Access Amazon Certificate Manager using an interface endpoint (Amazon PrivateLink) - Amazon Certificate Manager
ConsiderationsCreate an interface endpointCreate an endpoint policy
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Access Amazon Certificate Manager using an interface endpoint (Amazon PrivateLink)

You can use Amazon PrivateLink to create a private connection between your VPC and Amazon Certificate Manager. You can access ACM as if it were in your VPC, without the use of an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. Instances in your VPC don't need public IP addresses to access ACM.

You establish this private connection by creating an interface endpoint, powered by Amazon PrivateLink. We create an endpoint network interface in each subnet that you enable for the interface endpoint. These are requester-managed network interfaces that serve as the entry point for traffic destined for ACM.

For more information, see Access Amazon Web Services services through Amazon PrivateLink in the Amazon PrivateLink Guide.

Considerations for ACM

Before you set up an interface endpoint for ACM, review Considerations in the Amazon PrivateLink Guide.

The following are considerations when using Amazon PrivateLink with ACM.

  • ACM supports making calls to all of its API actions through the interface endpoint.

  • Public certificates requested from ACM are acquired and issued from Amazon Trust Services. Communications between ACM and Amazon Trust Services take place over the public internet for ACM to receive these certificates.

Create an interface endpoint for ACM

You can create an interface endpoint for ACM using either the Amazon VPC console or the Amazon Command Line Interface (Amazon CLI). For more information, see Create an interface endpoint in the Amazon PrivateLink Guide and Amazon Certificate Manager endpoints and quotas in the Amazon Web Services General Reference.

Create an interface endpoint for ACM using the following service name:

com.amazonaws.region.acm

If you enable private DNS for the interface endpoint, you can make API requests to ACM using its default Regional DNS name. For example, acm.us-east-1.amazonaws.com.

Create an endpoint policy for your interface endpoint

An endpoint policy is an IAM resource that you can attach to an interface endpoint. The default endpoint policy allows full access to ACM through the interface endpoint. To control the access allowed to ACM from your VPC, attach a custom endpoint policy to the interface endpoint.

An endpoint policy specifies the following information:

  • The principals that can perform actions (Amazon Web Services accounts, IAM users, and IAM roles).

  • The actions that can be performed.

  • The resources on which the actions can be performed.

For more information, see Control access to services using endpoint policies in the Amazon PrivateLink Guide.

Example: VPC endpoint policy for ACM actions

The following is an example of a custom endpoint policy. When you attach this policy to your interface endpoint, it grants access to the listed ACM actions for all principals on all resources.

JSON
{
   "Statement": [
      {
         "Principal": "*",
         "Effect": "Allow",
         "Action": [
            "acm:ListCertificates",
            "acm:DescribeCertificate",
         ],
         "Resource":"*"
      }
   ]
}