Security best practices for Cross-account access to private CAs

An AWS Private CA administrator can share a CA with principals (users, roles, etc.) in another AWS account . When a share has been received and accepted, the principal can use the CA to issue end-entity certificates using AWS Private CA or AWS Certificate Manager resources. The principal can use the CA to issue subordinate CA certificates using AWS Private CA.

Important

Charges associated with a certificate issued in a cross-account scenario are billed to the AWS account that issues the certificate.

To share access to a CA, AWS Private CA administrators can choose either of the following methods:

Use AWS Resource Access Manager (RAM) to share the CA as a resource with a principal in another account or with AWS Organizations. RAM is a standard method for sharing AWS resources across accounts. For more information about RAM, see the AWS RAM User Guide. For more information about AWS Organizations, see the AWS Organizations User Guide.
Use the AWS Private CA API or CLI to attach a resource-based policy to a CA, thereby granting access to a principal in another account. For more information, see Resource-based policies.

The Controlling access to a private CA section of this guide provides workflows for granting access to CAs in both single-account and cross-account scenarios.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Inline policies

Resource-based policies