AWS managed policies - AWS Private Certificate Authority

AWS managed policies

AWS Private CA includes a set of predefined AWS managed policies for AWS Private CA administrators, users, and auditors. Understanding how these policies are scoped can help you write your own customer managed policies.

Choose any of the policies listed below to see details and sample policy code.

AWSPrivateCAFullAccess

Grants unrestricted administrative control.

For a JSON listing of the policy details, see AWSPrivateCAFullAccess.

AWSPrivateCAReadOnly

Grants access limited to read-only API operations.

For a JSON listing of the policy details, see AWSPrivateCAReadOnly.

AWSPrivateCAPrivilegedUser

Grants the ability to issue and revoke CA certificates. This policy has no other administrative capabilities and no ability to issue end-entity certificates. Its permissions are mutually exclusive with those of the User policy.

For a JSON listing of the policy details, see AWSPrivateCAPrivilegedUser.

AWSPrivateCAUser

Grants the ability to issue and revoke end-entity certificates. This policy has no administrative capabilities and no ability to issue CA certificates. Its permissions are mutually exclusive with those of the PrivilegedUser policy.

For a JSON listing of the policy details, see AWSPrivateCAUser.

AWSPrivateCAAuditor

Grants access to read-only API operations and permission to generate a CA audit report.

For a JSON listing of the policy details, see AWSPrivateCAAuditor.

AWSPrivateCAConnectorForKubernetesPolicy

Grants the essential permissions required by the AWS Private CA Connector for Kubernetes.

For a JSON listing of the policy details, see AWSPrivateCAConnectorForKubernetesPolicy.
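The managed policies above separate CA issuance from end-entity issuance by conditioning acm-pca:IssueCertificate on the template ARN. The following customer managed policy is an added example, not one of the AWS managed policies and not copied from the linked JSON: it applies the same idea to a single CA, allowing a principal to issue only end-entity certificates from that CA. The CA ARN (region, account ID, and CA UUID) is a placeholder you must replace with your own; the wildcard template ARN form arn:aws:acm-pca:*:*:template/... is the one the managed policies adopted in the January 22, 2025 update.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IssueEndEntityCertificatesFromOneCA",
      "Effect": "Allow",
      "Action": "acm-pca:IssueCertificate",
      "Resource": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555",
      "Condition": {
        "ArnLike": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*"
        }
      }
    },
    {
      "Sid": "RetrieveIssuedCertificates",
      "Effect": "Allow",
      "Action": "acm-pca:GetCertificate",
      "Resource": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555"
    }
  ]
}
```

Two design points. First, acm-pca:GetCertificate is in its own statement: the acm-pca:TemplateArn condition key is only present on IssueCertificate requests, and a condition on a key that is absent from the request does not match, so putting GetCertificate under the same conditioned statement would silently deny it. Second, the condition is an allow-list (ArnLike on the end-entity template) rather than a deny-list of CA templates, so a new template family added later is not issuable until you opt in. When you test the policy, pass the TemplateArn explicitly in every IssueCertificate call and confirm that a request naming a CA template (for example, the SubordinateCACertificate templates) is rejected while the end-entity template succeeds.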

Updates to AWS managed policies for AWS Private CA

In the following table, view details about updates to AWS managed policies for AWS Private CA since the service began tracking these changes. For automatic alerts about all changes to AWS Private CA, subscribe to the RSS feed on the Document History page.

Managed policy changes
Change Description Date

New Policy: AWSPrivateCAConnectorForKubernetesPolicy

New managed policy introduced for use with AWS Private CA Connector for Kubernetes.

May 19, 2025

AWSPrivateCAPrivilegedUser and AWSPrivateCAUser - Updated policy

Replaced the StringLike condition operator with ArnLike, and StringNotLike with ArnNotLike.

Updated the template ARN in the conditions to use wildcards for the region and account fields: arn:aws:acm-pca:::template became arn:aws:acm-pca:*:*:template.

January 22, 2025

New policy names:

  • AWSPrivateCAFullAccess

  • AWSPrivateCAReadOnly

  • AWSPrivateCAPrivilegedUser

  • AWSPrivateCAAuditor

  • AWSPrivateCAUser

Policy name prefixes were changed from AWSCertificateManagerPrivateCA to AWSPrivateCA.

Functionality remains unchanged.

February 13, 2023