Menu
AWS Certificate Manager
User Guide (Version 1.0)

ACM API Permissions: Actions and Resources Reference

When you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The first column in the table lists each ACM API operation. You specify actions in a policy's Action element. The remaining columns provide the additional information:

You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the acm: prefix followed by the API operation name (for example, acm:RequestCertificate).

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

ACM API Operations and Permissions

ACM API Operations Required Permissions (API Actions) Resources

AddTagsToCertificate

acm:AddTagsToCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

DeleteCertificate

acm:DeleteCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

DescribeCertificate

acm:DescribeCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

GetCertificate

acm:GetCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

ImportCertificate

acm:ImportCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

ListCertificates

acm:ListCertificates

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

ListTagsForCertificate

acm:ListTagsForCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

RemoveTagsFromCertificate

acm:RemoveTagsFromCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

RequestCertificate

acm:RequestCertificate

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID

ResendValidationEmail

acm:ResendValidationEmail

arn:aws:acm:AWS_region:AWS_account_ID:certificate/certificate_ID