# Monitor and log AWS Certificate Manager
Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Certificate Manager and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs.
The following topics describe AWS cloud-monitoring tools available for use with ACM.
**Topics**
+ [Using Amazon EventBridge](cloudwatch-events.md)
+ [Using CloudTrail with AWS Certificate Manager](cloudtrail.md)
+ [Supported CloudWatch metrics](cloudwatch-metrics.md)
# Using Amazon EventBridge
You can use [Amazon EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/) (formerly CloudWatch Events) to automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services, including ACM, are delivered to Amazon EventBridge in near-real time. You can use events to trigger targets including AWS Lambda functions, AWS Batch jobs, Amazon SNS topics, and many others. For more information, see [What Is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html)
**Topics**
+ [Amazon EventBridge support for ACM](supported-events.md)
+ [Initiating actions with Amazon EventBridge in ACM](example-actions.md)
# Amazon EventBridge support for ACM
This topic lists and describes the ACM related events supported by Amazon EventBridge.
## ACM Certificate Approaching Expiration event
ACM sends daily expiration events for all active certificates (public, private and imported) starting 45 days prior to expiration for private/imported certificates and 30 days prior to expiration for public certificates. This timing can be changed using the [PutAccountConfiguration](https://docs.aws.amazon.com/acm/latest/APIReference/API_PutAccountConfiguration.html) action of the ACM API.
ACM automatically initiates renewal of eligible certificates that it issued, but imported certificates need to be reissued and reimported prior to expiration to avoid outages. For more information, see [Reimporting a certificate](https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html#reimport-certificate-api). You can use expiration events to set up automation to reimport certificates into ACM. For an example of automation using AWS Lambda, see [Initiating actions with Amazon EventBridge in ACM](example-actions.md).
*ACM Certificate Approaching Expiration* events have the following structure.
```
{
"version": "0",
"id": "id",
"detail-type": "ACM Certificate Approaching Expiration",
"source": "aws.acm",
"account": "account",
"time": "2020-09-30T06:51:08Z",
"region": "region",
"resources": [
"arn:aws:acm:region:account:certificate/certificate_ID"
],
"detail": {
"DaysToExpiry": 31,
"CommonName": "example.com"
}
}
```
## ACM Certificate Expired event
**Note**
Certificate Expired events aren't available for [imported certificates](import-certificate.md).
Customers can listen on this event to alert them if an ACM issued public or private certificate in their account expires.
*ACM Certificate Expired* events have the following structure.
```
{
"version": "0",
"id": "id",
"detail-type": "ACM Certificate Expired",
"source": "aws.acm",
"account": "account",
"time": "2019-12-22T18:43:48Z",
"region": "region",
"resources": [
"arn:aws:acm:region:account:certificate/certificate_ID"
],
"detail": {
"CertificateType" : "AMAZON_ISSUED" | "PRIVATE",
"CommonName": "example.com",
"DomainValidationMethod" : "EMAIL" | "DNS",
"CertificateCreatedDate" : "2018-12-22T18:43:48Z",
"CertificateExpirationDate" : "2019-12-22T18:43:48Z",
"InUse" : TRUE | FALSE,
"Exported" : TRUE | FALSE
}
}
```
## ACM Certificate Available event
Customers can listen on this event to be notified when a managed public or private certificate is ready for use. The event is published on issuance, renewal, and import. For a private certificate, once it becomes available, customer action is still required to deploy it to hosts.
*ACM Certificate Available* events have the following structure.
```
{
"version": "0",
"id": "id",
"detail-type": "ACM Certificate Available",
"source": "aws.acm",
"account": "account",
"time": "2019-12-22T18:43:48Z",
"region": "region",
"resources": [
"arn:aws:acm:region:account:certificate/certificate_ID"
],
"detail": {
“Action” : "ISSUANCE" | "RENEWAL" | "IMPORT" | "REIMPORT",
"CertificateType" : "AMAZON_ISSUED" | "PRIVATE" | "IMPORTED",
"CommonName": "example.com",
"DomainValidationMethod" : "EMAIL" | "DNS",
"CertificateCreatedDate" : "2019-12-22T18:43:48Z",
"CertificateExpirationDate" : "2019-12-22T18:43:48Z",
"DaysToExpiry" : 198,
"InUse" : TRUE | FALSE,
"Exported" : TRUE | FALSE
}
}
```
## ACM Certificate Renewal Action Required event
**Note**
Certificate Renewal Action Required events aren't available for [imported certificates](import-certificate.md).
Customers can listen on this event to be alerted when a customer action must be taken before a certificate can be renewed. For instance, if a customer adds CAA records that prevent ACM from renewing a certificate, ACM publishes this event when automatic renewal fails at 45 days before expiration for private certificates and 30 days before expiration for public certificates. If no customer action is taken, ACM makes further renewal attempts at 30 days (for private only), 15 days, 3 days, and 1 day, or until customer action is taken, the certificate expires, or the certificate is no longer eligible for renewal. An event is published for each of these renewal attempts.
