ACM API permissions: Actions and resources reference - AWS Certificate Manager

ACM API permissions: Actions and resources reference

When you set up access control and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The first column in the table lists each AWS Certificate Manager API operation. You specify actions in a policy's Action element. The remaining columns provide the additional information:

You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the acm: prefix followed by the API operation name (for example, acm:RequestCertificate).

Use the scroll bars to see the rest of the table.

ACM API operations and permissions
ACM API Operations Required Permissions (API Operations) Resources

AddTagsToCertificate

acm:AddTagsToCertificate

arn:aws:acm:region:account:certificate/certificate_ID

DeleteCertificate

acm:DeleteCertificate

arn:aws:acm:region:account:certificate/certificate_ID

DescribeCertificate

acm:DescribeCertificate

arn:aws:acm:region:account:certificate/certificate_ID

ExportCertificate

acm:ExportCertificate

arn:aws:acm:region:account:certificate/certificate_ID

GetAccountConfiguration

acm:GetAccountConfiguration

*

GetCertificate

acm:GetCertificate

arn:aws:acm:region:account:certificate/certificate_ID

ImportCertificate

acm:ImportCertificate

arn:aws:acm:region:account:certificate/*

or

*

ListCertificates

acm:ListCertificates

*

ListTagsForCertificate

acm:ListTagsForCertificate

arn:aws:acm:region:account:certificate/certificate_ID

PutAccountConfiguration

acm:PutAccountConfiguration

*

RemoveTagsFromCertificate

acm:RemoveTagsFromCertificate

arn:aws:acm:region:account:certificate/certificate_ID

RequestCertificate

acm:RequestCertificate

arn:aws:acm:region:account:certificate/*

or

*

ResendValidationEmail

acm:ResendValidationEmail

arn:aws:acm:region:account:certificate/certificate_ID

UpdateCertificateOptions

acm:UpdateCertificateOptions

arn:aws:acm:region:account:certificate/certificate_ID