Identity and Access Management for AWS Certificate Manager Private Certificate Authority - AWS Certificate Manager Private Certificate Authority

Identity and Access Management for AWS Certificate Manager Private Certificate Authority

Access to ACM Private CA requires credentials that AWS can use to authenticate your requests. The following topics provide details on how you can use AWS Identity and Access Management (IAM) to help secure your private certificate authorities (CAs) by controlling who can access them.


You can access AWS as any of the following types of identities:

  • AWS account root user – When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.

  • IAM user – An IAM user is an identity within your AWS account that has specific custom permissions (for example, permissions to create a directory in ACM Private CA). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.

    In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request. If you don’t use AWS tools, you must sign the request yourself. ACM Private CA supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 signing process in the AWS General Reference.

  • IAM role – An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles with temporary credentials are useful in the following situations:

    • Federated user access – Instead of creating an IAM user, you can use existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated users and roles in the IAM User Guide.

    • AWS service access – A service role is an IAM role that a service assumes to perform actions on your behalf. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

    • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide.

Understanding resources, ownership, and permissions policies

In ACM Private CA, the primary resource that you work with is a certificate authority (CA). Every private CA that you own or control is identified by an Amazon Resource Name (ARN), which has the following form.


A resource owner is the principal entity of the AWS account in which an AWS resource is created. The following examples illustrate how this works.

  • If you use the credentials of your AWS account root user to create a private CA, your AWS account owns the CA.

  • If you create an IAM user in your AWS account, you can grant that user permission to create a private CA. However, the account to which that user belongs owns the CA.

  • If you create an IAM role in your AWS account and grant it permission to create a private CA, anyone who can assume the role can create the CA. However, the account to which the role belongs will own the private CA.

A permissions policy describes who has access to what. The following discussion explains the available options for creating permissions policies.


This documentation discusses using IAM in the context of ACM Private CA. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference.

When you set up access control and permissions policies that you plan to attach to an IAM identity (identity-based policies), use the following table as a reference. The first column in the table lists each ACM Private CA API operation. You specify actions in a policy's Action element. The remaining columns provide the additional information.

ACM Private CA API operations and permissions
ACM Private CA API operations Required permissions Resources







CreatePermission acm-pca:CreatePermission arn:aws:acm-pca:region:account:certificate-authority/CA_ID




DeletePermission acm-pca:DeletePermission arn:aws:acm-pca:region:account:certificate-authority/CA_ID
DeletePolicy acm-pca:DeletePolicy arn:aws:acm-pca:region:account:certificate-authority/CA_ID
















GetPolicy acm-pca:GetPolicy arn:aws:acm-pca:region:account:certificate-authority/CA_ID










ListPermissions acm-pca:ListPermissions arn:aws:acm-pca:region:account:certificate-authority/CA_ID




PutPolicy acm-pca:PutPolicy arn:aws:acm-pca:region:account:certificate-authority/CA_ID













You can use IAM to create policies that apply permissions to IAM users, groups, and roles. These are called identity-based policies. IAM offers the following types of identity-based policies:

  • AWS managed policies are policies available by default with ACM Private CA. These policies cover basic user roles.

  • Customer managed policies are policies that you create and manage in your AWS account and which you can attach to multiple users, groups, and roles. You have more precise control when using customer managed policies than you have when using AWS managed policies.

  • Inline policies are policies that you create and manage and which you embed directly into a single user, group, or role.

  • Resource-based policies are used by ACM Private CA to enable cross-account access to private CAs.

AWS managed policies

ACM Private CA includes a set of predefined AWS managed policies for administrators, users, and auditors. Understanding these policies can help you implement Customer managed policies.

  • FullAccess – Unrestricted administrative control.

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:*" ], "Resource":"*" } ] }
  • ReadOnly – Access limited to read-only API operations.

    { "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":[ "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:ListCertificateAuthorities", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions", "acm-pca:ListTags" ], "Resource":"*" } }
  • PrivilegedUser – Ability to issue and revoke CA certificates. This policy has no other administrative capabilities and no ability to issue end-entity certificates. Permissions are mutually exclusive with the User policy.

