ACM API actions supported in CloudTrail logging
ACM supports logging the following actions as events in CloudTrail log files:
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
- Whether the request was made with AWS account root user or AWS Identity and Access Management (IAM) user credentials.
- Whether the request was made with temporary security credentials for a role or federated user.
- Whether the request was made by another AWS service.
For more information, see the CloudTrail userIdentity Element.
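The identity questions above, applied to ACM events in a short triage pass. This is an added example, not part of the AWS documentation: the sample events are constructed in the shapes this page shows (a Records wrapper, an envelope with a "detail" object, and a bare event), and the HIGH_INTEREST set, the category labels and the reason strings are assumptions of the example.

```python
import json

ACM_SOURCES = {"acm.amazonaws.com", "acm-acme.amazonaws.com"}
# Assumption of this example: which operations merit review is a local choice.
HIGH_INTEREST = {
    "ExportCertificate", "ImportCertificate", "DeleteCertificate",
    "DeleteAcmeEndpoint", "ChangeAccountKey",
    "GetAcmeExternalAccountBindingCredentials",
}

# Constructed sample input, trimmed to the fields the functions below read.
SAMPLE_DOCS = json.loads("""
[
  {"Records": [{
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
     "eventSource": "acm.amazonaws.com", "eventName": "DeleteCertificate"}]},
  {"Records": [{"detail-type": "AWS API Call via CloudTrail", "detail": {
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "eventSource": "acm.amazonaws.com", "eventName": "ExportCertificate"}}]},
  {"userIdentity": {"type": "Unknown", "principalId": "anonymous", "arn": "anonymous"},
   "eventSource": "acm-acme.amazonaws.com", "eventName": "ChangeAccountKey",
   "resources": [{"type": "AWS::CertificateManager::AcmeEndpoint",
                  "ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/EXAMPLE"}]},
  {"userIdentity": {"type": "AssumedRole",
     "arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
     "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
   "eventSource": "acm.amazonaws.com",
   "eventName": "GetAcmeExternalAccountBindingCredentials"}
]
""")


def iter_events(doc):
    """Yield bare CloudTrail events from any of the three document shapes."""
    if not isinstance(doc, dict):
        return
    if "Records" in doc:
        for rec in doc["Records"]:
            yield from iter_events(rec)
    elif "eventName" in doc:
        yield doc
    elif isinstance(doc.get("detail"), dict):
        yield doc["detail"]


def classify_identity(ui):
    """Map a userIdentity element to one of the caller categories."""
    ui = ui or {}
    kind = ui.get("type")
    # invokedBy is set when an AWS service made the request.
    if ui.get("invokedBy") or kind == "AWSService":
        return "aws-service"
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return "iam-user"
    if kind in ("AssumedRole", "FederatedUser"):
        return "temporary-credentials"
    if ui.get("principalId") == "anonymous":
        return "anonymous"
    return "other"


def triage(docs):
    """Return one finding per ACM event with the caller class and review reasons."""
    findings = []
    for doc in docs:
        for ev in iter_events(doc):
            if ev.get("eventSource") not in ACM_SOURCES:
                continue
            ui = ev.get("userIdentity") or {}
            actor = classify_identity(ui)
            name = ev.get("eventName")
            attrs = (ui.get("sessionContext") or {}).get("attributes") or {}
            reasons = []
            if actor == "root":
                reasons.append("root credentials")
            if actor == "anonymous":
                # No IAM principal is recorded; the resources list names the endpoint.
                reasons.append("no IAM identity; attribute via resources")
            if name in HIGH_INTEREST:
                reasons.append("high-interest operation")
                if attrs.get("mfaAuthenticated") == "false":
                    reasons.append("session without MFA")
            findings.append({
                "eventName": name,
                "actor": actor,
                "principal": ui.get("arn"),
                "resources": [r.get("ARN") for r in ev.get("resources") or []],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DOCS):
        print(json.dumps(finding))
```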
ACM records management events and data events in CloudTrail.
Management events
- Creating an ACME domain validation (CreateAcmeDomainValidation)
- Creating an ACME external account binding (CreateAcmeExternalAccountBinding)
- Deleting an ACME domain validation (DeleteAcmeDomainValidation)
- Deleting an ACME external account binding (DeleteAcmeExternalAccountBinding)
- Describing an ACME domain validation (DescribeAcmeDomainValidation)
- Describing an ACME external account binding (DescribeAcmeExternalAccountBinding)
- Retrieving external account binding credentials (GetAcmeExternalAccountBindingCredentials)
- Listing ACME external account bindings (ListAcmeExternalAccountBindings)
- Removing tags from a certificate (RemoveTagsFromCertificate)
- Revoking an ACME external account binding (RevokeAcmeExternalAccountBinding)
- Updating an ACME domain validation (UpdateAcmeDomainValidation)
Data events
Management events
ACM logs the following operations as CloudTrail management events. Management events are logged by default.
Adding tags to a certificate (AddTagsToCertificate)
The following CloudTrail example shows the results of a call to the AddTagsToCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T13:53:53Z",
"eventSource":"acm.amazonaws.com",
"eventName":"AddTagsToCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"requestParameters":{
"tags":[
{
"value":"Alice",
"key":"Admin"
}
],
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Changing an ACME account key (ChangeAccountKey)
The following CloudTrail example shows a log entry for the
ChangeAccountKey operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:29:57Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "ChangeAccountKey",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"innerJws": "EXAMPLE"
},
"responseElements": {
"location": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"status": "valid",
"orders": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/orders"
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Creating an ACME domain validation (CreateAcmeDomainValidation)
The following CloudTrail example shows a log entry for the
CreateAcmeDomainValidation operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "CreateAcmeDomainValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"idempotencyToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"domainName": "example.com",
"prevalidationOptions": {
"dnsPrevalidation": {
"domainScope": {
"exactDomain": "ENABLED"
},
"hostedZoneId": "Z00443972VKAL6HT44MI"
}
}
},
"responseElements": {
"acmeDomainValidationArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeDomainValidation",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Creating an ACME endpoint (CreateAcmeEndpoint)
The following CloudTrail example shows a log entry for the
CreateAcmeEndpoint operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "CreateAcmeEndpoint",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"idempotencyToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"authorizationBehavior": "PRE_APPROVED",
"certificateAuthority": {
"publicCertificateAuthority": {
}
}
},
"responseElements": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Creating an ACME external account binding (CreateAcmeExternalAccountBinding)
The following CloudTrail example shows a log entry for the
CreateAcmeExternalAccountBinding operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "CreateAcmeExternalAccountBinding",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"idempotencyToken": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"roleArn": "arn:aws:iam::123456789012:role/example-role",
"expiration": {
"value": 1,
"type": "DAYS"
}
},
"responseElements": {
"externalAccountBinding": {
"acmeExternalAccountBindingArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"roleArn": "arn:aws:iam::123456789012:role/example-role",
"expiresAt": "2026-06-11T20:28:45Z"
}
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeExternalAccountBinding",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Deleting an ACME domain validation (DeleteAcmeDomainValidation)
The following CloudTrail example shows a log entry for the
DeleteAcmeDomainValidation operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DeleteAcmeDomainValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeDomainValidationArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeDomainValidation",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Deleting an ACME endpoint (DeleteAcmeEndpoint)
The following CloudTrail example shows a log entry for the
DeleteAcmeEndpoint operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DeleteAcmeEndpoint",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Deleting an ACME external account binding (DeleteAcmeExternalAccountBinding)
The following CloudTrail example shows a log entry for the
DeleteAcmeExternalAccountBinding operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DeleteAcmeExternalAccountBinding",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeExternalAccountBindingArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeExternalAccountBinding",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Deleting a certificate (DeleteCertificate)
The following CloudTrail example shows the results of a call to the DeleteCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:26Z",
"eventSource":"acm.amazonaws.com",
"eventName":"DeleteCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
},
"responseElements":null,
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"01234567-89ab-cdef-0123-456789abcdef",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Describing an ACME account (DescribeAcmeAccount)
The following CloudTrail example shows a log entry for the
DescribeAcmeAccount operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:46Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DescribeAcmeAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"accountUrl": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Describing an ACME domain validation (DescribeAcmeDomainValidation)
The following CloudTrail example shows a log entry for the
DescribeAcmeDomainValidation operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:37Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DescribeAcmeDomainValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeDomainValidationArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeDomainValidation",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Describing an ACME endpoint (DescribeAcmeEndpoint)
The following CloudTrail example shows a log entry for the
DescribeAcmeEndpoint operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DescribeAcmeEndpoint",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Describing an ACME external account binding (DescribeAcmeExternalAccountBinding)
The following CloudTrail example shows a log entry for the
DescribeAcmeExternalAccountBinding operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:06Z",
"eventSource": "acm.amazonaws.com",
"eventName": "DescribeAcmeExternalAccountBinding",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeExternalAccountBindingArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeExternalAccountBinding",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Describing a certificate (DescribeCertificate)
The following CloudTrail example shows the results of a call to the DescribeCertificate API.
Note: The CloudTrail log for the DescribeCertificate operation does not display information about the ACM certificate you specify. You can view information about the certificate by using the console, the AWS Command Line Interface, or the DescribeCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:42Z",
"eventSource":"acm.amazonaws.com",
"eventName":"DescribeCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/fedcba98-7654-3210-fedc-ba9876543210"
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Exporting a certificate (ExportCertificate)
The following CloudTrail example shows the results of a call to the ExportCertificate API.
{
"Records":[
{
"version":"0",
"id":"01234567-89ab-cdef-0123-456789abcdef",
"detail-type":"AWS API Call via CloudTrail",
"source":"aws.acm",
"account":"123456789012",
"time":"2018-05-24T15:28:11Z",
"region":"us-east-1",
"resources":[
],
"detail":{
"eventVersion":"1.04",
"userIdentity":{
"type":"Root",
"principalId":"123456789012",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2018-05-24T15:28:11Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ExportCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.15.4 Python/2.7.9 Windows/8 botocore/1.10.4",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"passphrase": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"responseElements":{
"certificateChain":
"-----BEGIN CERTIFICATE-----
base64 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
base64 certificate
-----END CERTIFICATE-----",
"privateKey":"**********",
"certificate":
"-----BEGIN CERTIFICATE-----
base64 certificate
-----END CERTIFICATE-----",
"privateKey": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"fedcba98-7654-3210-fedc-ba9876543210",
"readOnly": false,
"eventType":"AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
}
]
}
Retrieving external account binding credentials (GetAcmeExternalAccountBindingCredentials)
The following CloudTrail example shows a log entry for the
GetAcmeExternalAccountBindingCredentials operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:26Z",
"eventSource": "acm.amazonaws.com",
"eventName": "GetAcmeExternalAccountBindingCredentials",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeExternalAccountBindingArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeExternalAccountBinding",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Retrieving a certificate (GetCertificate)
The following CloudTrail example shows the results of a call to the GetCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:41Z",
"eventSource":"acm.amazonaws.com",
"eventName":"GetCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"responseElements":{
"certificateChain":
"-----BEGIN CERTIFICATE-----
Base64-encoded certificate chain
-----END CERTIFICATE-----",
"certificate":
"-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----"
},
"requestID":"744dd891-ec9c-11e5-ac34-d1e4dfe1a11b",
"eventID":"7aa4f909-00dd-478a-9a00-b2709bcad2bb",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Importing a certificate (ImportCertificate)
The following example shows the CloudTrail log entry that records a call to the ACM ImportCertificate API operation.
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::111122223333:user/Alice",
"accountId":"111122223333",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-10-04T16:01:30Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ImportCertificate",
"awsRegion":"ap-southeast-2",
"sourceIPAddress":"54.240.193.129",
"userAgent":"Coral/Netty",
"requestParameters":{
"privateKey":{
"hb":[
"byte",
"byte",
"byte",
"..."
],
"offset":0,
"isReadOnly":false,
"bigEndian":true,
"nativeByteOrder":false,
"mark":-1,
"position":0,
"limit":1674,
"capacity":1674,
"address":0
},
"certificateChain":{
"hb":[
"byte",
"byte",
"byte",
"..."
],
"offset":0,
"isReadOnly":false,
"bigEndian":true,
"nativeByteOrder":false,
"mark":-1,
"position":0,
"limit":2105,
"capacity":2105,
"address":0
},
"certificate":{
"hb":[
"byte",
"byte",
"byte",
"..."
],
"offset":0,
"isReadOnly":false,
"bigEndian":true,
"nativeByteOrder":false,
"mark":-1,
"position":0,
"limit":2503,
"capacity":2503,
"address":0
}
},
"responseElements":{
"certificateArn":"arn:aws:acm:ap-southeast-2:111122223333:certificate/01234567-89ab-cdef-0123-456789abcdef"
},
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"01234567-89ab-cdef-0123-456789abcdef",
"eventType":"AwsApiCall",
"recipientAccountId":"111122223333"
}
Listing ACME accounts (ListAcmeAccounts)
The following CloudTrail example shows a log entry for the
ListAcmeAccounts operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:37Z",
"eventSource": "acm.amazonaws.com",
"eventName": "ListAcmeAccounts",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Listing ACME domain validations (ListAcmeDomainValidations)
The following CloudTrail example shows a log entry for the
ListAcmeDomainValidations operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:57Z",
"eventSource": "acm.amazonaws.com",
"eventName": "ListAcmeDomainValidations",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Listing ACME endpoints (ListAcmeEndpoints)
The following CloudTrail example shows a log entry for the
ListAcmeEndpoints operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:56Z",
"eventSource": "acm.amazonaws.com",
"eventName": "ListAcmeEndpoints",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": null,
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Listing ACME external account bindings (ListAcmeExternalAccountBindings)
The following CloudTrail example shows a log entry for the
ListAcmeExternalAccountBindings operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:15Z",
"eventSource": "acm.amazonaws.com",
"eventName": "ListAcmeExternalAccountBindings",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Listing certificates (ListCertificates)
The following CloudTrail example shows the results of a call to the ListCertificates API.
Note
The CloudTrail log for the ListCertificates operation does not
display your ACM certificates. You can view the certificate list by using
the console, the AWS Command Line Interface, or the ListCertificates
API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:43Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ListCertificates",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"maxItems":1000,
"certificateStatuses":[
"ISSUED"
]
},
"responseElements":null,
"requestID":"74c99844-ec9c-11e5-ac34-d1e4dfe1a11b",
"eventID":"cdfe1051-88aa-4aa3-8c33-a325270bff21",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Listing tags for a certificate (ListTagsForCertificate)
The following CloudTrail example shows the results of a call to the ListTagsForCertificate API.
Note
The CloudTrail log for the ListTagsForCertificate operation does
not display your tags. You can view the tag list by using the console, the
AWS Command Line Interface, or the ListTagsForCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T13:30:11Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ListTagsForCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"responseElements":null,
"requestID":"b010767f-fbfb-11e5-b596-79e9a97a2544",
"eventID":"32181be6-a4a0-48d3-8014-c0d972b5163b",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Listing tags for a resource (ListTagsForResource)
The following example shows a CloudTrail log entry for the ListTagsForResource API.
The CloudTrail log for the ListTagsForResource operation does not
display tags in the response elements.
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2026-01-15T20:43:00Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ListTagsForResource",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/2.0",
"requestParameters":{
"resourceArn":"arn:aws:acm:us-east-1:123456789012:acme-endpoint/ep-abc123"
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543212",
"eventID":"12345678-1234-1234-1234-123456789014",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
Managing an ACME account (ManageAccount)
The following CloudTrail example shows a log entry for the
ManageAccount operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:30:40Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "ManageAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"accountId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": {
"location": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"status": "valid",
"contact": "HIDDEN_DUE_TO_SECURITY_REASONS",
"orders": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/orders"
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Registering an ACME account (NewAccount)
The following CloudTrail example shows a log entry for the
NewAccount operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:30:39Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "NewAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"contact": "HIDDEN_DUE_TO_SECURITY_REASONS",
"externalAccountBinding": {
"jwsProtected": "EXAMPLE",
"payload": "EXAMPLE",
"signature": "EXAMPLE"
}
},
"responseElements": {
"location": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"status": "valid",
"contact": "HIDDEN_DUE_TO_SECURITY_REASONS",
"orders": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/orders",
"externalAccountBinding": {
"jwsProtected": "EXAMPLE",
"payload": "EXAMPLE",
"signature": "EXAMPLE"
},
"statusCode": 201
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Removing tags from a certificate (RemoveTagsFromCertificate)
The following CloudTrail example shows the results of a call to the RemoveTagsFromCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T14:10:01Z",
"eventSource":"acm.amazonaws.com",
"eventName":"RemoveTagsFromCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"requestParameters":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"tags":[
{
"value":"Bob",
"key":"Admin"
}
]
},
"responseElements":null,
"requestID":"40ded461-fc01-11e5-a747-85804766d6c9",
"eventID":"0cfa142e-ef74-4b21-9515-47197780c424",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Requesting a certificate (RequestCertificate)
The following CloudTrail example shows the results of a call to the RequestCertificate API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-18T00:00:49Z",
"eventSource":"acm.amazonaws.com",
"eventName":"RequestCertificate",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"domainName":"example.com",
"validationMethod": "DNS",
"idempotencyToken":"8186023d89681c3ad5",
"options": {
"export": "ENABLED"
},
"keyAlgorithm": "RSA_2048"
},
"responseElements":{
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"requestID":"77dacef3-ec9c-11e5-ac34-d1e4dfe1a11b",
"eventID":"a4954cdb-8f38-44c7-8927-a38ad4be3ac8",
"eventType":"AwsApiCall",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
},
"recipientAccountId":"123456789012"
}
]
}
Resending validation email (ResendValidationEmail)
The following CloudTrail example shows the results of a call to the ResendValidationEmail API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-03-17T23:58:25Z",
"eventSource":"acm.amazonaws.com",
"eventName":"ResendValidationEmail",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.9.15",
"requestParameters":{
"domain":"example.com",
"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"validationDomain":"example.com"
},
"responseElements":null,
"requestID":"23760b88-ec9c-11e5-b6f4-cb861a6f0a28",
"eventID":"41c11b06-ca91-4c1c-8c61-af349ea8bab8",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Revoking an ACME account (RevokeAcmeAccount)
The following CloudTrail example shows a log entry for the
RevokeAcmeAccount operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:46Z",
"eventSource": "acm.amazonaws.com",
"eventName": "RevokeAcmeAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"accountUrl": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acct/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Revoking an ACME external account binding (RevokeAcmeExternalAccountBinding)
The following CloudTrail example shows a log entry for the
RevokeAcmeExternalAccountBinding operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:56Z",
"eventSource": "acm.amazonaws.com",
"eventName": "RevokeAcmeExternalAccountBinding",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeExternalAccountBindingArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeExternalAccountBinding",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-external-account-binding/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Revoking a certificate (RevokeCertificate)
The following CloudTrail example shows the results of a call to the RevokeCertificate API.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name",
"arn": "arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::123456789012:role/Admin",
"accountId": "123456789012",
"userName": "Admin"
},
"attributes": {
"creationDate": "2016-01-01T19:35:52Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime":"2016-01-01T21:11:45Z",
"eventSource": "acm.amazonaws.com",
"eventName": "RevokeCertificate",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0",
"requestParameters": {
"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"revocationReason": "UNSPECIFIED"
},
"responseElements": {
"certificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
},
"requestID": "01234567-89ab-cdef-0123-456789abcdef",
"eventID": "01234567-89ab-cdef-0123-456789abcdef",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}
Searching certificates (SearchCertificates)
The following CloudTrail example shows the results of a call to the SearchCertificates API.
{
"Records":[
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2016-04-06T13:53:53Z",
"eventSource":"acm.amazonaws.com",
"eventName":"SearchCertificates",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/1.10.16",
"readOnly":true,
"requestParameters":{
"maxResults":10,
"sortBy":"CREATED_AT",
"sortOrder":"DESCENDING"
},
"responseElements":null,
"requestID":"01234567-89ab-cdef-0123-456789abcdef",
"eventID":"01234567-89ab-cdef-0123-456789abcdef",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
]
}
Tagging a resource (TagResource)
The following example shows a CloudTrail log entry for the TagResource API.
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2026-01-15T20:41:00Z",
"eventSource":"acm.amazonaws.com",
"eventName":"TagResource",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/2.0",
"requestParameters":{
"resourceArn":"arn:aws:acm:us-east-1:123456789012:acme-endpoint/ep-abc123",
"tags":[
{
"key":"Environment",
"value":"Production"
}
]
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543210",
"eventID":"12345678-1234-1234-1234-123456789012",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
Removing tags from a resource (UntagResource)
The following example shows a CloudTrail log entry for the UntagResource API.
{
"eventVersion":"1.04",
"userIdentity":{
"type":"IAMUser",
"principalId":"AIDACKCEVSQ6C2EXAMPLE",
"arn":"arn:aws:iam::123456789012:user/Alice",
"accountId":"123456789012",
"accessKeyId":"AKIAIOSFODNN7EXAMPLE",
"userName":"Alice"
},
"eventTime":"2026-01-15T20:42:00Z",
"eventSource":"acm.amazonaws.com",
"eventName":"UntagResource",
"awsRegion":"us-east-1",
"sourceIPAddress":"192.0.2.0",
"userAgent":"aws-cli/2.0",
"requestParameters":{
"resourceArn":"arn:aws:acm:us-east-1:123456789012:acme-endpoint/ep-abc123",
"tagKeys":["Environment"]
},
"responseElements":null,
"requestID":"fedcba98-7654-3210-fedc-ba9876543211",
"eventID":"12345678-1234-1234-1234-123456789013",
"eventType":"AwsApiCall",
"recipientAccountId":"123456789012"
}
Updating an ACME domain validation (UpdateAcmeDomainValidation)
The following CloudTrail example shows a log entry for the
UpdateAcmeDomainValidation operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:29:46Z",
"eventSource": "acm.amazonaws.com",
"eventName": "UpdateAcmeDomainValidation",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeDomainValidationArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeDomainValidation",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/acme-domain-validation/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
Updating an ACME endpoint (UpdateAcmeEndpoint)
The following CloudTrail example shows a log entry for the
UpdateAcmeEndpoint operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:28:43Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-06-10T20:28:56Z",
"eventSource": "acm.amazonaws.com",
"eventName": "UpdateAcmeEndpoint",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"acmeEndpointArn": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
],
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme.us-east-1.api.aws"
}
}
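The management event entries above arrive in two shapes (wrapped in "Records" and as bare events), carry three identity types (IAMUser, AssumedRole, and Unknown with an anonymous principal), and omit readOnly in the eventVersion 1.04 samples. The following Python example, added here and not part of the AWS documentation, normalizes those differences for triage; the sample input is constructed, and the finding labels and the READ_PREFIXES fallback are assumptions of this example.

```python
import json

ACM_SOURCES = {"acm.amazonaws.com", "acm-acme.amazonaws.com"}
# Assumption of this example: when readOnly is absent (eventVersion 1.04
# samples), names with these prefixes are reads; anything else is a write.
READ_PREFIXES = ("List", "Describe", "Get", "Search")

# Constructed sample input: trimmed entries modelled on the shapes shown above.
SAMPLE_JSON = """
[
 {"Records": [
   {"eventVersion": "1.04", "eventTime": "2016-03-18T00:00:49Z",
    "eventSource": "acm.amazonaws.com", "eventName": "RequestCertificate",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
    "sourceIPAddress": "192.0.2.0",
    "requestParameters": {"domainName": "example.com", "options": {"export": "ENABLED"}}},
   {"eventVersion": "1.04", "eventTime": "2016-03-18T00:00:43Z",
    "eventSource": "acm.amazonaws.com", "eventName": "ListCertificates",
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/Alice"},
    "sourceIPAddress": "192.0.2.0", "requestParameters": {"maxItems": 1000}}
 ]},
 {"eventVersion": "1.11", "eventTime": "2016-01-01T21:11:45Z",
  "eventSource": "acm.amazonaws.com", "eventName": "RevokeCertificate", "readOnly": false,
  "userIdentity": {"type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/Admin/example-session",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/Admin"},
                       "attributes": {"mfaAuthenticated": "false"}}},
  "sourceIPAddress": "192.0.2.0", "requestParameters": {"revocationReason": "UNSPECIFIED"}},
 {"eventVersion": "1.11", "eventTime": "2026-06-10T20:30:39Z",
  "eventSource": "acm-acme.amazonaws.com", "eventName": "NewAccount", "readOnly": false,
  "userIdentity": {"type": "Unknown", "principalId": "anonymous", "arn": "anonymous"},
  "sourceIPAddress": "192.0.2.0", "requestParameters": {"serverUuid": "EXAMPLE"}}
]
"""
SAMPLES = json.loads(SAMPLE_JSON)


def iter_events(document):
    """Yield events from a {"Records": [...]} file or from one bare event."""
    if isinstance(document, dict) and "Records" in document:
        yield from document["Records"]
    else:
        yield document


def caller(event):
    """Return (identity type, principal label, MFA flag or None)."""
    ident = event.get("userIdentity") or {}
    kind = ident.get("type", "Unknown")
    ctx = ident.get("sessionContext") or {}
    if kind == "AssumedRole":
        # Group by the issuing role rather than the per-session STS ARN.
        principal = (ctx.get("sessionIssuer") or {}).get("arn") or ident.get("arn")
    else:
        principal = ident.get("arn")
    # CloudTrail records mfaAuthenticated as the string "true" or "false".
    mfa = (ctx.get("attributes") or {}).get("mfaAuthenticated")
    return kind, principal, (mfa == "true") if mfa is not None else None


def triage(event):
    """Summarise one ACM event; return None for events from other services."""
    if event.get("eventSource") not in ACM_SOURCES:
        return None
    name = event.get("eventName") or ""
    read_only = event.get("readOnly")
    if read_only is None:
        read_only = name.startswith(READ_PREFIXES)
    kind, principal, mfa = caller(event)
    params = event.get("requestParameters") or {}
    findings = []
    if not read_only and principal == "anonymous":
        findings.append("write with no IAM principal recorded")
    if not read_only and mfa is False:
        findings.append("write from role session without MFA")
    if name == "ImportCertificate":
        findings.append("certificate and private key imported")
    if name == "RequestCertificate" and (params.get("options") or {}).get("export") == "ENABLED":
        findings.append("exportable certificate requested for " + str(params.get("domainName")))
    if name == "RevokeCertificate":
        findings.append("certificate revoked, reason " + str(params.get("revocationReason")))
    return {
        "time": event.get("eventTime"),
        "event": name,
        "source": event.get("eventSource"),
        "identity_type": kind,
        "principal": principal,
        "source_ip": event.get("sourceIPAddress"),
        "read_only": read_only,
        "findings": findings,
    }


def triage_documents(documents):
    """Run triage over a list of parsed CloudTrail documents or events."""
    results = []
    for document in documents:
        for event in iter_events(document):
            summary = triage(event)
            if summary is not None:
                results.append(summary)
    return results


if __name__ == "__main__":
    for row in triage_documents(SAMPLES):
        print(json.dumps(row))
```

For entries with an anonymous principal, the source_ip and the endpoint ARN in the event's resources list are the fields left for attribution.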
Data events
ACM logs the following ACME protocol operations as CloudTrail data events. Unlike management events, data events are not logged by default. To record them, configure data event logging in your CloudTrail trail or event data store.
Finalizing an order (FinalizeOrder)
The following CloudTrail example shows a data event log entry for the
FinalizeOrder operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:29:27Z",
"mfaAuthenticated": "false"
},
"sourceIdentity": "acm-acme-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"invokedBy": "acm-acme.amazonaws.com"
},
"eventTime": "2026-06-10T20:29:27Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "FinalizeOrder",
"awsRegion": "us-east-1",
"sourceIPAddress": "acm-acme.amazonaws.com",
"userAgent": "acm-acme.amazonaws.com",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"orderId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"csr": "EXAMPLE"
},
"responseElements": {
"status": "processing",
"expires": "2026-06-17T20:29:27Z",
"identifiers": [
{
"type": "dns",
"value": "example.example.com"
}
],
"authorizations": [
"https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/authz/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
],
"finalize": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/order/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/finalize",
"location": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/order/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"statusCode": 200
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data"
}
Downloading a certificate (GetCertificate)
The following CloudTrail example shows a data event log entry for the
GetCertificate operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:29:56Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "GetCertificate",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"certId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE77777"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Retrieving the directory (GetDirectory)
The following CloudTrail example shows a data event log entry for the
GetDirectory operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:30:39Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "GetDirectory",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Retrieving an order (GetOrder)
The following CloudTrail example shows a data event log entry for the
GetOrder operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:30:38Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "GetOrder",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"orderId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Listing orders (ListOrders)
The following CloudTrail example shows a data event log entry for the
ListOrders operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:29:57Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "ListOrders",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"accountId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE88888"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": true,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Managing an authorization (ManageAuthorization)
The following CloudTrail example shows a data event log entry for the
ManageAuthorization operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:30:40Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "ManageAuthorization",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"authorizationId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE99999"
},
"responseElements": {
"location": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/authz/a1b2c3d4-5678-90ab-cdef-EXAMPLE99999",
"status": "valid",
"expires": "2026-06-17T20:30:40Z",
"identifier": {
"type": "dns",
"value": "example.example.com"
},
"challenges": []
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Requesting a nonce (NewNonce)
The following CloudTrail example shows a data event log entry for the
NewNonce operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:30:39Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "NewNonce",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Creating an order (NewOrder)
The following CloudTrail example shows a data event log entry for the
NewOrder operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "Unknown",
"principalId": "anonymous",
"arn": "anonymous",
"accountId": "123456789012",
"userName": "anonymous"
},
"eventTime": "2026-06-10T20:29:26Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "NewOrder",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.0",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"identifiers": [
{
"type": "dns",
"value": "example.example.com"
}
]
},
"responseElements": {
"status": "ready",
"expires": "2026-06-17T20:29:26Z",
"identifiers": [
{
"type": "dns",
"value": "example.example.com"
}
],
"authorizations": [
"https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/authz/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
],
"finalize": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/order/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222/finalize",
"location": "https://acm-acme-enroll.us-east-1.api.aws/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111/order/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
"statusCode": 201
},
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "acm-acme-enroll.us-east-1.api.aws"
}
}
Revoking a certificate (RevokeCertificate)
The following CloudTrail example shows a data event log entry for the
RevokeCertificate operation.
{
"eventVersion": "1.11",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAEXAMPLEID:example-session",
"arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session",
"accountId": "123456789012",
"accessKeyId": "ASIAIOSFODNN7EXAMPLE",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AROAEXAMPLEID",
"arn": "arn:aws:iam::123456789012:role/example-role",
"accountId": "123456789012",
"userName": "example-role"
},
"attributes": {
"creationDate": "2026-06-10T20:30:37Z",
"mfaAuthenticated": "false"
},
"sourceIdentity": "acm-acme-a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
},
"invokedBy": "acm-acme.amazonaws.com"
},
"eventTime": "2026-06-10T20:30:37Z",
"eventSource": "acm-acme.amazonaws.com",
"eventName": "RevokeCertificate",
"awsRegion": "us-east-1",
"sourceIPAddress": "acm-acme.amazonaws.com",
"userAgent": "acm-acme.amazonaws.com",
"requestParameters": {
"serverUuid": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"certificate": "EXAMPLE"
},
"responseElements": null,
"requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE44444",
"eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE55555",
"readOnly": false,
"resources": [
{
"accountId": "123456789012",
"type": "AWS::CertificateManager::AcmeEndpoint",
"ARN": "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
}
],
"eventType": "AwsApiCall",
"managementEvent": false,
"recipientAccountId": "123456789012",
"eventCategory": "Data"
}
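The following Python is an added example, not AWS code: it triages ACME data events shaped like the entries above, attributing calls logged with an anonymous userIdentity by sourceIPAddress, and flagging NewOrder identifiers outside an allowlist and any RevokeCertificate call. The allowlist, the function names, the finding labels, and the sample records (including 198.51.100.7 and login.example.net) are assumptions constructed for illustration.

```python
from collections import defaultdict

ACME_SOURCE = "acm-acme.amazonaws.com"
ENDPOINT = "arn:aws:acm:us-east-1:123456789012:acme-endpoint/a1b2c3d4-5678-90ab-cdef-EXAMPLE66666"
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/example-role/example-session"
ALLOWED_SUFFIXES = ("example.com",)  # assumption: names this endpoint may issue for

def make_event(name, source_ip, params, identity=None):
    # Constructed record holding only the fields the triage below reads.
    return {"eventSource": ACME_SOURCE, "eventName": name, "eventCategory": "Data",
            "userIdentity": identity or {"type": "Unknown", "principalId": "anonymous"},
            "sourceIPAddress": source_ip, "requestParameters": params,
            "resources": [{"type": "AWS::CertificateManager::AcmeEndpoint", "ARN": ENDPOINT}]}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    make_event("GetDirectory", "192.0.2.0", {"serverUuid": "EXAMPLE"}),
    make_event("NewOrder", "192.0.2.0",
               {"identifiers": [{"type": "dns", "value": "example.example.com"}]}),
    make_event("NewOrder", "198.51.100.7",
               {"identifiers": [{"type": "dns", "value": "login.example.net"}]}),
    make_event("RevokeCertificate", ACME_SOURCE, {"certificate": "EXAMPLE"},
               {"type": "AssumedRole", "arn": ROLE_ARN, "invokedBy": ACME_SOURCE}),
]

def in_scope(name):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)

def actor(event):
    """Anonymous ACME calls carry no IAM principal, so fall back to source IP."""
    ident = event.get("userIdentity") or {}
    if ident.get("principalId") == "anonymous":
        return "ip:" + event.get("sourceIPAddress", "unknown")
    return "principal:" + ident.get("arn", "unknown")

def triage(events):
    """Map (endpoint ARN, actor) to findings for ACME data events."""
    findings = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != ACME_SOURCE or ev.get("eventCategory") != "Data":
            continue
        endpoint = (ev.get("resources") or [{}])[0].get("ARN", "unknown")
        key = (endpoint, actor(ev))
        if ev.get("eventName") == "NewOrder":
            for ident in (ev.get("requestParameters") or {}).get("identifiers", []):
                if ident.get("type") != "dns" or not in_scope(ident.get("value", "")):
                    findings[key].append("unexpected-identifier:" + str(ident.get("value")))
        elif ev.get("eventName") == "RevokeCertificate":
            findings[key].append("certificate-revoked")
    return dict(findings)
```

Feed `triage` the parsed records from delivered CloudTrail log files; read-only operations such as GetDirectory produce no finding.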