
aws_acm_certificate cost estimation

TLS certificates for AWS services. Public certificates are free and renew automatically. Private certificates require a Private CA, which bills $400/month per CA. Wildcard and SAN certificates are included at no extra cost.

AWS Certificate Manager (ACM) provides TLS certificates for AWS services. The aws_acm_certificate resource handles both public certificates (free) and private certificates issued via aws_acmpca_certificate_authority (paid).

Public certificates are completely free. There's no per-certificate fee, no per-domain fee, no fee for wildcards or SANs. AWS handles validation (DNS or email), issuance, renewal, and revocation. The catch is they only work with AWS services (CloudFront, ALB, NLB, API Gateway, App Runner, etc.) — not exportable for external use.

Private certificates require a Private Certificate Authority (aws_acmpca_certificate_authority). Each Private CA bills $400/month regardless of certificate count. Certificates issued by the CA are tiered: first 1,000 are $0.75 each, next 9,000 are $0.35 each, then $0.001 each. For organizations needing PKI for internal mTLS or workload identity, this is the AWS-native option.

ACM-issued certificates are tied to AWS resources. They can be deployed to multiple resources but can't be exported. For exportable certificates (e.g., to use outside AWS or with self-hosted services), use Let's Encrypt or a third-party CA.

Common gotcha: a certificate used by CloudFront must be issued in us-east-1, regardless of the region of the CloudFront origin, while an ALB/NLB certificate must be in the same region as the load balancer. ACM certificates are regional, so a separate certificate must be requested in each region that uses one.

c3x flags aws_acm_certificate resources as free (public) or computes Private CA + per-certificate cost if a Private CA is referenced.
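An added example, not c3x's own code, of the estimate logic described above using the rates quoted on this page: public certificates cost nothing, and each distinct Private CA that a certificate references adds the monthly CA fee plus tiered issuance charges. The Private CA ARN and domain names are constructed.

```python
# Added example, not c3x's own code: the estimate logic described above, using
# the rates quoted on this page. The ARN and domain names below are constructed.
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

PRIVATE_CA_MONTHLY = Decimal("400")
# Private CA issuance tiers as (certificates in tier, unit price); None = no cap.
PRIVATE_CERT_TIERS = [(1_000, Decimal("0.75")), (9_000, Decimal("0.35")), (None, Decimal("0.001"))]

def private_certificate_cost(count: int) -> Decimal:
    """Tiered issuance charge for `count` certificates from one Private CA."""
    total, remaining = Decimal(0), max(count, 0)
    for size, price in PRIVATE_CERT_TIERS:
        in_tier = remaining if size is None else min(remaining, size)
        total += in_tier * price
        remaining -= in_tier
        if remaining == 0:
            break
    return total

@dataclass(frozen=True)
class AcmCertificate:  # the cost-relevant attributes of one aws_acm_certificate
    domain_name: str
    subject_alternative_names: tuple = ()
    certificate_authority_arn: Optional[str] = None  # set => issued by a Private CA

def estimate_monthly_cost(certs: list) -> dict:
    """Public certs are free; each distinct Private CA bills monthly plus tiered
    issuance. Each resource counts as one issuance per month (renewals ignored)."""
    per_ca: dict = {}
    public = 0
    for cert in certs:
        if cert.certificate_authority_arn is None:
            public += 1  # wildcards and SANs add nothing to the price
        else:
            per_ca[cert.certificate_authority_arn] = per_ca.get(cert.certificate_authority_arn, 0) + 1
    ca_fees = PRIVATE_CA_MONTHLY * len(per_ca)
    issuance = sum((private_certificate_cost(n) for n in per_ca.values()), Decimal(0))
    return {"public_certificates": public, "private_cas": len(per_ca),
            "monthly_cost": ca_fees + issuance}

# Constructed sample: two public certificates and one internal mTLS certificate
# issued by a single Private CA (placeholder ARN).
SAMPLE = [
    AcmCertificate("example.com", ("*.example.com", "api.example.com")),
    AcmCertificate("cdn.example.com"),
    AcmCertificate("svc.internal", certificate_authority_arn="arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/PLACEHOLDER"),
]
```

Running `estimate_monthly_cost(SAMPLE)` yields 2 public certificates, 1 Private CA and a monthly cost of 400.75 (the CA fee plus one tier-1 certificate).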

Terraform example

A minimal but realistic configuration that C3X can estimate.

# Public certificate: $0. The wildcard and extra SAN add nothing to the cost.
resource "aws_acm_certificate" "main" {
  domain_name       = "example.com"
  validation_method = "DNS"

  subject_alternative_names = [
    "*.example.com",
    "api.example.com",
  ]

  # A SAN change replaces the certificate; create the new one before destroying
  # the old so the listener that references it is never left without one.
  lifecycle {
    create_before_destroy = true
  }
}

# One DNS validation record per entry in domain_validation_options.
# Assumes the hosted zone is declared elsewhere as aws_route53_zone.main.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  # example.com and *.example.com validate with the same CNAME; without this the
  # second record conflicts with the first and the apply fails.
  allow_overwrite = true
  zone_id         = aws_route53_zone.main.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

Pricing dimensions

What you actually pay for when you provision aws_acm_certificate.

Dimension: Public certificate
Unit: free
What's being charged: Public certificates issued via ACM are free, including wildcards and SANs.
Price: $0 (free)

Dimension: Private Certificate Authority
Unit: per month
What's being charged: Each Private CA bills monthly regardless of certificates issued.
Price: $400/month per CA

Dimension: Private certificate (first 1,000)
Unit: per certificate
What's being charged: Certificates issued by a Private CA. Tiered pricing reduces the rate at higher volumes.
Price: $0.75 per certificate

Dimension: Private certificate (next 9,000)
Unit: per certificate
What's being charged: Tier 2 pricing for high-volume PKI workloads.
Price: $0.35 per certificate

Optimization tips

Common ways to reduce aws_acm_certificate cost without changing the workload.

Use public certificates for internet-facing services

$400+/month if you avoid Private CA

Public certificates are free and trusted by all major browsers. Reserve Private CA for internal mTLS, workload identity, and service mesh use cases.

Share a single Private CA across many certificates

$400/month per avoided CA

Private CA bills monthly regardless of certificate count. Maximize utilization: one CA per organization or environment, issuing all internal certificates. Don't create one CA per service.

Use wildcards instead of multiple certificates

A single *.example.com certificate covers any subdomain. Public certs have no SAN limit. Reduces certificate management overhead without affecting cost.

Audit Private CA usage

$400/month per deleted CA

Private CAs persist even when unused. Audit CAs across accounts and delete any with no recent certificate issuance.

FAQ

Are public ACM certificates really free?

Yes, completely. No issuance fee, no renewal fee, no per-domain fee. The only requirement is that the certificate is used with an AWS service (CloudFront, ALB, NLB, API Gateway, etc.). AWS makes money on the services using the certificates, not the certificates themselves.

Can I export an ACM certificate?

Not from public ACM. Public certificates can only be used with integrated AWS services. For exportable certificates, use Private CA (which supports export) or a third-party CA. Note that export from Private CA adds per-export charges.

Why does the Private CA cost $400/month?

The CA monthly fee covers the HSM-backed key storage, root key protection, and the operational infrastructure. AWS prices this similarly to other managed PKI offerings. For organizations needing PKI for internal use, $400/month is competitive versus running your own PKI infrastructure.

What's the alternative to ACM for AWS workloads?

Let's Encrypt for free public certificates (but it requires renewal automation and manual upload of the certificate to AWS resources). HashiCorp Vault for internal PKI ($0 if self-hosted). Smallstep for managed PKI. ACM's value is the AWS-native integration and zero manual work.

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_acm_certificate.