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/*CACertificate*/V*" ] } } }, { "Effect":"Deny", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringNotLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/*CACertificate*/V*" ] } } }, { "Effect":"Allow", "Action":[ "acm-pca:RevokeCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }
  • User – Ability to issue and revoke end-entity certificates. This policy has no administrative capabilities and no ability to issue CA certificates. Permissions are mutually exclusive with the PrivilegedUser policy.

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/EndEntityCertificate/V*" ] } } }, { "Effect":"Deny", "Action":[ "acm-pca:IssueCertificate" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*", "Condition":{ "StringNotLike":{ "acm-pca:TemplateArn":[ "arn:aws:acm-pca:::template/EndEntityCertificate/V*" ] } } }, { "Effect":"Allow", "Action":[ "acm-pca:RevokeCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }
  • Auditor – Access to read-only API operations and permission to generate a CA audit report.

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:CreateCertificateAuthorityAuditReport", "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificate", "acm-pca:ListPermissions", "acm-pca:ListTags" ], "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*" }, { "Effect":"Allow", "Action":[ "acm-pca:ListCertificateAuthorities" ], "Resource":"*" } ] }

Customer managed policies

As a best practice, don't use your AWS account root user to interact with AWS, including ACM Private CA. Instead use AWS Identity and Access Management (IAM) to create an IAM user, IAM role, or federated user. Create an administrator group and add yourself to it. Then log in as an administrator. Add additional users to the group as needed.

Another best practice is to create a customer managed IAM policy that you can assign to users. Customer managed policies are standalone identity-based policies that you create and which you can attach to multiple users, groups, or roles in your AWS account. Such a policy restricts users to performing only the ACM Private CA actions that you specify.

The following example customer-managed policy allows a user to create a CA audit report. This is an example only. You can choose any ACM Private CA operations that you want. For more examples, see Inline policies.

To create a customer managed policy

  1. Sign in to the IAM console using the credentials of an AWS administrator.

  2. In the navigation pane of the console, choose Policies.

  3. Choose Create policy.

  4. Choose the JSON tab.

  5. Copy the following policy and paste it into the editor.

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"acm-pca:CreateCertificateAuthorityAuditReport", "Resource":"*" } ] }
  6. Choose Review policy.

  7. For Name, type PcaListPolicy.

  8. (Optional) Type a description.

  9. Choose Create policy.

An administrator can attach the policy to any IAM user to limit what ACM Private CA actions the user can perform. For ways to apply a permissions policy, see Changing Permissions for an IAM User in the IAM User Guide.

Inline policies

Inline policies are policies that you create and manage and embed directly into a user, group, or role. The following policy examples show how to assign permissions to perform ACM Private CA actions. For general information about inline policies, see Working with Inline Policies in the IAM User Guide. You can use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API to create and embed inline policies.

Listing private CAs

The following policy allows a user to list all of the private CAs in an account.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"acm-pca:ListCertificateAuthorities", "Resource":"*" } ] }

Retrieving a private CA certificate

The following policy allows a user to retrieve a specific private CA certificate.

{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":"acm-pca:GetCertificateAuthorityCertificate", "Resource":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID" } }

Importing a private CA certificate

The following policy allows a user to import a private CA certificate.

{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":"acm-pca:ImportCertificateAuthorityCertificate", "Resource":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID" } }

Deleting a private CA

The following policy allows a user to delete a specific private CA.

{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":"acm-pca:DeleteCertificateAuthority", "Resource":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID" } }

Read-only access to ACM Private CA

The following policy allows a user to describe and list private certificate authorities and to retrieve the private CA certificate and certificate chain.

{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":[ "acm-pca:DescribeCertificateAuthority", "acm-pca:DescribeCertificateAuthorityAuditReport", "acm-pca:ListCertificateAuthorities", "acm-pca:ListTags", "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:GetCertificateAuthorityCsr", "acm-pca:GetCertificate" ], "Resource":"*" } }

Full access to ACM Private CA

The following policy allows a user to perform any ACM Private CA action.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "acm-pca:*" ], "Resource":"*" } ] }

Administrator access to all AWS resources

The following policy allows a user to perform any action on any AWS resource.

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":"*", "Resource":"*" } ] }