*ACM Certificate Renewal Action Required* events have the following structure.
```
{
"version": "0",
"id": "id",
"detail-type": "ACM Certificate Renewal Action Required",
"source": "aws.acm",
"account": "account",
"time": "2019-12-22T18:43:48Z",
"region": "region",
"resources": [
"arn:aws:acm:region:account:certificate/certificate_ID"
],
"detail": {
"CertificateType" : "AMAZON_ISSUED" | "PRIVATE",
"CommonName": "example.com",
"DomainValidationMethod" : "EMAIL" | "DNS",
"RenewalStatusReason" : "CAA_ERROR" | "PENDING_DOMAIN_VALIDATION" | "NO_AVAILABLE_CONTACTS" | "ADDITIONAL_VERIFICATION_REQUIRED" | "DOMAIN_NOT_ALLOWED" | "INVALID_PUBLIC_DOMAIN" | "DOMAIN_VALIDATION_DENIED" | "PCA_LIMIT_EXCEEDED" | "PCA_INVALID_ARN" | "PCA_INVALID_STATE" | "PCA_REQUEST_FAILED" | "PCA_NAME_CONSTRAINTS_VALIDATION" | "PCA_RESOURCE_NOT_FOUND" | "PCA_INVALID_ARGS" | "PCA_INVALID_DURATION" | "PCA_ACCESS_DENIED" | "SLR_NOT_FOUND" | "OTHER",
"DaysToExpiry": 30,
"CertificateExpirationDate" : "2019-12-22T18:43:48Z",
"InUse" : TRUE | FALSE,
"Exported" : TRUE | FALSE
}
}
```
## ACM Certificate Revoked event
Customers can listen on this event to alert them if an ACM issued public or private certificate in their account is revoked.
**Note**
Only exported certificates can be revoked. Imported certificates cannot be revoked via revoke-certificate.
*ACM Certificate Revoked* events have the following structure.
```
{
"version": "0",
"id": "id",
"detail-type": "ACM Certificate Revoked",
"source": "aws.acm",
"account": "account",
"time": "2019-12-22T18:43:48Z",
"region": "region",
"resources": [
"arn:aws:acm:region:account:certificate/certificate_ID"
],
"detail": {
"CertificateType" : "AMAZON_ISSUED" | "PRIVATE",
"CommonName": "example.com",
"CertificateExpirationDate" : "2019-12-22T18:43:48Z",
"Exportable": TRUE | FALSE
}
}
```
## AWS health events
AWS health events are generated for ACM certificates that are eligible for renewal. For information about renewal eligibility, see [Managed certificate renewal in AWS Certificate Manager](managed-renewal.md).
Health events are generated in two scenarios:
+ On successful renewal of a public or private certificate.
+ When a customer must take action for a renewal to occur. This may mean choosing a link in an email message (for email-validated certificates), or resolving an error. One of the following event codes is included with each event. The codes are exposed as variables that you can use for filtering.
+ `AWS_ACM_RENEWAL_STATE_CHANGE` (the certificate has been renewed, has expired, or is due to expire)
+ `CAA_CHECK_FAILURE` (CAA check failed)
+ `AWS_ACM_RENEWAL_FAILURE` (for certificates signed by a private CA)
Health events have the following structure. In this example, an `AWS_ACM_RENEWAL_STATE_CHANGE` event has been generated.
```
{
"source":[
"aws.health"
],
"detail-type":[
"AWS Health Event"
],
"detail":{
"service":[
"ACM"
],
"eventTypeCategory":[
"scheduledChange"
],
"eventTypeCode":[
"AWS_ACM_RENEWAL_STATE_CHANGE"
]
}
}
```
# Initiating actions with Amazon EventBridge in ACM
You can create Amazon EventBridge rules based on these events and use the Amazon EventBridge console to configure actions that take place when the events are detected. This section provides sample procedures for configuring Amazon EventBridge rules and resulting actions.
**Topics**
+ [Responding to an event with Amazon SNS](event-sns-response.md)
+ [Responding to an event with a Lambda function](event-lambda-response.md)
# Responding to an event with Amazon SNS
This section shows how to configure Amazon SNS to send a text notification whenever ACM generates a health event.
Complete the following procedure to configure a response.
**To create a Amazon EventBridge rule and trigger an action**
1. Create an Amazon EventBridge rule. For more information, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html).
1. In the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/), navigate to the **Events** > **Rules** page and choose **Create rule**.
