ACM certificates should have transparency logging enabled
CT logging publishes every certificate ACM issues to append-only public logs. Without it, a misissued certificate for your domain goes undetected and an attacker can intercept TLS traffic with a certificate that looks perfectly valid. CT logs give you, and anyone else watching, a verifiable record that makes rogue certificates discoverable.
Modern browsers already require CT compliance. Chrome flags certificates without CT log entries. Disabling this preference in ACM removes a free, automatic safety net with no performance cost.
Retrofit consideration
Changing the transparency logging preference can trigger certificate replacement depending on Terraform lifecycle configuration and attached services. CloudFront distributions and ALBs using the certificate may need to reattach after replacement. Monitor validation and deployment status after applying changes.
Implementation
Choose the approach that matches how you manage Terraform.
Use the compliance.tf module to enforce this control by default. See get started with compliance.tf.
module "acm" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/acm/aws"
  version = ">=6.0.0,<7.0.0"

  create_route53_records    = false
  domain_name               = "abc123.pofix.click"
  subject_alternative_names = []
  validate_certificate      = false
  validation_method         = "DNS"
  wait_for_validation       = false
  zone_id                   = "Z1234567890ABC"

  certificate_transparency_logging_preference = "ENABLED"
}
If you use terraform-aws-modules/acm/aws, set the right module inputs for this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = ">=6.0.0,<7.0.0"

  create_route53_records    = false
  domain_name               = "abc123.pofix.click"
  subject_alternative_names = []
  validate_certificate      = false
  validation_method         = "DNS"
  wait_for_validation       = false
  zone_id                   = "Z1234567890ABC"

  certificate_transparency_logging_preference = "ENABLED"
}
Use AWS provider resources directly. See docs for the resources involved: aws_acm_certificate.
resource "aws_acm_certificate" "this" {
  domain_name       = "abc123.pofix.click"
  validation_method = "DNS"

  options {
    certificate_transparency_logging_preference = "ENABLED"
  }
}
What this control checks
In aws_acm_certificate, the options block must include certificate_transparency_logging_preference set to "ENABLED". ACM enables this by default when the options block is omitted entirely, but explicitly setting it prevents accidental overrides from a later block addition. A certificate fails this control if certificate_transparency_logging_preference is set to "DISABLED". Imported certificates fall outside this check: CT logging applies to publicly trusted certificates issued by ACM, not to certificates brought in through the import workflow.
Common pitfalls
Omitting the options block relies on default behavior
ACM defaults to CT logging enabled when no options block is present, which passes this control today. The risk is that adding an options block later, for any reason, without explicitly setting certificate_transparency_logging_preference = "ENABLED" silently disables logging on the next terraform apply. Set the value explicitly so the intent is clear and drift-resistant.
Imported certificates are not covered
Certificates imported into ACM weren't issued by ACM's public CAs, so the options block has no effect on them. CT logging for imported certificates is the issuing CA's responsibility, not ACM's. If your environment relies on imported certificates, verify that CT logging is configured at the CA level.
Private CA certificates do not support CT logging
Certificates issued from AWS Private CA via aws_acmpca_certificate don't participate in public CT logs. This control only applies to publicly trusted certificates issued by ACM. Don't conflate the two issuance paths: certificate_transparency_logging_preference has no effect on Private CA certificates.
Audit evidence
Config rule evaluation results for acm-certificate-transparency-logging-check across every region where certificates are deployed. Per-certificate confirmation via aws acm describe-certificate should show "CertificateTransparencyLoggingPreference": "ENABLED" in the Options field. CloudTrail RequestCertificate events provide request context but don't reflect current configuration state; Config evaluations and ACM certificate details are the authoritative source for compliance status.
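The grading logic described under "What this control checks" and the evidence review described above, as an added example that is not compliance.tf code: the first function grades aws_acm_certificate entries in terraform show -json output (omitted options block passes by default, DISABLED fails), the second grades aws acm describe-certificate output and treats IMPORTED and PRIVATE certificates as out of scope. All JSON documents in the block are constructed samples.

```python
# Added example, not compliance.tf code. Grades the CT-logging control on plan-time evidence
# (`terraform show -json`) and run-time evidence (`aws acm describe-certificate`).
import json

def check_plan_resource(rc: dict) -> str:
    """Grade one resource_changes entry as PASS, PASS_DEFAULT, FAIL or N/A."""
    if rc.get("type") != "aws_acm_certificate":
        return "N/A"
    after = rc.get("change", {}).get("after")
    if after is None:                       # destroy: nothing to evaluate
        return "N/A"
    options = after.get("options") or []    # nested blocks appear as lists in plan JSON
    if not options:
        return "PASS_DEFAULT"               # ACM default applies, but intent is implicit
    pref = options[0].get("certificate_transparency_logging_preference")
    return "PASS" if pref == "ENABLED" else "FAIL"

def check_plan(plan_json: str) -> dict:
    """Map every aws_acm_certificate address in a plan to its grade."""
    plan = json.loads(plan_json)
    return {rc["address"]: check_plan_resource(rc)
            for rc in plan.get("resource_changes", [])
            if rc.get("type") == "aws_acm_certificate"}

def check_describe_output(describe_json: str) -> str:
    """Grade describe-certificate output; IMPORTED and PRIVATE types are out of scope."""
    cert = json.loads(describe_json)["Certificate"]
    if cert.get("Type") != "AMAZON_ISSUED":
        return "N/A"
    pref = cert.get("Options", {}).get("CertificateTransparencyLoggingPreference")
    if pref is None:
        return "UNKNOWN"
    return "PASS" if pref == "ENABLED" else "FAIL"

# Constructed plan excerpt: explicit ENABLED, explicit DISABLED, and an omitted options block.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_acm_certificate.explicit", "type": "aws_acm_certificate", "change": {"actions": ["create"],
     "after": {"options": [{"certificate_transparency_logging_preference": "ENABLED"}]}}},
    {"address": "aws_acm_certificate.disabled", "type": "aws_acm_certificate", "change": {"actions": ["create"],
     "after": {"options": [{"certificate_transparency_logging_preference": "DISABLED"}]}}},
    {"address": "aws_acm_certificate.implicit", "type": "aws_acm_certificate", "change": {"actions": ["create"],
     "after": {"options": []}}}]})

# Constructed describe-certificate output for an imported certificate (control does not apply).
SAMPLE_IMPORTED = json.dumps({"Certificate": {"DomainName": "abc123.pofix.click",
    "Type": "IMPORTED", "Options": {"CertificateTransparencyLoggingPreference": "DISABLED"}}})

print(check_plan(SAMPLE_PLAN), check_describe_output(SAMPLE_IMPORTED))
```

PASS_DEFAULT is worth reporting separately: it satisfies the control today but is exactly the "relies on default behavior" pitfall.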
Framework-specific interpretation
NIST Cybersecurity Framework v2.0: PR.DS and DE.CM both apply here. CT logging keeps certificate issuance observable through public append-only logs, which is what DE.CM continuous monitoring needs for anything relying on ACM certificates. Maintaining verifiable trust chains covers the PR.DS data security requirement.
Tool mappings
Use these identifiers to cross-reference this control across tools, reports, and evidence.
Compliance.tf Control: acm_certificate_transparency_logging_enabled
Checkov Check: CKV_AWS_234
Powerpipe Control: aws_compliance.control.acm_certificate_transparency_logging_enabled
Prowler Check: acm_certificates_transparency_logs_enabled
Last reviewed: 2026-03-08