
Auto-Renewal Conditions:
├── Using DNS validation
├── DNS record is valid
├── Certificate is associated with AWS service
└── Renewal attempts start 60 days before expiration
Auto-Renewal Not Available:
├── Using email validation
├── Imported certificates (external CA)
└── DNS record deleted
Renewal Monitoring
# Check certificate status with AWS CLI
aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/xxx \
--query 'Certificate.{Status:Status,RenewalEligibility:RenewalEligibility}'
# Expiring certificate alerts
# Use CloudWatch Events/EventBridge
{
"source": ["aws.acm"],
"detail-type": ["ACM Certificate Approaching Expiration"]
}
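Two steps in this guide consume the same `describe-certificate` output: the DNS validation setup (reading the CNAME name and value ACM hands back and publishing it in Route 53) and the renewal monitoring just above (deciding whether a certificate will actually auto-renew). The following is an added example (not code from the original guide or from AWS) that does both offline against a constructed sample of that response: it collapses ACM's validation records into one idempotent Route 53 change batch, and it lists the reasons a certificate may not renew using the conditions from the Auto-Renewal section. The ARN, record names, dates and `AUDIT_TIME` are all constructed placeholders.

```python
# Added example: turn describe-certificate output into a Route 53 change batch
# and audit it against ACM's auto-renewal conditions.
from datetime import datetime, timedelta, timezone

# Constructed sample of the "Certificate" object returned by
# `aws acm describe-certificate`, trimmed to the fields used below.
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Type": "AMAZON_ISSUED",
    "Status": "PENDING_VALIDATION",
    "RenewalEligibility": "INELIGIBLE",
    "InUseBy": [],
    "NotAfter": datetime(2025, 3, 1, tzinfo=timezone.utc),
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        # ACM hands out the same record for the root name and its wildcard.
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
    ],
}

# Constructed "healthy" variant: attached to a load balancer, eligible, far from expiry.
HEALTHY_CERT = dict(
    SAMPLE_CERT,
    Status="ISSUED",
    RenewalEligibility="ELIGIBLE",
    InUseBy=["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/EXAMPLE"],
    NotAfter=datetime(2026, 1, 1, tzinfo=timezone.utc),
)

AUDIT_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc)   # constructed "now" for the audit


def validation_change_batch(cert: dict, ttl: int = 300) -> dict:
    """Route 53 ChangeBatch publishing ACM's DNS validation records (deduplicated, UPSERT)."""
    records = {}
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS" or "ResourceRecord" not in opt:
            continue
        rr = opt["ResourceRecord"]
        records[(rr["Name"], rr["Type"])] = rr["Value"]
    changes = [
        {"Action": "UPSERT",
         "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": ttl,
                               "ResourceRecords": [{"Value": value}]}}
        for (name, rtype), value in sorted(records.items())
    ]
    return {"Comment": f"ACM validation for {cert['DomainName']}", "Changes": changes}


def renewal_risks(cert: dict, now: datetime, warn_days: int = 60) -> list:
    """Reasons this certificate may not auto-renew; an empty list means no concerns."""
    risks = []
    if cert.get("Type") == "IMPORTED":
        risks.append("imported certificate: ACM never renews it, schedule a manual re-import")
    email = [o["DomainName"] for o in cert.get("DomainValidationOptions", [])
             if o.get("ValidationMethod") == "EMAIL"]
    if email:
        risks.append(f"email validation on {email}: each renewal needs manual approval")
    if not cert.get("InUseBy"):
        risks.append("not associated with any AWS resource: ACM will not renew it")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        risks.append("RenewalEligibility is INELIGIBLE")
    not_after = cert.get("NotAfter")
    if not_after is not None and not_after - now <= timedelta(days=warn_days):
        risks.append(f"expires {not_after.date()}, inside the {warn_days}-day renewal window")
    return risks


if __name__ == "__main__":
    batch = validation_change_batch(SAMPLE_CERT)
    print(f"{len(batch['Changes'])} record(s) to UPSERT in Route 53")
    for cert in (SAMPLE_CERT, HEALTHY_CERT):
        print(cert["Status"], renewal_risks(cert, AUDIT_TIME) or ["no renewal concerns"])
```

The change batch is the `ChangeBatch` argument to Route 53's `change_resource_record_sets` for the hosted zone of the domain; deduplicating the root and wildcard records matters because a second `CREATE` of the same name would fail, while `UPSERT` is safe to rerun. The audit mirrors the conditions listed under Auto-Renewal Conditions and is the check to run before relying on the EventBridge expiry event alone.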
Importing Certificates
Importing External Certificates
You can import existing certificates or certificates issued by other CAs into ACM.
Required for Import:
├── Certificate body (PEM format)
├── Certificate private key (PEM format)
└── Certificate chain (optional, PEM format)
Imported Certificate Considerations
| Aspect | ACM Issued | Imported Certificate |
|---|---|---|
| Auto-Renewal | Yes | No (manual renewal) |
| Expiration Alerts | Yes | Yes |
| EC2 Installation | No | No |
| Key Management | AWS managed | User managed |
Security Policies (TLS Versions)
ALB Security Policies
| Policy | TLS Versions | Recommended For |
|---|---|---|
| ELBSecurityPolicy-TLS13-1-2-2021-06 | TLS 1.3, 1.2 | Modern clients |
| ELBSecurityPolicy-TLS-1-2-2017-01 | TLS 1.2 | General recommendation |
| ELBSecurityPolicy-2016-08 | TLS 1.0, 1.1, 1.2 | Legacy compatibility |
CloudFront Security Policies
| Policy | TLS Versions | Description |
|---|---|---|
| TLSv1.2_2021 | TLS 1.2+ | Recommended |
| TLSv1.1_2016 | TLS 1.1+ | Legacy |
| TLSv1_2016 | TLS 1.0+ | Very old clients |
Exam Tip
Exam Point: TLS 1.2 or higher is recommended for security. TLS 1.2+ is required for PCI-DSS compliance. TLS 1.0 and 1.1 have security vulnerabilities and are not recommended.
ACM Private CA
What is Private CA?
ACM Private CA is a service that issues private certificates for internal organizational use.
Private CA Use Cases:
├── mTLS between internal APIs
├── Microservice communication encryption
├── IoT device authentication
├── Internal website HTTPS
└── Code/document signing
Cost
| Item | Cost |
|---|---|
| Private CA | $400/month |
| Certificate Issuance | $0.75/cert (over 1,000: $0.35) |
SAA-C03 Exam Focus Points
Common Question Types
| Scenario | Answer |
|---|---|
| "Free SSL certificate + auto-renewal" | ACM (DNS validation) |
| "Apply HTTPS to CloudFront" | Issue ACM certificate in us-east-1 |
| "Apply HTTPS to EC2" | ALB + ACM (cannot install directly) |
| "Use external certificate" | Import to ACM (no auto-renewal) |
| "Recommended domain validation method" | DNS validation (supports auto-renewal) |
| "Enforce TLS 1.2" | Configure security policy |
Common Pitfalls
❌ ACM certificates can be installed directly on EC2
→ Not possible (except Nitro Enclaves)
❌ CloudFront can use Seoul region ACM certificates
→ Only us-east-1 certificates can be used
❌ Email validation also supports auto-renewal
→ Only DNS validation supports auto-renewal
❌ Imported certificates are also auto-renewed
→ Only ACM-issued certificates are auto-renewed
❌ ACM certificates are paid
→ Public certificates are free (Private CA is paid)
Frequently Asked Questions (FAQ)
Q: Should I choose ACM or Let's Encrypt?
If using AWS services (ALB, CloudFront), choose ACM. If you need to install directly on EC2, use Let's Encrypt.
| Aspect | ACM | Let's Encrypt |
|---|---|---|
| Cost | Free | Free |
| Auto-Renewal | Yes (AWS managed) | Yes (certbot config) |
| EC2 Install | No | Yes |
| Management Ease | High | Low |
Q: Can multiple domains be included in one certificate?
Yes, when requesting a certificate in ACM, you can add up to 10 domains as SAN (Subject Alternative Names). Example: example.com, www.example.com, api.example.com
Q: How long does certificate issuance take?
- DNS validation: minutes after the DNS record propagates (usually within 30 minutes)
- Email validation: immediately after the email is approved
Q: What happens when a certificate expires?
When a certificate expires, HTTPS connections fail. Browsers display security warnings. With DNS validation, auto-renewal eliminates expiration concerns.
Q: Can certificates be shared across regions?
No, ACM certificates are managed per region. If you need certificates for the same domain in multiple regions, you must issue them separately in each region. However, CloudFront only uses us-east-1 certificates.
Summary
ACM is the easiest way to implement HTTPS on AWS:
- Free public certificates: Issue directly from ACM
- DNS validation recommended: Supports auto-renewal
- CloudFront: us-east-1 certificate required
- EC2: Use ALB + ACM combination
- Auto-renewal: AWS manages automatically with DNS validation