1. On the **Create rule** page, select **Event Pattern**.
1. For **Service Name**, choose **Health** from the menu.
1. For **Event Type**, choose **Specific Health events**.
1. Select **Specific service(s)** and choose **ACM** from the menu.
1. Select **Specific event type category(s)** and choose **accountNotification**.
1. Choose **Any event type code**.
1. Choose **Any resource**.
1. In the **Event pattern preview** editor, paste the JSON pattern emitted by the event. This example uses the pattern from the [AWS health events](supported-events.md#health-event) section.
```
{
"source":[
"aws.health"
],
"detail-type":[
"AWS Health Event"
],
"detail":{
"service":[
"ACM"
],
"eventTypeCategory":[
"scheduledChange"
],
"eventTypeCode":[
"AWS_ACM_RENEWAL_STATE_CHANGE"
]
}
}
```
1. Configure an action.
In the **Targets** section, you can choose from among many services that can immediately consume your event, such as Amazon Simple Notification Service (SNS), or you can choose **Lambda function** to pass the event to customized executable code. For an example of an AWS Lambda implementation, see [Responding to an event with a Lambda function](event-lambda-response.md).
# Responding to an event with a Lambda function
This procedure demonstrates how to use AWS Lambda to listen on Amazon EventBridge, create notifications with Amazon Simple Notification Service (SNS), and publish findings to AWS Security Hub CSPM, providing visibility to administrators and security teams.
**To set up a Lambda function and IAM role**
1. First configure an AWS Identity and Access Management (IAM) role and define the permissions needed by the Lambda function. This security best practice gives you flexibility in designating who has authorization to call the function, and in limiting the permissions granted to that person. It is not recommended to run most AWS operations directly under a user account and especially not under an administrator account.
Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Use the JSON policy editor to create the policy defined in the template below. Provide your own Region and AWS account details. For more information, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html#access_policies_create-json-editor).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "LambdaCertificateExpiryPolicy1",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-1:123456789012:*"
},
{
"Sid": "LambdaCertificateExpiryPolicy2",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/handle-expiring-certificates:*"
]
},
{
"Sid": "LambdaCertificateExpiryPolicy3",
"Effect": "Allow",
"Action": [
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:ListCertificates",
"acm:ListTagsForCertificate"
],
"Resource": "*"
},
{
"Sid": "LambdaCertificateExpiryPolicy4",
"Effect": "Allow",
"Action": "SNS:Publish",
"Resource": "*"
},
{
"Sid": "LambdaCertificateExpiryPolicy5",
"Effect": "Allow",
"Action": [
"SecurityHub:BatchImportFindings",
"SecurityHub:BatchUpdateFindings",
"SecurityHub:DescribeHub"
],
"Resource": "*"
},
{
"Sid": "LambdaCertificateExpiryPolicy6",
"Effect": "Allow",
"Action": "cloudwatch:ListMetrics",
"Resource": "*"
}
]
}
```
------
1. Create an IAM role and attach the new policy to it. For information about creating an IAM role and attaching a policy, see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console).
1. Open the AWS Lambda console at [https://console.aws.amazon.com/lambda/](https://console.aws.amazon.com/lambda/).
1. Create the Lambda function. For more information, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html). Complete the following steps:
