AWS Certificate Manager
User Guide (Version 1.0)

Inline Policies

Inline policies are policies that you create and manage and embed directly into a single user, group, or role. The following policy examples show you how to assign permissions to perform ACM actions. For more information about attaching inline policies, see Working with Inline Policies in the IAM User Guide.

Listing Certificates

The following policy allows a user to list all of the ACM Certificates in the user's account.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "acm:ListCertificates",
    "Resource": "*"
  }]
}

Note

This permission is required for ACM Certificates to appear in the Elastic Load Balancing and CloudFront consoles.

Retrieving a Certificate

The following policy allows a user to retrieve a specific ACM Certificate.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "acm:GetCertificate",
    "Resource": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
  }
}

Deleting a Certificate

The following policy allows a user to delete a specific ACM Certificate.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "acm:DeleteCertificate",
    "Resource": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
  }
}

Read-only Access to ACM

The following policy allows a user to describe and list ACM Certificates, to retrieve an ACM Certificate and its certificate chain, and to list the tags on a certificate.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "acm:DescribeCertificate",
      "acm:ListCertificates",
      "acm:GetCertificate",
      "acm:ListTagsForCertificate"
    ],
    "Resource": "*"
  }
}

Note

This policy is available as an AWS-managed policy in the AWS Management Console. For more information, see AWSCertificateManagerReadOnly. To view the managed policy in the console, go to https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly.

Full Access to ACM

The following policy allows a user to perform any ACM action.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["acm:*"],
    "Resource": "*"
  }]
}

Note

This policy is available as an AWS-managed policy in the AWS Management Console. For more information, see AWSCertificateManagerFullAccess. To view the managed policy in the console, go to https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess.
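The policies above differ only in which actions and resources their statements match, so the practical question when reviewing one is "does this document grant action X on resource Y?". The following Python check, added here as an example and not part of the AWS guide, answers that for the page's own policies with a simplified model of IAM evaluation (Allow/Deny with wildcards; it assumes no Condition, NotAction or NotResource elements, which none of the policies on this page use).

```python
import fnmatch

# Constructed sample input: three of the inline policies shown on this page.
# Statement appears both as a single object and as a list, and Action both as
# a string and as a list; IAM accepts all four forms, so the evaluator must too.
CERT_ARN = ("arn:aws:acm:us-east-1:123456789012:certificate/"
            "12345678-1234-1234-1234-123456789012")
POLICIES = {
    "get_one": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": "acm:GetCertificate", "Resource": CERT_ARN}},
    "read_only": {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Resource": "*",
        "Action": ["acm:DescribeCertificate", "acm:ListCertificates",
                   "acm:GetCertificate", "acm:ListTagsForCertificate"]}},
    "full_acm": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["acm:*"], "Resource": "*"}]},
}

def _as_list(value):
    """Statement, Action and Resource may each be a scalar or a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_sensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource):
    """Simplified single-policy evaluation (assumption: no Condition elements):
    an explicit Deny on a matching statement wins, any matching Allow grants,
    and with no matching statement the request is implicitly denied."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not (_matches(_as_list(stmt["Action"]), action, False)
                and _matches(_as_list(stmt["Resource"]), resource, True)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def granted(policy, candidate_actions, resource):
    """Which of a set of actions the policy permits on a resource; useful for
    spotting a supposedly read-only policy that also grants a mutating action."""
    return sorted(a for a in candidate_actions if is_allowed(policy, a, resource))
```

Running `granted(POLICIES["read_only"], ["acm:DeleteCertificate", "acm:GetCertificate"], CERT_ARN)` returns only `acm:GetCertificate`, while the same call against `POLICIES["full_acm"]` returns both, which is the difference between the Read-only and Full Access policies above.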

Administrator Access to All AWS Resources

The following policy allows a user to perform any action on any AWS resource.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}

Note

This policy is available as an AWS-managed policy in the AWS Management Console. To view the managed policy in the console, go to https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AdministratorAccess.