ACM API permissions: Actions and resources reference

When you set up access control and write permissions policies that you can attach to an IAM user or role, you can use the following table as a reference. The first column in the table lists each AWS Certificate Manager API operation. You specify actions in a policy's Action element. The remaining columns provide the additional information:

You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the acm: prefix followed by the API operation name (for example, acm:RequestCertificate).

Use the scroll bars to see the rest of the table.

ACM API operations and permissions
ACM API Operations	Required Permissions (API Operations)	Resources
AddTagsToCertificate	acm:AddTagsToCertificate	arn:aws:acm:region:account:certificate/certificate_ID
DeleteCertificate	acm:DeleteCertificate	arn:aws:acm:region:account:certificate/certificate_ID
DescribeCertificate	acm:DescribeCertificate	arn:aws:acm:region:account:certificate/certificate_ID
ExportCertificate	acm:ExportCertificate	arn:aws:acm:region:account:certificate/certificate_ID
GetAccountConfiguration	acm:GetAccountConfiguration	*
GetCertificate	acm:GetCertificate	arn:aws:acm:region:account:certificate/certificate_ID
ImportCertificate	acm:ImportCertificate	arn:aws:acm:region:account:certificate/* or *
ListCertificates	acm:ListCertificates	*
ListTagsForCertificate	acm:ListTagsForCertificate	arn:aws:acm:region:account:certificate/certificate_ID
PutAccountConfiguration	acm:PutAccountConfiguration	*
RemoveTagsFromCertificate	acm:RemoveTagsFromCertificate	arn:aws:acm:region:account:certificate/certificate_ID
RequestCertificate	acm:RequestCertificate	arn:aws:acm:region:account:certificate/* or *
ResendValidationEmail	acm:ResendValidationEmail	arn:aws:acm:region:account:certificate/certificate_ID
UpdateCertificateOptions	acm:UpdateCertificateOptions	arn:aws:acm:region:account:certificate/certificate_ID