1. On the **Create function** page, choose the **Author from scratch** option to create the function.
1. Specify a name such as "handle-expiring-certificates" in the **Function name** field.
1. Choose Python 3.8 from the **Runtime** list.
1. Expand **Change default execution role** and choose **Use an existing role**.
1. Choose the role you previously created from the **Existing role** list.
1. Choose **Create function**.
1. Under **Function code**, insert the following code:
```
# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: MIT-0
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this
# software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify,
# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
import json
import boto3
import os
from datetime import datetime, timedelta, timezone
# -------------------------------------------
# setup global data
# -------------------------------------------
utc = timezone.utc
# make today timezone aware
today = datetime.now().replace(tzinfo=utc)
# set up time window for alert - default to 45 if its missing
if os.environ.get('EXPIRY_DAYS') is None:
expiry_days = 45
else:
expiry_days = int(os.environ['EXPIRY_DAYS'])
expiry_window = today + timedelta(days = expiry_days)
def lambda_handler(event, context):
# if this is coming from the ACM event, its for a single certificate
if (event['detail-type'] == "ACM Certificate Approaching Expiration"):
response = handle_single_cert(event, context.invoked_function_arn)
return {
'statusCode': 200,
'body': response
}
def handle_single_cert(event, context_arn):
cert_client = boto3.client('acm')
cert_details = cert_client.describe_certificate(CertificateArn=event['resources'][0])
result = 'The following certificate is expiring within ' + str(expiry_days) + ' days: ' + cert_details['Certificate']['DomainName']
# check the expiry window before logging to Security Hub and sending an SNS
if cert_details['Certificate']['NotAfter'] < expiry_window:
# This call is the text going into the SNS notification
result = result + ' (' + cert_details['Certificate']['CertificateArn'] + ') '
# this call is publishing to SH
result = result + ' - ' + log_finding_to_sh(event, cert_details, context_arn)
# if there's an SNS topic, publish a notification to it
if os.environ.get('SNS_TOPIC_ARN') is None:
response = result
else:
sns_client = boto3.client('sns')
response = sns_client.publish(TopicArn=os.environ['SNS_TOPIC_ARN'], Message=result, Subject='Certificate Expiration Notification')
return result
def log_finding_to_sh(event, cert_details, context_arn):
# setup for security hub
sh_region = get_sh_region(event['region'])
sh_hub_arn = "arn:aws:securityhub:{0}:{1}:hub/default".format(sh_region, event['account'])
sh_product_arn = "arn:aws:securityhub:{0}:{1}:product/{1}/default".format(sh_region, event['account'])
# check if security hub is enabled, and if the hub arn exists
sh_client = boto3.client('securityhub', region_name = sh_region)
try:
sh_enabled = sh_client.describe_hub(HubArn = sh_hub_arn)
# the previous command throws an error indicating the hub doesn't exist or lambda doesn't have rights to it so we'll stop attempting to use it
except Exception as error:
sh_enabled = None
print ('Default Security Hub product doesn\'t exist')
response = 'Security Hub disabled'
# This is used to generate the URL to the cert in the Security Hub Findings to link directly to it
cert_id = right(cert_details['Certificate']['CertificateArn'], 36)
if sh_enabled:
# set up a new findings list
new_findings = []
# add expiring certificate to the new findings list
new_findings.append({
"SchemaVersion": "2018-10-08",
"Id": cert_id,
"ProductArn": sh_product_arn,
"GeneratorId": context_arn,
"AwsAccountId": event['account'],
"Types": [
"Software and Configuration Checks/AWS Config Analysis"
],
"CreatedAt": event['time'],
"UpdatedAt": event['time'],
"Severity": {
"Original": '89.0',
"Label": 'HIGH'
},
"Title": 'Certificate expiration',
"Description": 'cert expiry',
'Remediation': {
'Recommendation': {
'Text': 'A new certificate for ' + cert_details['Certificate']['DomainName'] + ' should be imported to replace the existing imported certificate before expiration',
'Url': "https://console.aws.amazon.com/acm/home?region=" + event['region'] + "#/?id=" + cert_id
}
},
'Resources': [
{
'Id': event['id'],
'Type': 'ACM Certificate',
'Partition': 'aws',
'Region': event['region']
}
],
'Compliance': {'Status': 'WARNING'}
})
# push any new findings to security hub
if new_findings:
try:
response = sh_client.batch_import_findings(Findings=new_findings)
if response['FailedCount'] > 0:
print("Failed to import {} findings".format(response['FailedCount']))
except Exception as error:
print("Error: ", error)
raise
return json.dumps(response)
# function to setup the sh region
def get_sh_region(event_region):
# security hub findings may need to go to a different region so set that here
if os.environ.get('SECURITY_HUB_REGION') is None:
sh_region_local = event_region
else:
sh_region_local = os.environ['SECURITY_HUB_REGION']
return sh_region_local
# quick function to trim off right side of a string
def right(value, count):
# To get right part of string, use negative first index in slice.
return value[-count:]
```
1. Under **Environment variables**, choose **Edit** and optionally add the following variables.
+ (Optional) EXPIRY\$1DAYS
Specifies how much lead time, in days, before the certificate expiration notice is sent. The function defaults to 45 days, but you can specify custom values.
+ (Optional) SNS\$1TOPIC\$1ARN
Specifies an ARN for an Amazon SNS. Provide the full ARN in the format of arn:aws:sns:**:**:**.
+ (Optional) SECURITY\$1HUB\$1REGION
Specifies an AWS Security Hub CSPM in a different Region. If this is not specified, the Region of the running Lambda function is used. If the function is run in multiple Regions, it may be desirable to have all certificate messages go to Security Hub CSPM in a single Region.
1. Under **Basic settings**, set **Timeout** to 30 seconds.
1. At the top of the page, choose **Deploy**.
Complete the tasks in the following procedure to begin using this solution.
**To automate an email notice of expiration**
In this example, we provide a single email for each expiring certificate at the moment the event is raised through Amazon EventBridge. By default, ACM raises an event each day for a certificate that is 45 days or less from expiration. (This period can be customized using the [PutAccountConfiguration](https://docs.aws.amazon.com/acm/latest/APIReference/API_PutAccountConfiguration.html) operation of the ACM API.) Each of these events triggers the following cascade of automated actions:
```
ACM raises Amazon EventBridge event →
>>>>>>> events
Event matches Amazon EventBridge rule →
Rule calls Lambda function →
Function sends SNS email and logs a Finding in Security Hub CSPM
```
1. Create the Lambda function and configure permissions. (Already completed – see [To set up a Lambda function and IAM role](#lambda-setup)).
