Services integrated with Amazon Certificate Manager

Elastic Load Balancing automatically distributes your incoming application traffic across multiple Amazon EC2 instances. It detects unhealthy instances and reroutes traffic to healthy instances until the unhealthy instances have been restored. Elastic Load Balancing automatically scales its request handling capacity in response to incoming traffic. For more information about load balancing, see the Elastic Load Balancing User Guide.

In general, to serve secure content over SSL/TLS, load balancers require that SSL/TLS certificates be installed on either the load balancer or the back-end Amazon EC2 instance. ACM is integrated with Elastic Load Balancing to deploy ACM certificates on the load balancer. For more information, see Create an Application Load Balancer

Amazon CloudFront is a web service that speeds up distribution of your dynamic and static web content to end users by delivering your content from a worldwide network of edge locations. When an end user requests content that you're serving through CloudFront, the user is routed to the edge location that provides the lowest latency. This ensures that content is delivered with the best possible performance. If the content is currently at that edge location, CloudFront delivers it immediately. If the content is not currently at that edge location, CloudFront retrieves it from the Amazon S3 bucket or web server that you have identified as the definitive content source. For more information about CloudFront, see the Amazon CloudFront Developer Guide.

To serve secure content over SSL/TLS, CloudFront requires that SSL/TLS certificates be installed on either the CloudFront distribution or on the backed content source. ACM is integrated with CloudFront to deploy ACM certificates on the CloudFront distribution. For more information, see Getting an SSL/TLS Certificate.

Amazon Cognito provides authentication, authorization, and user management for your web and mobile applications. Users can sign in directly with your Amazon Web Services account credentials or through a third party such as Facebook, Amazon, Google, or Apple. For more information about Amazon Cognito, see Amazon Cognito Developer Guide.

When you configure a Cognito user pool to use an Amazon CloudFront proxy, CloudFront may put an ACM certificate in place to secure the custom domain. When this is the case, be aware that you must remove the certificate's association with CloudFront before you can delete it.

Elastic Beanstalk helps you deploy and manage applications in the Amazon Cloud without worrying about the infrastructure that runs those applications. Amazon Elastic Beanstalk reduces management complexity. You simply upload your application and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and health monitoring. Elastic Beanstalk uses the Elastic Load Balancing service to create a load balancer. For more information about Elastic Beanstalk, see the Amazon Elastic Beanstalk Developer Guide.

To choose a certificate, you must configure the load balancer for your application in the Elastic Beanstalk console. For more information, see Configuring Your Elastic Beanstalk Environment's Load Balancer to Terminate HTTPS.

App Runner is an Amazon service that provides a fast, simple, and cost-effective way to deploy from source code or a container image directly to a scalable and secure web application in the Amazon Cloud. You don't need to learn new technologies, decide which compute service to use, or know how to provision and configure Amazon resources. For more information about App Runner, see the Amazon App Runner Developer Guide.

When you associate custom domain names with your App Runner service, App Runner internally creates certificates that track domain validity. They're stored in ACM. App Runner doesn't delete these certificates for seven days after a domain is disassociated from your service or after the service is deleted. This entire process is automated and you don't need to add or manage any certificates yourself. For more information, see Managing custom domain names for an App Runner service in the Amazon App Runner Developer Guide.

With the proliferation of mobile devices and growth of the Internet of Things (IoT), it has become increasingly common to create APIs that can be used to access data and interact with back-end systems on Amazon. You can use API Gateway to publish, maintain, monitor, and secure your APIs. After you deploy your API to API Gateway, you can set up a custom domain name to simplify access to it. To set up a custom domain name, you must provide an SSL/TLS certificate. You can use ACM to generate or import the certificate. For more information about Amazon API Gateway, see the Amazon API Gateway Developer Guide.

Amazon Nitro Enclaves is an Amazon EC2 feature that allows you to create isolated execution environments, called enclaves, from Amazon EC2 instances. Enclaves are separate, hardened, and highly constrained virtual machines. They provide only secure local socket connectivity with their parent instance. They have no persistent storage, interactive access, or external networking. Users cannot SSH into an enclave, and the data and applications inside the enclave cannot be accessed by the parent instance's processes, applications, or users (including root or admin).

EC2 instances connected to Nitro Enclaves support ACM certificates. For more information, see Amazon Certificate Manager for Nitro Enclaves.

Amazon CloudFormation helps you model and set up your Amazon Web Services resources. You create a template that describes the Amazon resources that you want to use, such as Elastic Load Balancing or API Gateway. Then Amazon CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure Amazon resources and figure out what's dependent on what; Amazon CloudFormation handles all of that. ACM certificates are included as a template resource, which means that Amazon CloudFormation can request ACM certificates that you can use with Amazon services to enable secure connections. In addition, ACM certificates are included with many of the Amazon resources that you can set up with Amazon CloudFormation.

For general information about CloudFormation, see the Amazon CloudFormation User Guide. For information about ACM resources supported by CloudFormation, see AWS::CertificateManager::Certificate.

With the powerful automation provided by Amazon CloudFormation, it is easy to exceed your certificate quota, especially with new Amazon accounts. We recommend that you follow the ACM best practices for Amazon CloudFormation.

Amplify is a set of purpose-built tools and features that enables front-end web and mobile developers to quickly and easily build full-stack applications on Amazon. Amplify provides two services: Amplify Hosting and Amplify Studio. Amplify Hosting provides a git-based workflow for hosting full-stack serverless web apps with continuous deployment. Amplify Studio is a visual development environment that simplifies the creation of scalable, full-stack web and mobile apps. Use Studio to build your front-end UI with a set of ready-to-use UI components, create an app backend, and then connect the two together. For more information about Amplify, see the Amazon Amplify User Guide.

If you connect a custom domain to your application, the Amplify console issues an ACM certificate to secure it.

Amazon OpenSearch Service is a search and analytics engine for use cases such as log analytics, real-time application monitoring, and click stream analysis. For more information, see the Amazon OpenSearch Service Developer Guide.

When you create an OpenSearch Service cluster that contains a custom domain and endpoint, you can use ACM to provision the associated Application Load Balancer with a certificate.

Amazon Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). For more information about Network Firewall, see the Amazon Network Firewall Developer Guide.

Network Firewall firewall integrates with ACM for TLS inspection. If you use TLS inspection in Network Firewall, you must configure an ACM certificate for the decryption and re-encryption of the SSL/TLS traffic going through your firewall. For information about how Network Firewall works with ACM for TLS inspection, see Requirements for using SSL/TLS certificates with TLS inspection configurations in the Amazon Network Firewall Developer Guide.