How to fully automate the provisioning of ACM certificates in CloudFormation

05 Oct, 2018
Xebia Background Header Wave

AWS Certificate Manager is a great service that eases the creation and renewal of certificates. After you request a certificate, it allows you two ways to prove that you own the domain. Either by clicking on an email sent to the administrative contact of the domain or by updating a record in DNS.
As we aim to automate the entire process, email validation method is not an option. It requires a human to click on a link. Validating through DNS is the way to go.
Since, June 2020 CloudFormation AWS::CertificateManager::Certificate allows you to specify the Route53 hosted zone, in which to insert the validation records.

How do I automate the provisioning of ACM certificates?

You can automate the provisioning of ACM certificates with DNS with a single resource. Below you see the required AWS::CertificateManager::Certificate resource:

    Type: AWS::CertificateManager::Certificate
      DomainName: !Ref DomainName
      ValidationMethod: DNS
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId

This will create the required DNS validation records for the domain in the specified route53 hosted zone.


With the newly provided support, you can automate the provisioning of AWS certificates through DNS. The trusty old custom provider cfn-certificate-provider which have been providing this functionality since October 2018, can now retire.
Got to here? You probably also like deploying secrets and deploying private key pairs with CloudFormation.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.

Get in touch with us to learn more about the subject and related solutions

Explore related posts