1. Create a *standard* SNS topic for the Lambda function to use to send out notifications. For more information, see [Creating an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html).
1. Subscribe any interested parties to the new SNS topic. For more information, see [Subscribing to an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html).
1. Create an Amazon EventBridge rule to trigger the Lambda function. For more information, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html).
In the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/), navigate to the **Events** > **Rules** page and choose **Create rule**. Specify **Service Name**, **Event Type**, and **Lambda function**. In the **Event Pattern preview** editor, paste the following code:
```
{
"source": [
"aws.acm"
],
"detail-type": [
"ACM Certificate Approaching Expiration"
]
}
```
An event such as Lambda receives is displayed under **Show sample event(s)**:
```
{
"version": "0",
"id": "9c95e8e4-96a4-ef3f-b739-b6aa5b193afb",
"detail-type": "ACM Certificate Approaching Expiration",
"source": "aws.acm",
"account": "123456789012",
"time": "2020-09-30T06:51:08Z",
"region": "us-east-1",
"resources": [
"arn:aws:acm:us-east-1:123456789012:certificate/61f50cd4-45b9-4259-b049-d0a53682fa4b"
],
"detail": {
"DaysToExpiry": 31,
"CommonName": "My Awesome Service"
}
}
```
**To clean up**
Once you no longer need the example configuration, or any configuration, it is a best practice to remove all traces of it to avoid security problems and unexpected future charges:
+ IAM policy and role
+ Lambda function
+ CloudWatch Events rule
+ CloudWatch Logs associated with Lambda
+ SNS Topic
# Using CloudTrail with AWS Certificate Manager
AWS Certificate Manager is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in ACM. CloudTrail is enabled by default on your AWS account. CloudTrail captures API calls for ACM as events, including calls from the ACM console and code calls to the ACM API operations. If you configure a *trail*, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for ACM. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**.
Using the information collected by CloudTrail, you can determine the request that was made to ACM, the IP address from which the request was made, who made the request, when it was made, and additional details. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). When supported event activity occurs in ACM, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account.
Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.
For more information about CloudTrail, consult the following documentation:
+ [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
**Topics**
+ [ACM API actions supported in CloudTrail logging](acm-supported-actions-in-cloudtrail.md)
+ [Logging API calls for integrated services](ct-related.md)
# ACM API actions supported in CloudTrail logging
ACM supports logging the following actions as events in CloudTrail log files:
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with AWS account root user or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service
For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
The following sections provide example logs for the supported API operations.
+ [Adding tags to a certificate ([AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html))](#ct-acm-addtags)
+ [Deleting a certificate ([DeleteCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DeleteCertificate.html))](#ct-acm-delete)
+ [Describing a certificate ([DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html))](#ct-acm-describe)
+ [Exporting a certificate ([ExportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExportCertificate.html))](#ct-acm-export)
+ [Import a certificate ([ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html))](#ct-acm-import)
+ [Listing certificates ([ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html))](#ct-acm-list)
+ [Listing tags for a certificate ([ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html))](#ct-acm-listtags)
+ [Removing tags from a certificate ([RemoveTagsFromCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RemoveTagsFromCertificate.html))](#ct-acm-removetag)
+ [Requesting a certificate ([RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html))](#ct-acm-request)
+ [Resending validation email ([ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html))](#ct-acm-resendmail)
+ [Retrieving a certificate ([GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html))](#ct-acm-get)
+ [Searching certificates ([SearchCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_SearchCertificates.html))](#ct-acm-search)
## Adding tags to a certificate ([AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html))
The following CloudTrail example shows the results of a call to the [AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T13:53:53Z",
"eventSource":"acm.amazonaws.com",
"eventName":"AddTagsToCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"requestParameters":{
"tags":[
{
"value":"Alice",
"key":"Admin"
}
],
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Deleting a certificate ([DeleteCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DeleteCertificate.html))
The following CloudTrail example shows the results of a call to the [DeleteCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DeleteCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:26Z",
"eventSource":"acm.amazonaws.com",
"eventName":"DeleteCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
},
"responseElements":null,
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"01234567-89ab-cdef-0123-456789abcdef",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Describing a certificate ([DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html))
The following CloudTrail example shows the results of a call to the [DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html) API.
**Note**
The CloudTrail log for the `DescribeCertificate` operation does not display information about the ACM certificate you specify. You can view information about the certificate by using the console, the AWS Command Line Interface, or the [DescribeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_DescribeCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:42Z",
"eventSource":"acm.amazonaws.com",
"eventName":"DescribeCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Exporting a certificate ([ExportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExportCertificate.html))
The following CloudTrail example shows the results of a call to the [ExportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ExportCertificate.html) API.
