
AWS Certificate Manager (ACM)

Definition

AWS Certificate Manager (ACM) is the AWS service for issuing, managing, and renewing TLS/SSL certificates. ACM provides:

  • Public certificates: issued by Amazon's public CA (Amazon Trust Services) for internet-facing endpoints; ACM generates the key pair on request.
  • Private certificates: issued by a CA you run in AWS Private CA (referred to on this page as ACM Private CA), for internal-only workloads and mTLS.
  • Managed renewal: ACM renews the public certificates it issued (13-month validity) ahead of expiry, automatically where DNS validation is in place; email-validated certificates need the domain owner to act on the renewal notices, and imported certificates are not renewed by ACM at all.

In cyber-resilience designs, ACM is part of the rotate-or-re-issue leg of the Rebuild-Restore-Rotate framework — certificates that may have been compromised during the event window are renewed/re-issued as part of recovery.

Verbatim from the canonicalising source:

"AWS Secrets Manager rotation, IAM Identity Center session revocation, AWS Certificate Manager renewal, and workload-specific rotation hooks are components most customers already have in some form. The cyber recovery capability is the ability to invoke that rotation comprehensively and verify that nothing was missed." (Source: sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events)

Role in cyber-resilience

Certificates are part of the rotate-or-re-issue category in Rebuild-Restore-Rotate:

"Rotate or re-issue: IAM access keys, database passwords, API keys, certificates, OAuth tokens, SSH keys"

Why certificates are in the rotate category:

  • Private keys may have been exposed during the event: even without evidence of exfiltration, the recovery assumption is that no key material from the compromised environment carries forward.
  • Re-issue cost is low: ACM generates the new key pair and certificate on request, so there is no manual CSR or key handling for managed certificates.
  • Short validity is already normal: ACM public certificates are issued for 13 months, so re-issuance is routine operational behaviour rather than an exceptional change.

What ACM provides for recovery

  • Programmatic re-issuance: RequestCertificate (and IssueCertificate for Private CA) are API calls, so replacement certificates can be requested from the rebuild automation.
  • Domain validation: public certificates need DNS or email validation; the rebuilt environment can satisfy DNS validation as soon as its hosted zones are back, and ACM reuses the same validation CNAME for a given domain within an account.
  • Integration with AWS services: Elastic Load Balancing, CloudFront, API Gateway and the other integrated services pick up a renewed certificate automatically because renewal keeps the ARN; a re-issued certificate has a new ARN and has to be associated with each consuming resource explicitly.
  • ACM Private CA: a Private CA in the recovery account issues replacement internal certificates during rebuild, and, unlike public certificates, these can be revoked by the customer (RevokeCertificate).

Operational considerations

Certificate inventory

Cyber-resilience requires knowing which certificates exist so they can all be re-issued:

  • ACM's ListCertificates API is regional and paginated: inventory has to iterate every region (CloudFront certificates live in us-east-1) in every account, and DescribeCertificate supplies the fields that matter for triage (Type, InUseBy, RenewalEligibility, NotAfter).
  • Imported certificates (Type IMPORTED) have keys generated outside ACM; ACM neither renews nor re-keys them, so they need their own re-key and re-import step.
  • Key material that is not a certificate at all (e.g. JWT signing keys) and certificates ACM never sees (e.g. mTLS client certificates issued by application-layer CAs) need a separate inventory.
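
The inventory and the "nothing was missed" check above, as an added example (not code from the cited AWS reference approach): collect_inventory() is the live collector (boto3 is imported lazily, so the checks run offline), and classify() and verify_rotation() are pure functions over DescribeCertificate-shaped records, exercised on constructed sample data. The ARNs, account ID, regions and the event-window date are all assumptions made up for the example.

```python
"""Inventory and post-rotation verification of ACM certificates.

Added example for this page; not code from the cited AWS reference
approach. collect_inventory() is the live collector (boto3 imported
lazily, so the checks below run offline); the checks are pure functions
over DescribeCertificate-shaped records, exercised on constructed data.
"""
from datetime import datetime, timezone


def collect_inventory(session, regions):
    """Return the full DescribeCertificate record for every certificate in
    the given regions of one account (a boto3 Session). ACM is regional, and
    CloudFront certificates live in us-east-1; ListCertificates is paginated
    and returns summaries, so DescribeCertificate is called for InUseBy, Type
    and the timestamps the checks need. Run once per account."""
    records = []
    for region in regions:
        acm = session.client("acm", region_name=region)
        for page in acm.get_paginator("list_certificates").paginate():
            for summary in page["CertificateSummaryList"]:
                arn = summary["CertificateArn"]
                records.append(acm.describe_certificate(CertificateArn=arn)["Certificate"])
    return records


def key_material_date(cert):
    """When the key material behind this ACM object last changed.
    Managed renewal keeps the ARN and CreatedAt, so a certificate renewed in
    place still reports its original date and is treated as not rotated;
    only a new request (new ARN) or a re-import (ImportedAt) advances it.
    That is deliberate: the recovery operation is explicit re-issue."""
    if cert["Type"] == "IMPORTED":
        return cert["ImportedAt"]
    return cert["CreatedAt"]


def classify(cert):
    """Recovery action implied by one certificate record."""
    if not cert.get("InUseBy"):
        return "unused: delete rather than re-issue"
    return {
        "IMPORTED": "re-key outside ACM, then ImportCertificate",
        "PRIVATE": "re-issue from the recovery Private CA",
        "AMAZON_ISSUED": "RequestCertificate, re-associate consumers, delete old",
    }[cert["Type"]]


def verify_rotation(records, event_start):
    """The 'nothing was missed' check: ARNs still referenced by a resource
    whose key material predates the start of the event window."""
    return sorted(
        c["CertificateArn"] for c in records
        if c.get("InUseBy") and key_material_date(c) < event_start
    )


# Constructed sample inventory: made-up ARNs, account ID and dates.
EVENT_START = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/old-public",
     "Type": "AMAZON_ISSUED",
     "InUseBy": ["arn:aws:cloudfront::111122223333:distribution/E1A2B3C4D5E6F7"],
     "CreatedAt": datetime(2025, 9, 3, tzinfo=timezone.utc)},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/new-public",
     "Type": "AMAZON_ISSUED",
     "InUseBy": ["arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/web/50dc6c495c0c9188/f2f7dc8efc522ab2"],
     "CreatedAt": datetime(2026, 5, 4, tzinfo=timezone.utc)},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/legacy-import",
     "Type": "IMPORTED",
     "InUseBy": ["arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/api/0123456789abcdef/fedcba9876543210"],
     "CreatedAt": datetime(2023, 1, 10, tzinfo=timezone.utc),
     "ImportedAt": datetime(2026, 5, 5, tzinfo=timezone.utc)},
    {"CertificateArn": "arn:aws:acm:eu-west-1:111122223333:certificate/orphan",
     "Type": "AMAZON_ISSUED", "InUseBy": [],
     "CreatedAt": datetime(2024, 2, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for cert in SAMPLE:
        print(cert["CertificateArn"].rsplit("/", 1)[1], "->", classify(cert))
    print("missed:", verify_rotation(SAMPLE, EVENT_START))
```

On the sample data only old-public is reported as missed: it is still bound to a distribution and its key material predates the event window. The imported certificate passes because its ImportedAt is inside the window, and the orphan is skipped because nothing references it (classify() tells you to delete it rather than re-issue it).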

Renewal vs re-issuance

  • Renewal: ACM's managed renewal runs on ACM's schedule (attempts begin 60 days before expiry), keeps the certificate's ARN and cannot be invoked on demand, so it gives the responder no control over when a suspect certificate is replaced.
  • Re-issuance: an explicit request for a new certificate, for which ACM generates a new key pair and a new ARN; the responder then re-associates the consuming resources and deletes the old certificate. This is the cyber-resilience-correct operation.

Managed renewal is therefore not the recovery operation; explicit re-issuance is. Two caveats apply to public certificates. ACM refuses to delete a certificate that is still associated with a resource, so the delete step doubles as the check that re-association is complete. And deletion is not revocation: only the issuing CA can revoke a public ACM certificate and there is no customer-facing API for it, so treat re-issuance as replacing the certificate rather than invalidating it, and raise revocation with AWS Support if key exposure is confirmed.
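
The re-issuance sequence described above, as an added example (not code from the cited AWS reference approach): reissue() drives a boto3 ACM client through request, wait for ISSUED, re-associate, then delete only once ACM reports no remaining consumer. FakeAcm is a constructed offline stand-in with the same three calls so the control flow can be exercised here; the rebind callback, the ARNs, the account ID and the domain names are assumptions made up for the example.

```python
"""Explicit re-issuance of an ACM public certificate during recovery.

Added example for this page, not code from the cited AWS reference
approach. reissue() drives a boto3 ACM client; FakeAcm is a constructed
offline stand-in with the same calls so the control flow can run here.
"""
import time


def reissue(acm, old_arn, rebind, poll_interval=0, max_polls=60):
    """Replace old_arn with a freshly requested certificate and return the
    new ARN. rebind(new_arn) must re-associate every consuming resource
    (e.g. elbv2.modify_listener(...)); a new ARN is never picked up
    automatically. poll_interval is 0 here only for the offline demo."""
    old = acm.describe_certificate(CertificateArn=old_arn)["Certificate"]
    # Same names and key algorithm, but ACM generates a new key pair: nothing
    # from the suspect key carries over. DNS validation reuses the CNAME
    # already published for this domain in this account.
    new_arn = acm.request_certificate(
        DomainName=old["DomainName"],
        SubjectAlternativeNames=old["SubjectAlternativeNames"],
        ValidationMethod="DNS",
        KeyAlgorithm=old["KeyAlgorithm"],
    )["CertificateArn"]
    for _ in range(max_polls):
        status = acm.describe_certificate(CertificateArn=new_arn)["Certificate"]["Status"]
        if status == "ISSUED":
            break
        if status != "PENDING_VALIDATION":
            raise RuntimeError(f"{new_arn} entered state {status}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"{new_arn} not issued after {max_polls} polls")
    rebind(new_arn)
    # Never delete while ACM still reports a consumer: ACM itself would refuse
    # (ResourceInUseException), and a leftover reference means the suspect key
    # is still serving traffic. Deletion is not revocation either way.
    still = acm.describe_certificate(CertificateArn=old_arn)["Certificate"].get("InUseBy", [])
    if still:
        raise RuntimeError(f"{old_arn} still in use by {still}; not deleted")
    acm.delete_certificate(CertificateArn=old_arn)
    return new_arn


class FakeAcm:
    """Constructed stand-in for the boto3 ACM client (offline demo only).
    A requested certificate becomes ISSUED on its second poll."""
    def __init__(self):
        self.certs, self.deleted, self.polls = {}, [], 0

    def describe_certificate(self, CertificateArn):
        c = self.certs[CertificateArn]
        if c["Status"] == "PENDING_VALIDATION":
            self.polls += 1
            if self.polls >= 2:
                c["Status"] = "ISSUED"
        return {"Certificate": dict(c, CertificateArn=CertificateArn)}

    def request_certificate(self, DomainName, SubjectAlternativeNames,
                            ValidationMethod, KeyAlgorithm):
        arn = f"arn:aws:acm:eu-west-1:111122223333:certificate/new-{len(self.certs)}"
        self.certs[arn] = dict(DomainName=DomainName, KeyAlgorithm=KeyAlgorithm,
                               SubjectAlternativeNames=SubjectAlternativeNames,
                               Status="PENDING_VALIDATION", InUseBy=[])
        return {"CertificateArn": arn}

    def delete_certificate(self, CertificateArn):
        if self.certs[CertificateArn]["InUseBy"]:
            raise RuntimeError("ResourceInUseException")
        self.deleted.append(CertificateArn)
        del self.certs[CertificateArn]


# Made-up ARNs for the demo.
OLD_ARN = "arn:aws:acm:eu-west-1:111122223333:certificate/old-suspect"
LISTENER = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:listener/app/web/50dc6c495c0c9188/f2f7dc8efc522ab2"


def demo(release_old=True):
    """Run reissue() against FakeAcm. With release_old=False the rebind
    callback forgets to detach the old certificate and reissue() refuses to
    delete it. Returns (new_arn, ARN now bound on the listener, deleted)."""
    acm = FakeAcm()
    acm.certs[OLD_ARN] = dict(DomainName="www.example.com",
                              SubjectAlternativeNames=["www.example.com", "example.com"],
                              KeyAlgorithm="EC_prime256v1", Status="ISSUED",
                              InUseBy=[LISTENER])
    bound = {"arn": OLD_ARN}  # stands in for the ALB listener's certificate

    def rebind(new_arn):  # real code: elbv2.modify_listener(Certificates=[...])
        bound["arn"] = new_arn
        acm.certs[new_arn]["InUseBy"] = [LISTENER]
        if release_old:
            acm.certs[OLD_ARN]["InUseBy"] = []

    new_arn = reissue(acm, OLD_ARN, rebind)
    return new_arn, bound["arn"], acm.deleted


if __name__ == "__main__":
    print(demo())
```

The guard before delete_certificate is the part worth copying: it turns ACM's own refusal to delete an in-use certificate into an explicit recovery check, so a consumer the rebind step forgot (a second listener, a CloudFront distribution in us-east-1) surfaces as a failure rather than as a suspect key that quietly keeps serving.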

Composition with other rotate-leg primitives

Primitive                                 What it rotates
AWS Secrets Manager                       Database passwords, API keys
IAM Identity Center session revocation    Active SSO sessions
AWS Certificate Manager                   TLS/SSL certificates
Workload-specific rotation hooks          Application-layer secrets

The cyber-resilience requirement is to invoke all of these comprehensively during recovery, with verification that nothing was missed.
