ACM Certificate Transparency Logging Enabled
Overview
This check verifies that AWS Certificate Manager (ACM) certificates have Certificate Transparency (CT) logging enabled. Certificate Transparency is a set of public, append-only logs to which certificate authorities submit the SSL/TLS certificates they issue; the signed certificate timestamps (SCTs) a CA embeds in a certificate prove it was logged, and browsers use that proof to decide whether to trust a public certificate. Because every issuance is visible, domain owners can monitor the logs for certificates they did not request, and misissued or fraudulent certificates are much harder to hide. Imported certificates are excluded from this check: ACM controls the logging preference only for certificates it issues, while an imported certificate's CT status was decided by the CA that issued it.
Risk
Without Certificate Transparency logging enabled:
- Certificates for your domains are invisible to CT monitoring - A certificate requested with logging disabled (including one requested by an attacker who has obtained acm:RequestCertificate in your account) never appears in the public logs, so the CT monitoring you rely on to spot unexpected certificates cannot see it
- Man-in-the-middle attacks become harder to detect - A rogue certificate used to intercept encrypted traffic leaves no trace in the logs you would otherwise audit
- Browser rejection, not just warnings - Chrome and Safari have required SCTs in publicly trusted certificates since 2018; a certificate issued with logging disabled produces a hard error in those browsers (in Chrome, NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED) rather than a dismissible warning
- Delayed incident response - Without the public record of issuance you lose an independent, tamper-evident inventory of the certificates issued for your domains, which slows down scoping during an incident
Remediation Steps
Prerequisites
- AWS account access with permission to read and modify ACM certificates
- An IAM policy that allows acm:ListCertificates, acm:DescribeCertificate and acm:UpdateCertificateOptions on the certificates in scope
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to Certificate Manager (search for "ACM" in the services search bar)
- Switch to the region the flagged certificate lives in. ACM certificates are regional: a certificate attached to a CloudFront distribution must be in us-east-1, while a certificate used by an Application Load Balancer or a regional API Gateway endpoint lives in that resource's region
- Find and select the certificate that failed the check
- Click Actions in the top right
- Select Edit transparency logging
- Toggle the setting to Enabled
- Click Save
Note: This option only appears for ACM-issued certificates, not imported certificates.
AWS CLI (optional)
Enable Certificate Transparency logging using the AWS CLI:
aws acm update-certificate-options \
--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
--options CertificateTransparencyLoggingPreference=ENABLED \
--region us-east-1
Replace the certificate ARN with your actual certificate ARN.
To find your certificate ARN (by default list-certificates returns only RSA_2048 certificates, so pass --includes keyTypes=... to see EC and other RSA key sizes as well):
aws acm list-certificates --region us-east-1 \
--includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1 \
--query 'CertificateSummaryList[].[CertificateArn,DomainName]' --output table
To check the current CT logging status of a certificate:
aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
--region us-east-1 \
--query 'Certificate.Options.CertificateTransparencyLoggingPreference'
CloudFormation (optional)
When creating or updating ACM certificates via CloudFormation, ensure the CertificateTransparencyLoggingPreference property is set to ENABLED:
AWSTemplateFormatVersion: '2010-09-09'
Description: ACM Certificate with Certificate Transparency logging enabled
Resources:
Certificate:
Type: AWS::CertificateManager::Certificate
Properties:
DomainName: example.com
SubjectAlternativeNames:
- "*.example.com"
ValidationMethod: DNS
CertificateTransparencyLoggingPreference: ENABLED
Tags:
- Key: Name
Value: example-certificate
Deploy the template:
aws cloudformation deploy \
--template-file acm-certificate.yaml \
--stack-name acm-certificate-stack \
--region us-east-1
Important: If you omit CertificateTransparencyLoggingPreference from your template, CloudFormation defaults to ENABLED. Explicitly setting it ensures the configuration is clear and intentional.
Terraform (optional)
When creating ACM certificates via Terraform, set the certificate_transparency_logging_preference argument to ENABLED:
resource "aws_acm_certificate" "example" {
domain_name = "example.com"
validation_method = "DNS"
subject_alternative_names = [
"*.example.com"
]
options {
certificate_transparency_logging_preference = "ENABLED"
}
tags = {
Name = "example-certificate"
}
lifecycle {
create_before_destroy = true
}
}
Note: The default value for certificate_transparency_logging_preference is ENABLED, but explicitly setting it ensures your infrastructure-as-code is self-documenting and prevents accidental changes.
Verification
After enabling Certificate Transparency logging, verify the change:
- Go to Certificate Manager in the AWS Console
- Select the certificate you modified
- In the certificate details, look for Transparency logging
- Confirm it shows Enabled
CLI verification commands
Verify CT logging is enabled for a specific certificate:
aws acm describe-certificate \
--certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012 \
--region us-east-1 \
--query 'Certificate.Options'
Expected output:
{
"CertificateTransparencyLoggingPreference": "ENABLED"
}
To check all certificates in a region (the --includes filter is needed because list-certificates returns only RSA_2048 certificates by default; the Type column lets you ignore IMPORTED and PRIVATE certificates, which are out of scope):
for arn in $(aws acm list-certificates --region us-east-1 \
--includes keyTypes=RSA_1024,RSA_2048,RSA_3072,RSA_4096,EC_prime256v1,EC_secp384r1,EC_secp521r1 \
--query 'CertificateSummaryList[].CertificateArn' --output text); do
# One line per certificate: ARN, type, CT preference (None for imported certificates)
aws acm describe-certificate --certificate-arn "$arn" --region us-east-1 \
--query '[Certificate.CertificateArn, Certificate.Type, Certificate.Options.CertificateTransparencyLoggingPreference]' \
--output text
done
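The same check as a script, added here as an example that is not part of the original page and not AWS code. It reproduces the rule described in the Overview and the CLI verification above: an ACM-issued certificate whose CertificateTransparencyLoggingPreference is anything other than ENABLED is a finding, and IMPORTED and PRIVATE certificates are skipped. evaluate() and findings() operate on plain dictionaries shaped like aws acm describe-certificate output, so they run offline against the constructed sample records in the file; audit_region() is the live variant, which assumes boto3 and AWS credentials are available and needs acm:ListCertificates, acm:DescribeCertificate and, when remediation is requested, acm:UpdateCertificateOptions. The ARNs and domain names in the samples are made up.

```python
"""Audit ACM certificates for Certificate Transparency logging (added example)."""
from typing import Dict, List

# Every key type ACM can list. Without an explicit include filter,
# ListCertificates returns only RSA_2048 certificates, which would hide
# EC certificates from the audit.
ALL_KEY_TYPES = [
    "RSA_1024", "RSA_2048", "RSA_3072", "RSA_4096",
    "EC_prime256v1", "EC_secp384r1", "EC_secp521r1",
]

# Constructed sample records, trimmed to the fields the check reads.
ARN_PREFIX = "arn:aws:acm:us-east-1:123456789012:certificate/"
SAMPLE_CERTIFICATES: List[Dict] = [
    {  # ACM-issued, logging on: compliant
        "CertificateArn": ARN_PREFIX + "00000000-0000-0000-0000-000000000001",
        "DomainName": "www.example.com",
        "Type": "AMAZON_ISSUED",
        "Options": {"CertificateTransparencyLoggingPreference": "ENABLED"},
    },
    {  # ACM-issued, owner opted out: finding
        "CertificateArn": ARN_PREFIX + "00000000-0000-0000-0000-000000000002",
        "DomainName": "api.example.com",
        "Type": "AMAZON_ISSUED",
        "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"},
    },
    {  # Imported: the issuing CA decided logging; ACM cannot change it
        "CertificateArn": ARN_PREFIX + "00000000-0000-0000-0000-000000000003",
        "DomainName": "legacy.example.com",
        "Type": "IMPORTED",
    },
    {  # Private CA: not publicly trusted, CT does not apply
        "CertificateArn": ARN_PREFIX + "00000000-0000-0000-0000-000000000004",
        "DomainName": "internal.example.com",
        "Type": "PRIVATE",
        "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"},
    },
]


def evaluate(cert: Dict) -> str:
    """Classify one describe-certificate record as PASS, FAIL or SKIP."""
    if cert.get("Type") != "AMAZON_ISSUED":
        return "SKIP"  # imported or private-CA certificate: out of scope
    pref = cert.get("Options", {}).get("CertificateTransparencyLoggingPreference")
    # Only an explicit ENABLED passes; a missing or DISABLED value is a finding,
    # so an unexpected response shape is never silently accepted.
    return "PASS" if pref == "ENABLED" else "FAIL"


def findings(certs: List[Dict]) -> List[str]:
    """ARNs of in-scope certificates that have CT logging turned off."""
    return [c["CertificateArn"] for c in certs if evaluate(c) == "FAIL"]


def audit_region(region: str, remediate: bool = False) -> List[str]:
    """Live audit of one region; returns the failing ARNs. boto3 is imported
    here so the offline part of this file works without it installed."""
    import boto3  # assumption: boto3 and AWS credentials are available

    acm = boto3.client("acm", region_name=region)
    arns: List[str] = []
    for page in acm.get_paginator("list_certificates").paginate(
            Includes={"keyTypes": ALL_KEY_TYPES}):
        arns.extend(s["CertificateArn"] for s in page["CertificateSummaryList"])
    failing = findings(
        [acm.describe_certificate(CertificateArn=a)["Certificate"] for a in arns])
    if remediate:
        for arn in failing:  # same operation as `aws acm update-certificate-options`
            acm.update_certificate_options(
                CertificateArn=arn,
                Options={"CertificateTransparencyLoggingPreference": "ENABLED"})
    return failing


if __name__ == "__main__":
    for cert in SAMPLE_CERTIFICATES:
        print(f"{evaluate(cert):4} {cert['Type']:13} {cert['DomainName']}")
    print("findings:", findings(SAMPLE_CERTIFICATES))
```

Run the file as-is to see the four sample records classified; call audit_region("us-east-1") from a Python shell to audit a real region, and audit_region("us-east-1", remediate=True) to re-enable logging on every finding. Treating a missing Options field as FAIL rather than PASS is deliberate: a check that passes on absent data would also pass on a malformed or truncated response.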
Additional Resources
- AWS Certificate Manager User Guide
- Opting Out of Certificate Transparency Logging
- Certificate Transparency Overview
- AWS ACM CLI Reference - update-certificate-options
Notes
- Imported certificates excluded: This check only applies to certificates issued by ACM (Type AMAZON_ISSUED). For an imported certificate the issuing CA decided whether it was logged; ACM exposes no CT setting for it and update-certificate-options cannot change it
- Public certificates only: CT logging is relevant for publicly trusted certificates on internet-facing resources; certificates issued from AWS Private CA (Type PRIVATE) are not publicly trusted and are not logged, so they are out of scope
- No service interruption: Changing the preference does not trigger re-validation and does not affect traffic on resources that use the certificate. Note, however, that SCTs are embedded in a certificate when it is issued, so a certificate that was issued while logging was disabled does not retroactively acquire CT evidence; the next certificate ACM issues for that request (at renewal, or when you request a replacement) will carry it. Confirm by looking the domain up on crt.sh
- Propagation time: After enabling, it may take a few minutes for the change to reflect in monitoring tools
- Browser requirements: Chrome (certificates issued after 30 April 2018) and Safari (after 15 October 2018) reject publicly trusted certificates that carry no SCTs, and Firefox now enforces CT as well; keeping logging enabled is therefore a compatibility requirement, not only a detection aid
- Monitoring CT logs: Use a service such as crt.sh, or a CT monitor that alerts on new entries for your domains, to detect certificates you did not request. Remember that your own opted-out ACM certificates will be absent from those logs, which is one more reason to keep logging enabled