```
{
"Records":[
{
"version":"0",
"id":"01234567-89ab-cdef-0123-456789abcdef",
"detail-type":"AWS API Call via CloudTrail",
"source":"aws.acm",
"account":"123456789012",
"time":"2018-05-24T15:28:11Z",
"region":"us-east-1",
"resources":[
],
"detail":{
"eventVersion":"1.04",
"userIdentity":{
"type":"Root",
"principalId":"123456789012",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2018-05-24T15:28:11Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ExportCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"passphrase": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"responseElements":{
"certificateChain":
"-----BEGIN CERTIFICATE-----
base64 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
base64 certificate
-----END CERTIFICATE-----",
"privateKey":"**********",
"certificate":
"-----BEGIN CERTIFICATE-----
base64 certificate
-----END CERTIFICATE-----",
"privateKey": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"fedcba98-7654-3210-fedc-ba9876543210",
"readOnly": false,
"eventType":"AwsApiCall"
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
```
## Import a certificate ([ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html))
The following example shows the CloudTrail log entry that records a call to the ACM [ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html) API operation.
```
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::111122223333:user/Alice",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-10-04T16:01:30Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ImportCertificate",
"awsRegion":"ap-southeast-2",
"sourceIPAddress":"54.240.193.129",
"userAgent":"Coral/Netty",
"requestParameters":{
"privateKey":{
"hb":[
"byte",
"byte",
"byte",
"..."
],
"offset":0,
"isReadOnly":false,
"bigEndian":true,
"nativeByteOrder":false,
"mark":-1,
"position":0,
"limit":1674,
"capacity":1674,
"address":0
},
"certificateChain":{
"hb":[
"byte",
"byte",
"byte",
"..."
],
"offset":0,
"isReadOnly":false,
"bigEndian":true,
"nativeByteOrder":false,
"mark":-1,
"position":0,
"limit":2105,
"capacity":2105,
"address":0
},
"certificate":{
"hb":[
"byte",
"byte",
"byte",
"..."
],
"offset":0,
"isReadOnly":false,
"bigEndian":true,
"nativeByteOrder":false,
"mark":-1,
"position":0,
"limit":2503,
"capacity":2503,
"address":0
}
},
"responseElements":{
"certificateArn":"arn:aws:acm:ap-southeast-2:111122223333:certificate/01234567-89ab-cdef-0123-456789abcdef"
},
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"01234567-89ab-cdef-0123-456789abcdef",
"eventType":"AwsApiCall",
"recipientAccountId":"111122223333"
}
```
## Listing certificates ([ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html))
The following CloudTrail example shows the results of a call to the [ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html) API.
**Note**
The CloudTrail log for the `ListCertificates` operation does not display your ACM certificates. You can view the certificate list by using the console, the AWS Command Line Interface, or the [ListCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListCertificates.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:43Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ListCertificates",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"maxItems":1000,
"certificateStatuses":[
"ISSUED"
]
},
"responseElements":null,
"requestID":"74c99844-ec9c-11e5-ac34-d1e4dfe1a11b",
"eventID":"cdfe1051-88aa-4aa3-8c33-a325270bff21",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Listing tags for a certificate ([ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html))
The following CloudTrail example shows the results of a call to the [ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html) API.
**Note**
The CloudTrail log for the `ListTagsForCertificate` operation does not display your tags. You can view the tag list by using the console, the AWS Command Line Interface, or the [ListTagsForCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ListTagsForCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T13:30:11Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ListTagsForCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"responseElements":null,
"requestID":"b010767f-fbfb-11e5-b596-79e9a97a2544",
"eventID":"32181be6-a4a0-48d3-8014-c0d972b5163b",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Removing tags from a certificate ([RemoveTagsFromCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RemoveTagsFromCertificate.html))
The following CloudTrail example shows the results of a call to the [RemoveTagsFromCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RemoveTagsFromCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T14:10:01Z",
"eventSource":"acm.amazonaws.com",
"eventName":"RemoveTagsFromCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"tags":[
{
"value":"Bob",
"key":"Admin"
}
]
},
"responseElements":null,
"requestID":"40ded461-fc01-11e5-a747-85804766d6c9",
"eventID":"0cfa142e-ef74-4b21-9515-47197780c424",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Requesting a certificate ([RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html))
The following CloudTrail example shows the results of a call to the [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:49Z",
"eventSource":"acm.amazonaws.com",
"eventName":"RequestCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"domainName":"example.com",
"validationMethod": "DNS",
"idempotencyToken":"8186023d89681c3ad5",
"options": {
"export": "ENABLED"
},
"keyAlgorithm": "RSA_2048"
},
"responseElements":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"requestID":"77dacef3-ec9c-11e5-ac34-d1e4dfe1a11b",
"eventID":"a4954cdb-8f38-44c7-8927-a38ad4be3ac8",
"eventType":"AwsApiCall",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
},
"recipientAccountId":"123456789012"
}
]
}
```
## Revoke a certificate ([RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html))
The following CloudTrail example shows the results of a call to the [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) API.
