Posted On: May 26, 2021

AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports using S3 Block Public Access on the S3 buckets in which it stores certificate revocation lists (CRLs).

Private CAs publish CRLs so that one end of a TLS connection can check that the certificate presented by the other end has not been revoked. Previously, CRLs generated by ACM Private CA had to be stored in publicly readable buckets, which runs counter to the best practice of blocking public access to S3 by default. With this feature and some additional configuration, customers can keep their buckets non-public while still making CRLs available to the clients that rely on SSL/TLS to identify endpoints and establish secure connections. Because a CRL in a non-public bucket is no longer reachable at its S3 URL, the CA's CRL configuration must be adjusted as well; read the Private CA documentation on configuring the CRL before you enable S3 Block Public Access on a bucket that stores one, so that your PKI is set up to support these settings.
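The following is an added example (not AWS code from this announcement) of the configuration that has to line up for a CRL bucket with Block Public Access turned on: all four Block Public Access settings, a bucket policy that lets only the ACM Private CA service principal write the CRL, and a CRL configuration whose object ACL does not try to make the CRL public. The bucket name, account ID, CA ARN and CNAME are constructed placeholders, and the example assumes that `crl.corp.example.com` resolves to a CloudFront distribution (or other front end) that serves objects from the bucket; creating that distribution is outside the example. The `review_crl_setup` check is this example's own, not an AWS API; it flags the two combinations that break CRL publishing once public access is blocked.

```python
"""Configure an S3 bucket that holds ACM Private CA CRLs with Block Public Access on.

Added example, not AWS-provided code. Bucket name, account ID, CA ARN and CNAME
are constructed placeholders; substitute your own values before running apply().
"""
import json

BUCKET = "example-private-ca-crl"          # placeholder
ACCOUNT_ID = "111122223333"                 # placeholder
CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:"
          "certificate-authority/00000000-0000-0000-0000-000000000000")  # placeholder
CRL_CNAME = "crl.corp.example.com"          # assumed to front BUCKET (e.g. via CloudFront)


def block_public_access_config():
    """All four S3 Block Public Access settings, in the shape PutPublicAccessBlock expects."""
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


def crl_bucket_policy(bucket, account_id, ca_arn):
    """Bucket policy granting only the ACM Private CA service principal write access.

    No public grant is present, so the policy is non-public and is accepted while
    BlockPublicPolicy is on. The SourceAccount/SourceArn condition restricts the grant
    to calls made on behalf of this account's CA (confused-deputy guard).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "acm-pca.amazonaws.com"},
            "Action": ["s3:PutObject", "s3:PutObjectAcl",
                       "s3:GetBucketAcl", "s3:GetBucketLocation"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id,
                                           "aws:SourceArn": ca_arn}},
        }],
    }


def crl_configuration(bucket, cname=None, expiration_days=7):
    """RevocationConfiguration.CrlConfiguration for UpdateCertificateAuthority.

    BUCKET_OWNER_FULL_CONTROL keeps the CRL object private; CustomCname makes the
    CRL distribution point in issued certificates point at the front end, not S3.
    """
    cfg = {
        "Enabled": True,
        "ExpirationInDays": expiration_days,
        "S3BucketName": bucket,
        "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
    }
    if cname:
        cfg["CustomCname"] = cname
    return cfg


def review_crl_setup(public_access_block, crl_config):
    """Return the misconfigurations that make Block Public Access and CRL publishing conflict."""
    findings = []
    acl = crl_config.get("S3ObjectAcl", "PUBLIC_READ")  # PUBLIC_READ is the API default
    if not crl_config.get("Enabled"):
        findings.append("CRL generation is disabled; nothing will be published")
    if public_access_block.get("BlockPublicAcls") and acl == "PUBLIC_READ":
        findings.append("BlockPublicAcls rejects the public-read ACL the CA would set on the "
                        "CRL object; set S3ObjectAcl to BUCKET_OWNER_FULL_CONTROL")
    if acl != "PUBLIC_READ" and not crl_config.get("CustomCname"):
        findings.append("CRL object is private and no CustomCname is set, so certificates will "
                        "carry the S3 URL as their CRL distribution point, which clients cannot "
                        "fetch; front the bucket and set CustomCname")
    return findings


def apply(bucket=BUCKET, account_id=ACCOUNT_ID, ca_arn=CA_ARN, cname=CRL_CNAME):
    """Push the configuration with boto3 (needs AWS credentials and the existing CA)."""
    import boto3
    s3 = boto3.client("s3")
    s3.put_public_access_block(Bucket=bucket,
                               PublicAccessBlockConfiguration=block_public_access_config())
    s3.put_bucket_policy(Bucket=bucket,
                         Policy=json.dumps(crl_bucket_policy(bucket, account_id, ca_arn)))
    boto3.client("acm-pca").update_certificate_authority(
        CertificateAuthorityArn=ca_arn,
        RevocationConfiguration={"CrlConfiguration": crl_configuration(bucket, cname)},
    )


if __name__ == "__main__":
    problems = review_crl_setup(block_public_access_config(),
                                crl_configuration(BUCKET, CRL_CNAME))
    print("findings:", problems or "none")
    # apply()  # uncomment once the front end behind CRL_CNAME exists
```

Run the module as-is to review the configuration offline; call `apply()` only after the distribution behind the CNAME is in place, because the CA starts writing the CRL to the bucket as soon as the revocation configuration is updated, and certificates issued from then on embed the CNAME as their CRL distribution point.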

ACM Private CA is a managed private CA service that helps you easily and securely manage the lifecycle of your private certificates. ACM Private CA provides you a highly-available private CA service without the upfront investment and ongoing maintenance costs of operating your own private CA. 

For a list of regions where ACM Private CA is available, see AWS Regions and Endpoints.

To get started visit the ACM Private CA Getting Started page to learn more about ACM Private CA.