Using condition keys with ACM - AWS Certificate Manager

Using condition keys with ACM

AWS Certificate Manager uses AWS Identity and Access Management (IAM) condition keys to limit access to certificate requests. With condition keys in IAM policies or service control policies (SCPs), you can restrict certificate requests so that they conform to your organization's guidelines.

Note

Combine ACM condition keys with AWS global condition keys such as aws:PrincipalArn to further restrict actions to specific users or roles.

Supported conditions for ACM


ACM API operations and supported conditions

| Condition key | Supported ACM API operations | Type | Description |
| --- | --- | --- | --- |
| acm:ValidationMethod | RequestCertificate | String (EMAIL, DNS) | Filter requests based on ACM validation method |
| acm:DomainNames | RequestCertificate | ArrayOfString | Filter based on domain names in the ACM request |
| acm:KeyAlgorithm | RequestCertificate | String | Filter requests based on ACM key algorithm and size |
| acm:CertificateTransparencyLogging | RequestCertificate | String (ENABLED, DISABLED) | Filter requests based on ACM certificate transparency logging preference |
| acm:CertificateAuthority | RequestCertificate | ARN | Filter requests based on certificate authorities in the ACM request |

Example 1: Restricting validation method

The following policy denies new certificate requests that use the EMAIL validation method, except for requests made using the arn:aws:iam::123456789012:role/AllowedEmailValidation role.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "acm:ValidationMethod": "EMAIL"
            },
            "ArnNotLike": {
                "aws:PrincipalArn": [
                    "arn:aws:iam::123456789012:role/AllowedEmailValidation"
                ]
            }
        }
    }
}

Example 2: Preventing wildcard domains

The following policy denies any new ACM certificate request that uses wildcard domains.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:StringLike": {
                "acm:DomainNames": [
                    "${*}.*"
                ]
            }
        }
    }
}

Example 3: Restricting certificate domains

The following policy denies any new ACM certificate request that includes a domain that does not match *.amazonaws.com.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "ForAnyValue:StringNotLike": {
                "acm:DomainNames": [
                    "*.amazonaws.com"
                ]
            }
        }
    }
}

The policy can be restricted further to specific subdomains. This policy only allows requests in which every domain matches at least one of the listed domain names.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "ForAllValues:StringNotLike": {
                "acm:DomainNames": [
                    "support.amazonaws.com",
                    "developer.amazonaws.com"
                ]
            }
        }
    }
}

Example 4: Restricting key algorithm

The following policy uses the StringNotLike condition operator on the acm:KeyAlgorithm key to allow only certificates requested with the ECDSA 384-bit (EC_secp384r1) key algorithm.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "StringNotLike": {
                "acm:KeyAlgorithm": "EC_secp384r1"
            }
        }
    }
}

The following policy uses the StringLike condition operator with a trailing * wildcard to prevent requests for new ACM certificates that use any RSA key algorithm.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "acm:KeyAlgorithm": "RSA*"
            }
        }
    }
}

Example 5: Restricting certificate authority

The following policy only allows requests for private certificates issued by the private certificate authority (PCA) whose ARN is given in the condition.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "StringNotLike": {
                "acm:CertificateAuthority": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
            }
        }
    }
}

This policy uses the acm:CertificateAuthority condition key to allow only requests for publicly trusted certificates issued by Amazon Trust Services. Setting the Null operator to false for acm:CertificateAuthority matches any request in which a certificate authority ARN is present, so the Deny blocks requests for private certificates from PCA.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "acm:RequestCertificate",
        "Resource": "*",
        "Condition": {
            "Null": {
                "acm:CertificateAuthority": "false"
            }
        }
    }
}
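To check how these Deny policies behave before deploying them, the following added example (not part of the AWS documentation) is a small, simplified evaluator of the condition operators the examples above use: StringLike, StringNotLike, ArnNotLike, Null and the ForAnyValue:/ForAllValues: qualifiers, including the ${*} escape that Example 2 relies on to match a literal asterisk. It is an approximation of IAM's evaluation logic, not the IAM engine itself; ArnNotLike is treated as plain wildcard string matching, and the request contexts are constructed.

```python
import re

# IAM StringLike semantics: case-sensitive, * and ? are wildcards, and the
# escapes ${*}, ${?} and ${$} stand for the literal characters (see Example 2).
_ESCAPES = {"${*}": "*", "${?}": "?", "${$}": "$"}

def string_like(value: str, pattern: str) -> bool:
    regex, i = "", 0
    while i < len(pattern):
        if pattern[i:i + 4] in _ESCAPES:
            regex += re.escape(_ESCAPES[pattern[i:i + 4]]); i += 4
        else:
            ch = pattern[i]
            regex += ".*" if ch == "*" else "." if ch == "?" else re.escape(ch); i += 1
    return re.fullmatch(regex, value, re.DOTALL) is not None

def condition_true(condition: dict, request: dict) -> bool:
    """Every operator/key pair in the Condition block must hold (simplified IAM
    model: StringLike, StringNotLike, ArnNotLike, Null, ForAnyValue/ForAllValues)."""
    for operator, tests in condition.items():
        qualifier, _, base = operator.rpartition(":")
        for key, expected in tests.items():
            patterns = expected if isinstance(expected, list) else [expected]
            present = request.get(key)
            if base == "Null":  # "true" matches an absent key, "false" a present one
                if (present is None) != (patterns[0] == "true"):
                    return False
                continue
            negate = base in ("StringNotLike", "ArnNotLike")
            values = present if isinstance(present, list) else [present]
            # An absent key never satisfies a positive operator but does satisfy a negated one.
            per_value = [(v is not None and any(string_like(v, p) for p in patterns)) != negate
                         for v in values]
            ok = all(per_value) if qualifier == "ForAllValues" else any(per_value)
            if not ok:
                return False
    return True

def denied(policy: dict, request: dict) -> bool:
    """True when a Deny statement for the request's action has a matching condition."""
    statements = policy["Statement"]
    statements = statements if isinstance(statements, list) else [statements]
    return any(s["Effect"] == "Deny" and s["Action"] == request["Action"]
               and condition_true(s.get("Condition", {}), request) for s in statements)

# Example 2 from the page; request contexts are constructed for illustration.
NO_WILDCARDS = {"Version": "2012-10-17", "Statement": {"Effect": "Deny",
    "Action": "acm:RequestCertificate", "Resource": "*",
    "Condition": {"ForAnyValue:StringLike": {"acm:DomainNames": ["${*}.*"]}}}}
```

Calling denied(NO_WILDCARDS, {"Action": "acm:RequestCertificate", "acm:DomainNames": ["www.example.com", "*.example.com"]}) returns True, while a request listing only www.example.com is not denied.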