```
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name",
"arn": arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/Admin",
"accountId": "123456789012",
"userName": "Admin"
},
"attributes": {
"creationDate": "2016-01-01T19:35:52Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime":"2016-01-01T21:11:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "RevokeCertificate",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
"requestParameters": {
"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"revocationReason": "UNSPECIFIED"
},
"responseElements": {
"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"requestID": "01234567-89ab-cdef-0123-456789abcdef",
"eventID": "01234567-89ab-cdef-0123-456789abcdef",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
```
## Resending validation email ([ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html))
The following CloudTrail example shows the results of a call to the [ResendValidationEmail](https://docs.aws.amazon.com/acm/latest/APIReference/API_ResendValidationEmail.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-17T23:58:25Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ResendValidationEmail",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"domain":"example.com",
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"validationDomain":"example.com"
},
"responseElements":null,
"requestID":"23760b88-ec9c-11e5-b6f4-cb861a6f0a28",
"eventID":"41c11b06-ca91-4c1c-8c61-af349ea8bab8",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Retrieving a certificate ([GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html))
The following CloudTrail example shows the results of a call to the [GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:41Z",
"eventSource":"acm.amazonaws.com",
"eventName":"GetCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"responseElements":{
"certificateChain":
"-----BEGIN CERTIFICATE-----
Base64-encoded certificate chain
-----END CERTIFICATE-----",
"certificate":
"-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----"
},
"requestID":"744dd891-ec9c-11e5-ac34-d1e4dfe1a11b",
"eventID":"7aa4f909-00dd-478a-9a00-b2709bcad2bb",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
## Searching certificates ([SearchCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_SearchCertificates.html))
The following CloudTrail example shows the results of a call to the [SearchCertificates](https://docs.aws.amazon.com/acm/latest/APIReference/API_SearchCertificates.html) API.
```
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T13:53:53Z",
"eventSource":"acm.amazonaws.com",
"eventName":"SearchCertificates",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"readOnly":true,
"requestParameters":{
"maxResults":10,
"sortBy":"CREATED_AT",
"sortOrder":"DESCENDING"
},
"responseElements":null,
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"01234567-89ab-cdef-0123-456789abcdef",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
```
# Logging API calls for integrated services
You can use CloudTrail to audit API calls made by services that are integrated with ACM. For more information about using CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html). The following examples show the types of logs that can be generated depending on the AWS resources on which you provision the ACM certificate.
**Topics**
+ [Creating a load balancer](#ct-related-lb)
## Creating a load balancer
You can use CloudTrail to audit API calls made by services that are integrated with ACM. For more information about using CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html). The following examples show the types of logs that can be generated depending on the AWS resources on which you provision the ACM certificate.
**Topics**
+ [Creating a Load Balancer](#ct-related-lb)
+ [Registering an Amazon EC2 Instance with a Load Balancer](#ct-related-ec2)
+ [Encrypting a Private Key](#ct-related-encrypt)
+ [Decrypting a Private Key](#ct-related-decrypt)
### Creating a Load Balancer
The following example shows a call to the `CreateLoadBalancer` function by an IAM user named Alice. The name of the load balancer is `TestLinuxDefault`, and the listener is created using an ACM certificate.
```
{
"eventVersion":"1.03",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::111122223333:user/Alice",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-01-01T21:10:36Z",
"eventSource":"elasticloadbalancing.amazonaws.com",
"eventName":"CreateLoadBalancer",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0/24",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"availabilityZones":[
"us-east-1b"
],
"loadBalancerName":"LinuxTest",
"listeners":[
{
"sSLCertificateId":"arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012",
"protocol":"HTTPS",
"loadBalancerPort":443,
"instanceProtocol":"HTTP",
"instancePort":80
}
]
},
"responseElements":{
"dNSName":"LinuxTest-1234567890.us-east-1.elb.amazonaws.com"
},
"requestID":"19669c3b-b0cc-11e5-85b2-57397210a2e5",
"eventID":"5d6c00c9-a9b8-46ef-9f3b-4589f5be63f7",
"eventType":"AwsApiCall",
"recipientAccountId":"111122223333"
}
```
### Registering an Amazon EC2 Instance with a Load Balancer
When you provision your website or application on an Amazon Elastic Compute Cloud (Amazon EC2) instance, the load balancer must be made aware of that instance. This can be accomplished through the Elastic Load Balancing console or the AWS Command Line Interface. The following example shows a call to `RegisterInstancesWithLoadBalancer` for a load balancer named LinuxTest on AWS account 123456789012.
