Select Language:
If you’ve noticed some unfamiliar account IDs associated with your ACM certificates, there’s usually no cause for alarm. This behavior is common and doesn’t indicate any security risk because the certificates aren’t being accessed by third parties. Instead, these account IDs belong to AWS service teams—Amazon’s own infrastructure accounts.
When you set up a custom domain for certain AWS services, AWS automatically creates behind-the-scenes resources like CloudFront distributions or Application Load Balancers (ALBs) in their own dedicated accounts to manage traffic. These resources are encrypted with your certificate, which is why ACM lists their ARNs—revealing the AWS internal account IDs.
Some of the main services where this happens include:
- API Gateway: When you create a custom domain, a CloudFront distribution or ALB is provisioned within an AWS service account.
- Cognito: Setting a custom domain for your user pool uses a CloudFront distribution owned by Cognito.
- OpenSearch Service: Configuring a custom endpoint involves an ALB in an AWS-managed account.
- AppSync: Custom domains here utilize AWS-owned CloudFront distributions as well.
If you want to stop these third-party accounts from using your certificates, it’s important to understand that you can’t simply revoke permissions through IAM or ACM because these associations are managed directly by the AWS services. These links are established during your configuration process, not through manual permissions.
To remove the association, follow these steps:
-
Identify what’s creating the association: Check your AWS account for any active custom domains in services like API Gateway, Cognito, OpenSearch, or AppSync. Keep in mind that for regions using Edge-optimized settings, the relevant resources need to be in the US East (N. Virginia) region.
-
Delete the resource causing the link: Within each specific service, delete the custom domain or endpoint configuration that was set up.
-
Allow time for cleanup: After deletion, AWS begins tearing down the associated infrastructure components like CloudFront distributions or ALBs. This process typically takes between 30 to 60 minutes to complete, after which the association no longer appears in your ACM console.
By following this process, you can effectively remove these internal AWS links from your certificates. Remember, these associations are created to streamline your experience and don’t compromise your security.




