AWS Certificate Manager and Certificate Pinning
As background, please review Out with HPKP, in with CAA? to re-familiarize yourself with HTTP Public Key Pinning (HPKP) and Certificate Authority Authorization (CAA).
Today I read How to Prepare for AWS’s Move to Its Own Certificate Authority | AWS Security Blog and noticed this comment about certificate pinning:
AWS recommends against using certificate pinning because it introduces a potential availability risk. If the certificate to which you pin is replaced, your application will fail to connect. If your use case requires pinning, we recommend that you pin to a CA rather than to an individual certificate. If you are pinning to an Amazon Trust Services CA, you should pin to all CAs shown in the table earlier in this post.
It wasn’t mentioned in that blog posting, but AWS Certificate Manager works with CAA records (see (Optional) Configure a CAA Record), and as of August 2017 Amazon Route 53 supports CAA records as well.
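As an added illustration of the CAA mechanism referred to above (example code, not from the post or from AWS): a small evaluator of the RFC 8659 issue/issuewild rules, run over a constructed Route 53-style RRset. The issuer domains in ACM_ISSUERS are an assumption taken from the ACM CAA documentation; confirm them against the current AWS page before publishing a record.

```python
from dataclasses import dataclass

# Property tags a CA is expected to understand (RFC 8659 section 4).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
ISSUER_CRITICAL = 128  # flag bit: unknown critical tag means "do not issue"

@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or 128
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain, optionally followed by "; param=value"

# Constructed RRset; issuer domains assumed from the ACM CAA documentation.
ACM_ISSUERS = ("amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com")
EXAMPLE_RRSET = [CAARecord(0, "issue", d) for d in ACM_ISSUERS]

def issuer_domain(value: str) -> str:
    """Strip parameters: 'amazon.com; policy=ev' -> 'amazon.com'; ';' alone -> ''."""
    return value.split(";", 1)[0].strip().lower()

def governing_records(rrset, wildcard):
    """issuewild records override issue records only for wildcard names."""
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    if wildcard and issuewild:
        return issuewild
    return [r for r in rrset if r.tag.lower() == "issue"]

def ca_may_issue(rrset, ca_domain, wildcard=False):
    """RFC 8659 decision for one RRset: empty set -> unrestricted; an unknown
    critical tag -> deny; otherwise allow only if a governing record names
    ca_domain (an empty issuer ';' matches nothing, so it blocks every CA)."""
    if not rrset:
        return True
    for r in rrset:
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS:
            return False
    governing = governing_records(rrset, wildcard)
    if not governing:
        return True  # e.g. only iodef records present: no issuance limit
    return any(issuer_domain(r.value) == ca_domain.lower() for r in governing)

def zone_lines(rrset, owner="example.com."):
    """Render the RRset the way a zone file (or a Route 53 record value) shows it."""
    return [f'{owner} CAA {r.flags} {r.tag} "{r.value}"' for r in rrset]

if __name__ == "__main__":
    print("\n".join(zone_lines(EXAMPLE_RRSET)))
    print("other CA may issue:", ca_may_issue(EXAMPLE_RRSET, "other-ca.example"))
```

Publishing only the ACM issuer domains means a certificate request to any other CA for that name should be refused, which is the availability trade-off to weigh before narrowing the set.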
It seems like we don’t want to pin our hopes on HPKP.