ACM API permissions: Actions and resources reference - AWS Certificate Manager

ACM API permissions: Actions and resources reference

When you set up access control and write permissions policies that you can attach to an IAM user or role, you can use the following table as a reference. The first column in the table lists each AWS Certificate Manager API operation. You specify actions in a policy's Action element. The remaining columns provide the additional information:

You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the acm: prefix followed by the API operation name (for example, acm:RequestCertificate).

Use the scroll bars to see the rest of the table.

ACM API operations and permissions
ACM API Operations Required Permissions (API Operations) Resources

AddTagsToCertificate

acm:AddTagsToCertificate

arn:aws:acm:region:account:certificate/certificate_ID

DeleteCertificate

acm:DeleteCertificate

arn:aws:acm:region:account:certificate/certificate_ID

DescribeCertificate

acm:DescribeCertificate

arn:aws:acm:region:account:certificate/certificate_ID

ExportCertificate

acm:ExportCertificate

arn:aws:acm:region:account:certificate/certificate_ID

GetAccountConfiguration

acm:GetAccountConfiguration

*

GetCertificate

acm:GetCertificate

arn:aws:acm:region:account:certificate/certificate_ID

ImportCertificate

acm:ImportCertificate

arn:aws:acm:region:account:certificate/*

or

*

ListCertificates

acm:ListCertificates

*

ListTagsForCertificate

acm:ListTagsForCertificate

arn:aws:acm:region:account:certificate/certificate_ID

PutAccountConfiguration

acm:PutAccountConfiguration

*

RemoveTagsFromCertificate

acm:RemoveTagsFromCertificate

arn:aws:acm:region:account:certificate/certificate_ID

RequestCertificate

acm:RequestCertificate

arn:aws:acm:region:account:certificate/*

or

*

ResendValidationEmail

acm:ResendValidationEmail

arn:aws:acm:region:account:certificate/certificate_ID

UpdateCertificateOptions

acm:UpdateCertificateOptions

arn:aws:acm:region:account:certificate/certificate_ID