Using condition keys with ACM - Amazon Certificate Manager

Using condition keys with ACM

Amazon Certificate Manager uses Amazon Identity and Access Management (IAM) condition keys to limit which certificate requests are permitted. By using these condition keys in IAM policies or Service Control Policies (SCPs), you can ensure that certificate requests conform to your organization's guidelines.

Note

Combine ACM condition keys with Amazon global condition keys such as aws:PrincipalArn to further restrict actions to specific users or roles.

Supported conditions for ACM


ACM API operations and supported conditions

Condition Key                       Supported ACM API Operations   Type                         Description
acm:ValidationMethod                RequestCertificate             String (EMAIL, DNS)          Filter requests based on ACM validation method
acm:DomainNames                     RequestCertificate             ArrayOfString                Filter based on domain names in the ACM request
acm:KeyAlgorithm                    RequestCertificate             String                       Filter requests based on ACM key algorithm and size
acm:CertificateTransparencyLogging  RequestCertificate             String (ENABLED, DISABLED)   Filter requests based on ACM certificate transparency logging preference
acm:CertificateAuthority            RequestCertificate             ARN                          Filter requests based on certificate authorities in the ACM request

Example 1: Restricting validation method

The following policy denies new certificate requests that use the EMAIL validation method, except for requests made by the arn:aws:iam::123456789012:role/AllowedEmailValidation role.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "StringLike": {
        "acm:ValidationMethod": "EMAIL"
      },
      "ArnNotLike": {
        "aws:PrincipalArn": [
          "arn:aws:iam::123456789012:role/AllowedEmailValidation"
        ]
      }
    }
  }
}

Example 2: Preventing wildcard domains

The following policy denies any new ACM certificate request in which any requested domain name begins with a wildcard label. In an IAM policy pattern, ${*} is the escape for a literal asterisk, so "${*}.*" matches names such as *.example.com.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringLike": {
        "acm:DomainNames": [
          "${*}.*"
        ]
      }
    }
  }
}

Example 3: Restricting certificate domains

The following policy denies any new ACM certificate request that includes a domain name not matching *.amazonaws.com.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringNotLike": {
        "acm:DomainNames": [
          "*.amazonaws.com"
        ]
      }
    }
  }
}

The policy can be further restricted to specific subdomains. The following policy denies a request if any of its domain names matches none of the listed names, so it only allows requests where every domain matches at least one of the conditional domain names. The ForAnyValue set operator is what enforces this for every name in the request; with ForAllValues, the Deny would only apply when none of the requested names is listed.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "ForAnyValue:StringNotLike": {
        "acm:DomainNames": [
          "support.amazonaws.com",
          "developer.amazonaws.com"
        ]
      }
    }
  }
}

Example 4: Restricting key algorithm

The following policy uses the StringNotLike condition operator on the acm:KeyAlgorithm key to allow only certificates requested with the ECDSA 384-bit (EC_secp384r1) key algorithm.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "StringNotLike": {
        "acm:KeyAlgorithm": "EC_secp384r1"
      }
    }
  }
}

The following policy uses the StringLike condition operator with wildcard (*) matching to prevent requests for new certificates in ACM with any RSA key algorithm.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "StringLike": {
        "acm:KeyAlgorithm": "RSA*"
      }
    }
  }
}

Example 5: Restricting certificate authority

The following policy would only allow requests for private certificates using the provided Private Certificate Authority (PCA) ARN.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "StringNotLike": {
        "acm:CertificateAuthority": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
      }
    }
  }
}

This policy uses the acm:CertificateAuthority condition key to allow only requests for publicly trusted certificates issued by Amazon Trust Services. Checking the key with the Null condition operator and the value false matches every request in which acm:CertificateAuthority is present, so requests for private certificates from PCA are denied.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "acm:RequestCertificate",
    "Resource": "*",
    "Condition": {
      "Null": {
        "acm:CertificateAuthority": "false"
      }
    }
  }
}
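As an added example that is not part of the ACM documentation or any AWS tool, the following Python script is a toy evaluator for the Deny policies in Examples 1 through 5 above. It implements only the operators those examples use (StringLike, StringNotLike, ArnNotLike, Null, and the ForAnyValue/ForAllValues set prefixes) and simplifies ArnNotLike to a wildcard match on the whole ARN string, where real IAM matches ARN fields individually. The request contexts are constructed; the role ARN and the PCA ARN are the placeholders from this page, and the Developer role and the evil.example.com name are made up for the test cases. It contrasts ForAnyValue:StringNotLike with ForAllValues:StringNotLike on a request that mixes a listed and an unlisted domain, and shows how a missing acm:CertificateAuthority key behaves under StringNotLike and under Null, which is what decides whether a policy admits public certificate requests.

```python
"""Toy evaluator for the ACM Deny policies on this page (added example, not AWS code)."""
import re

NEGATED = {"StringNotLike", "ArnNotLike"}  # ArnNotLike is simplified to whole-string matching

def iam_wildcard_to_regex(pattern):
    """'*' matches any run, '?' one character; '${*}', '${?}', '${$}' are IAM literal escapes."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith(("${*}", "${?}", "${$}"), i):
            out.append(re.escape(pattern[i + 2]))
            i += 4
        else:
            out.append({"*": ".*", "?": "."}.get(pattern[i], re.escape(pattern[i])))
            i += 1
    return re.compile("".join(out) + r"\Z", re.DOTALL)

def string_like(value, pattern):
    return iam_wildcard_to_regex(pattern).match(value) is not None

def condition_true(operator, policy_values, request_value):
    """Evaluate one entry such as ("ForAnyValue:StringLike", ["${*}.*"], [names])."""
    policy_values = [policy_values] if isinstance(policy_values, str) else policy_values
    set_op, _, base = operator.rpartition(":")
    if base == "Null":  # "true" wants the key absent, "false" wants it present
        return (request_value is None) == (policy_values[0].lower() == "true")
    if base not in NEGATED | {"StringLike", "ArnLike"}:
        raise ValueError(f"unsupported operator {operator}")
    if request_value is None:
        # Missing key: ForAllValues is vacuously true, ForAnyValue is false, and a
        # single-valued negated operator (StringNotLike, ArnNotLike) is true.
        return set_op == "ForAllValues" if set_op else base in NEGATED
    values = request_value if isinstance(request_value, list) else [request_value]

    def matches(v):
        hit = any(string_like(v, p) for p in policy_values)
        return not hit if base in NEGATED else hit

    if set_op == "ForAllValues":
        return all(matches(v) for v in values)
    if set_op == "ForAnyValue":
        return any(matches(v) for v in values)
    return matches(values[0])  # single-valued operator on a scalar key

def is_denied(policy, action, context):
    """True if some Deny statement matches `action` with every condition satisfied."""
    statements = policy["Statement"]
    for st in statements if isinstance(statements, list) else [statements]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or not any(string_like(action, a) for a in actions):
            continue
        if all(condition_true(op, pv, context.get(key))
               for op, block in st.get("Condition", {}).items() for key, pv in block.items()):
            return True
    return False

def deny_policy(condition):
    """The single-statement Deny shape every policy on this page uses."""
    return {"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Resource": "*",
                                                   "Action": ACTION, "Condition": condition}}

ACTION = "acm:RequestCertificate"
ALLOWED_ROLE = "arn:aws:iam::123456789012:role/AllowedEmailValidation"  # Example 1
PCA_ARN = "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"  # the page's placeholder
LISTED = ["support.amazonaws.com", "developer.amazonaws.com"]            # Example 3
NO_EMAIL_EXCEPT_ROLE = deny_policy({"StringLike": {"acm:ValidationMethod": "EMAIL"},
                                    "ArnNotLike": {"aws:PrincipalArn": [ALLOWED_ROLE]}})
NO_WILDCARDS = deny_policy({"ForAnyValue:StringLike": {"acm:DomainNames": ["${*}.*"]}})
EVERY_NAME_LISTED = deny_policy({"ForAnyValue:StringNotLike": {"acm:DomainNames": LISTED}})
SOME_NAME_LISTED = deny_policy({"ForAllValues:StringNotLike": {"acm:DomainNames": LISTED}})
PRIVATE_ONLY = deny_policy({"StringNotLike": {"acm:CertificateAuthority": PCA_ARN}})
PUBLIC_ONLY = deny_policy({"Null": {"acm:CertificateAuthority": "false"}})

def scenarios():
    """Constructed RequestCertificate contexts run through the page's policies."""
    other_role = "arn:aws:iam::123456789012:role/Developer"  # constructed, not on the page
    mixed = ["support.amazonaws.com", "evil.example.com"]      # one listed name, one not

    def run(policy, ctx):
        return is_denied(policy, ACTION, ctx)
    return {
        "email_other_role": run(NO_EMAIL_EXCEPT_ROLE, {"acm:ValidationMethod": "EMAIL", "aws:PrincipalArn": other_role}),
        "email_allowed_role": run(NO_EMAIL_EXCEPT_ROLE, {"acm:ValidationMethod": "EMAIL", "aws:PrincipalArn": ALLOWED_ROLE}),
        "wildcard_name": run(NO_WILDCARDS, {"acm:DomainNames": ["*.example.com"]}),
        "plain_name": run(NO_WILDCARDS, {"acm:DomainNames": ["www.example.com"]}),
        "mixed_forany": run(EVERY_NAME_LISTED, {"acm:DomainNames": mixed}),
        "mixed_forall": run(SOME_NAME_LISTED, {"acm:DomainNames": mixed}),
        "public_under_private_only": run(PRIVATE_ONLY, {}),
        "pca_under_private_only": run(PRIVATE_ONLY, {"acm:CertificateAuthority": PCA_ARN}),
        "pca_under_public_only": run(PUBLIC_ONLY, {"acm:CertificateAuthority": PCA_ARN}),
        "public_under_public_only": run(PUBLIC_ONLY, {}),
    }

if __name__ == "__main__":
    for name, denied in scenarios().items():
        print(f"{name:26s} {'DENY' if denied else 'not denied'}")
```

Running the script prints one line per scenario. The two results worth comparing are mixed_forany (denied) and mixed_forall (not denied): the same allow-list of domain names only constrains every name in the request under ForAnyValue:StringNotLike, and a public certificate request with no acm:CertificateAuthority key is denied by the StringNotLike policy but not by the Null policy.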