diff --git a/src/constants/regex-pattern.test.ts b/src/constants/regex-pattern.test.ts
index 6dab0bc0a..dabea84a6 100644
--- a/src/constants/regex-pattern.test.ts
+++ b/src/constants/regex-pattern.test.ts
@@ -25,4 +25,10 @@ describe("the regex patterns", () => {
     expect(regex.test("another.@theguardian.com")).toBeFalsy();
     expect(regex.test("another1@theguardian.com")).toBeFalsy();
   });
+
+  it("should successfully regex against ACM ARNs", () => {
+    const regex = new RegExp(RegexPattern.ACM_ARN);
+    expect(regex.test("arn:aws:acm:eu-west-1:000000000000:certificate/123abc-0000-0000-0000-123abc")).toBeTruthy();
+    expect(regex.test("arn:aws:acm:eu-west-1:000000000000:tls/123abc-0000-0000-0000-123abc")).toBeFalsy();
+  });
 });
diff --git a/src/constants/regex-pattern.ts b/src/constants/regex-pattern.ts
index 8e682dd35..7bdd79cae 100644
--- a/src/constants/regex-pattern.ts
+++ b/src/constants/regex-pattern.ts
@@ -5,8 +5,12 @@ const s3ArnRegex = `arn:aws:s3:::${s3BucketRegex}*`;
 
 const emailRegex = "^[a-zA-Z]+(\\.[a-zA-Z]+)*@theguardian.com$";
 
+// TODO be more strict on region?
+const acmRegex = "arn:aws:acm:[0-9a-z\\-]+:[0-9]{12}:certificate/[0-9a-z\\-]+";
+
 export const RegexPattern = {
   ARN: arnRegex,
   S3ARN: s3ArnRegex,
   GUARDIAN_EMAIL: emailRegex,
+  ACM_ARN: acmRegex,
 };