ACM Private Key Security
A public-private key pair is generated for each ACM Certificate. The public key is included in each certificate. Using ACM helps securely protect and store your private key using strong encryption and key management best practices.
The first time you request an ACM Certificate, a default customer master key (CMK) is created. All subsequent requests for ACM Certificates will use this default CMK to encrypt the certificate's private key.
A public-private key pair is created for each ACM Certificate that is provided.
The private key for each ACM Certificate is encrypted by using the default CMK for the ACM service.
When you associate an ACM Certificate with an AWS resource such as an Elastic Load Balancing load balancer or a Amazon CloudFront distribution, a grant is created to permit the AWS resource to use the default CMK to decrypt the private key. Grants are a way to delegate long-term access to a key.
The decrypted private key is used by the AWS resource during the SSL/TLS handshake process to help negotiate a session key that is used for secure communication between the resource and the client.
When you disassociate the ACM Certificate from an AWS resource, the grant is retired and the AWS resource will no longer be able to decrypt the private key.