Posted On: Aug 23, 2023

Enterprise, network and security admins can now use AWS Identity and Access Management (IAM) condition context keys with AWS Certificate Manager (ACM) to help ensure that users are issuing certificates that conform to their organization’s public key infrastructure (PKI) guidelines. For example, you can use condition keys to allow only DNS validation. Or, you can authorize which of your users can request certificates for specific domain names such as accounting.example.com and/or wildcard names.

Using these new context keys, you can control how your ACM users set certificate issuance parameters: 1) which certificate validation method is allowed, 2) who can request certificates for specific domain names, including wildcard names, 3) which certificate key algorithm(s) may be used, and 4) whether public or private certificates may be requested. Additionally, you can prevent users from disabling Certificate Transparency (CT) logging or from requesting certificates from specific AWS Private Certificate Authorities.

You can distribute and enforce your condition keys across your users and accounts using either IAM or service control policies (SCPs) from AWS Organizations. You can enforce organization-wide policies or have specific policies for organizational units. For example, you can authorize your HR unit to issue certificates for the domain name HR.example.com while your IT department can only issue certificates for IT.example.com. You can also enforce these policies at account creation through AWS CloudFormation.
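As an added illustration that is not part of the announcement, the HR example above written as an IAM policy. The condition key names and value spellings (acm:ValidationMethod, acm:DomainNames, acm:KeyAlgorithm, acm:CertificateTransparency) are assumed here from the ACM condition-key documentation and should be checked against the current ACM reference before use; the Allow limits the HR unit to DNS-validated certificates for HR names with approved key algorithms, and the explicit Deny blocks any request that turns off CT logging.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HRUnitMayRequestOnlyHRCertificates",
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acm:ValidationMethod": "DNS",
          "acm:KeyAlgorithm": [
            "RSA_2048",
            "EC_prime256v1"
          ]
        },
        "ForAllValues:StringLike": {
          "acm:DomainNames": [
            "hr.example.com",
            "*.hr.example.com"
          ]
        }
      }
    },
    {
      "Sid": "NeverDisableCertificateTransparencyLogging",
      "Effect": "Deny",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acm:CertificateTransparency": "DISABLED"
        }
      }
    }
  ]
}
```

ForAllValues requires every requested name, including subject alternative names, to match one of the listed patterns, so a request mixing hr.example.com with an unrelated domain is refused. The same statements can be placed in an SCP for the HR organizational unit so that no account-level policy can widen them.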

Learn more about this feature here and get started with ACM. This feature is available in all AWS Regions where ACM is available, including the AWS GovCloud (US) Regions.