It would be nice to have more complete documentation (e.g., a full sample event) for the various AWS_ACM_RENEWAL_STATE_CHANGE events.

AWS Support provided me with these sample EventBridge events:

ACM PCA (private) renewal

{
  "source": ["aws.health"],
  "detail-type": ["AWS Health Event"],
  "detail": {
    "service": ["ACM"],
    "eventTypeCategory": ["scheduledChange"],
    "eventTypeCode": ["AWS_ACM_RENEWAL_STATE_CHANGE"],
    "eventDescription": {
      "latestDescription": [{
        "prefix": "AWS Certificate Manager (ACM) has completed the renewal"
      }]
    }
  }
}

ACM renewal

{
  "source": ["aws.health"],
  "detail-type": ["AWS Health Event"],
  "detail": {
    "service": ["ACM"],
    "eventTypeCategory": ["scheduledChange"],
    "eventTypeCode": ["AWS_ACM_RENEWAL_STATE_CHANGE"],
    "eventDescription": {
      "latestDescription": [{
        "prefix": "This is to notify you that AWS Certificate Manager (ACM) has completed the renewal"
      }]
    }
  }
}

Note that the difference is super subtle (in the description only).

Having these events fully documented (e.g., sample events for every variation of AWS_ACM_RENEWAL_STATE_CHANGE) would be helpful so we could be more confident using them.

https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html#acm-nitro-enclave

The link to "nitro enclave" at the top of the page is broken. It should link to a definition of nitro enclave.

Note
Public ACM certificates can be installed on Amazon EC2 instances that are connected to a Nitro Enclave, but not to other Amazon EC2 instances. 

I think that the recipient who is notified when automatic validation fails is to the root user email address, but the documentation says notify to domain owner.

I think the owner of a domain may change over a period of time. Therefore, I think that it is easier to understand if the notification destination is clearly described. (e.i root user email address)

https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html

If ACM cannot automatically validate a domain name, it notifies the domain owner that manual action is needed to validate the domain and complete certificate renewal.

If you have any code samples that you think would improve the ACM User Guide, please let me know!
Submit a pull request as explained in these directions: https://github.com/awsdocs/amazon-s3-developer-guide/blob/master/CONTRIBUTING.md .

Requirement - Any API exist to get private key for public certificate as the public certificate is created by a client

Export certificate does the same, but only for private certificate - https://docs.aws.amazon.com/acm/latest/userguide/sdk-export.html

This documentation makes it seem like ACM supports 4096-bit keys, which it does, except when it comes to supporting them on ALB/CLBs.

Note that integrated services allow only algorithms and key sizes they support to be associated with their resources. Further, their support differs depending on whether the certificate is imported into IAM or into ACM. For more information, see the documentation for each service.

Is meant to clarify that, but it's pretty ambiguous. Not even our enterprise support engineer understood that to mean that I have to use IAM to upload a 4096-bit key.

I would like to add to the documentation that Load Balancers specifically can't support 4096-bit keys from ACM, but it seems like such a one-off bullet to add. Not to mention that bullets in this repo don't seem to match up with the corresponding page on production: https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

Please advise

ACM Certificates are X.509 SSL/TLS certificates that bind the identity of your website and the details of your organization to the public key that is contained in the certificate. ACM uses the your customer master key (CMK) to encrypt the private key. For more information, see ACM Private Key Security.

ACM uses the your customer master key (CMK) to encrypt the private key.

Should it not be:

ACM uses the customer master key (CMK) to encrypt the private key.