AWS Certificate Manager introduces Enterprise Controls to help govern certificate issuance


Enterprise, network and security admins can now use AWS Identity and Access Management (IAM) [condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference%5Fpolicies%5Felements%5Fcondition.html) with [AWS Certificate Manager](https://aws.amazon.com/certificate-manager/) (ACM) to help ensure that users issue certificates that conform to their organization’s public key infrastructure (PKI) guidelines. For example, you can use condition keys to allow only DNS validation, or to authorize which of your users can request certificates for specific domain names such as accounting.example.com and/or wildcard names. Using these new context keys, you can constrain how your ACM users set certificate issuance parameters, authorizing 1) a specific certificate validation method, 2) who can request certificates for specific domain names, including wildcard names, 3) specific certificate key algorithm(s), and 4) whether public or private certificates may be requested. Additionally, you can prevent users from disabling Certificate Transparency (CT) logging or from requesting certificates from specific AWS Private Certificate Authorities. You can distribute and enforce your condition keys across your users and accounts using either [IAM](https://aws.amazon.com/iam/getting-started/) or [Service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs%5Fmanage%5Fpolicies%5Fscps.html) (SCPs) from [AWS Organizations](https://docs.aws.amazon.com/controltower/latest/userguide/organizations.html). You can enforce organization-wide policies or define specific policies for organizational units. For example, you can authorize your HR unit to issue certificates for the domain name HR.example.com while your IT department can only issue certificates for IT.example.com. You can also enforce these policies at account creation through [AWS CloudFormation](https://aws.amazon.com/cloudformation/).
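As an added example (not part of the announcement), an IAM identity policy for the HR-unit case above: a request is allowed only if it uses DNS validation and an RSA 2048 key and every requested name falls under hr.example.com, and any request that turns off CT logging is denied outright. The condition key names (`acm:ValidationMethod`, `acm:DomainNames`, `acm:KeyAlgorithm`, `acm:CertificateTransparencyLogging`) and their values are taken from the ACM condition keys documentation rather than from this page, so confirm them there before deploying.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "HrUnitMayRequestOnlyDnsValidatedCertsForItsOwnNames",
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acm:ValidationMethod": "DNS",
          "acm:KeyAlgorithm": "RSA_2048"
        },
        "ForAllValues:StringLike": {
          "acm:DomainNames": [
            "hr.example.com",
            "*.hr.example.com"
          ]
        }
      }
    },
    {
      "Sid": "NeverAllowCtLoggingToBeDisabled",
      "Effect": "Deny",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acm:CertificateTransparencyLogging": "DISABLED"
        }
      }
    }
  ]
}
```

`ForAllValues` evaluates to true when the key is absent from the request, so it is safe here only because every RequestCertificate call carries at least one domain name. The explicit Deny in the second statement overrides any Allow, so that statement works unchanged when lifted into an SCP for the whole organization.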
Learn more about this feature [here](https://docs.aws.amazon.com/acm/latest/userguide/acm-conditions.html) and [get started with ACM](https://aws.amazon.com/certificate-manager/getting-started/). This feature is available in all [AWS Regions](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/) where ACM is available, including the AWS GovCloud (US) Regions.