```
{
"eventVersion":"1.03",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/ALice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice",
"sessionContext":{
"attributes":{
"mfaAuthenticated":"false",
"creationDate":"2016-01-01T19:35:52Z"
}
},
"invokedBy":"signin.amazonaws.com"
},
"eventTime":"2016-01-01T21:11:45Z",
"eventSource":"elasticloadbalancing.amazonaws.com",
"eventName":"RegisterInstancesWithLoadBalancer",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0/24",
"userAgent":"signin.amazonaws.com",
"requestParameters":{
"loadBalancerName":"LinuxTest",
"instances":[
{
"instanceId":"i-c67f4e78"
}
]
},
"responseElements":{
"instances":[
{
"instanceId":"i-c67f4e78"
}
]
},
"requestID":"438b07dc-b0cc-11e5-8afb-cda7ba020551",
"eventID":"9f284ca6-cbe5-42a1-8251-4f0e6b5739d6",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
```
### Encrypting a Private Key
The following example shows an `Encrypt` call that encrypts the private key associated with an ACM certificate. Encryption is performed within AWS.
```
{
"Records":[
{
"eventVersion":"1.03",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::111122223333:user/acm",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"acm"
},
"eventTime":"2016-01-05T18:36:29Z",
"eventSource":"kms.amazonaws.com",
"eventName":"Encrypt",
"awsRegion":"us-east-1",
"sourceIPAddress":"AWS Internal",
"userAgent":"aws-internal",
"requestParameters":{
"keyId":"arn:aws:kms:us-east-1:123456789012:alias/aws/acm",
"encryptionContext":{
"aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
}
},
"responseElements":null,
"requestID":"3c417351-b3db-11e5-9a24-7d9457362fcc",
"eventID":"1794fe70-796a-45f5-811b-6584948f24ac",
"readOnly":true,
"resources":[
{
"ARN":"arn:aws:kms:us-east-1:123456789012:key/87654321-4321-4321-4321-210987654321",
"accountId":"123456789012"
}
],
"eventType":"AwsServiceEvent",
"recipientAccountId":"123456789012"
}
]
}
```
### Decrypting a Private Key
The following example shows a `Decrypt` call that decrypts the private key associated with an ACM certificate. Decryption is performed within AWS, and the decrypted key never leaves AWS.
```
{
"eventVersion":"1.03",
"userIdentity":{
"type":"AssumedRole",
"principalId":"AIDACKCEVSQ6C2EXAMPLE:1aba0dc8b3a728d6998c234a99178eff",
"arn":"arn:aws:sts::111122223333:assumed-role/DecryptACMCertificate/1aba0dc8b3a728d6998c234a99178eff",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"sessionContext":{
"attributes":{
"mfaAuthenticated":"false",
"creationDate":"2016-01-01T21:13:28Z"
},
"sessionIssuer":{
"type":"Role",
"principalId":"APKAEIBAERJR2EXAMPLE",
"arn":"arn:aws:iam::111122223333:role/DecryptACMCertificate",
"accountId":"111122223333",
"userName":"DecryptACMCertificate"
}
}
},
"eventTime":"2016-01-01T21:13:28Z",
"eventSource":"kms.amazonaws.com",
"eventName":"Decrypt",
"awsRegion":"us-east-1",
"sourceIPAddress":"AWS Internal",
"userAgent":"aws-internal/3",
"requestParameters":{
"encryptionContext":{
"aws:elasticloadbalancing:arn":"arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/LinuxTest",
"aws:acm:arn":"arn:aws:acm:us-east-1:123456789012:certificate/87654321-4321-4321-4321-210987654321"
}
},
"responseElements":null,
"requestID":"809a70ff-b0cc-11e5-8f42-c7fdf1cb6e6a",
"eventID":"7f89f7a7-baff-4802-8a88-851488607fb9",
"readOnly":true,
"resources":[
{
"ARN":"arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
"accountId":"123456789012"
}
],
"eventType":"AwsServiceEvent",
"recipientAccountId":"123456789012"
}
```
# Supported CloudWatch metrics
Amazon CloudWatch is a monitoring service for AWS resources. You can use CloudWatch to collect and track metrics, set alarms, and automatically react to changes in your AWS resources. ACM publishes metrics twice per day for every certificate in an account until expiration.
The `AWS/CertificateManager` namespace includes the following metric.
****
| Metric | Description | Unit | Dimensions |
| --- | --- | --- | --- |
| DaysToExpiry | Number of days until a certificate expires. ACM stops publishing this metric after a certificate expires. | Integer | CertificateArn[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/acm/latest/userguide/cloudwatch-metrics.html) |
For more information about CloudWatch metrics, see the following topics:
+ [Using Amazon CloudWatch Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html)
+ [Creating Amazon CloudWatch Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html)