Listing private CAs Retrieving a private CA certificate Importing a private CA certificate Deleting a private CA Tag-on-create: Attaching tags to a CA at the time of creation Tag-on-create: Restricted tagging Controlling access to Private CA using tags Read-only access to AWS Private CA Full access to AWS Private CA Administrator access to all AWS resources

Inline policies

Inline policies are policies that you create and manage and embed directly into a user, group, or role. The following policy examples show how to assign permissions to perform AWS Private CA actions. For general information about inline policies, see Working with Inline Policies in the IAM User Guide. You can use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API to create and embed inline policies.

Important

We strongly recommend the use of multi-factor authentication (MFA) any time you access AWS Private CA.

Topics

Listing private CAs
Retrieving a private CA certificate
Importing a private CA certificate
Deleting a private CA
Tag-on-create: Attaching tags to a CA at the time of creation
Tag-on-create: Restricted tagging
Controlling access to Private CA using tags
Read-only access to AWS Private CA
Full access to AWS Private CA
Administrator access to all AWS resources

Listing private CAs

The following policy allows a user to list all of the private CAs in an account.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"acm-pca:ListCertificateAuthorities",
         "Resource":"*"
      }
   ]
}

Retrieving a private CA certificate

The following policy allows a user to retrieve a specific private CA certificate.


{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:GetCertificateAuthorityCertificate",
      "Resource":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
   }
}

Importing a private CA certificate

The following policy allows a user to import a private CA certificate.


{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:ImportCertificateAuthorityCertificate",
      "Resource":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
   }
}

Deleting a private CA

The following policy allows a user to delete a specific private CA.


{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:DeleteCertificateAuthority",
      "Resource":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
   }
}

Tag-on-create: Attaching tags to a CA at the time of creation

The following policy allows a user to apply tags during CA creation.


{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Action": [
            "acm-pca:CreateCertificateAuthority",
            "acm-pca:TagCertificateAuthority"
         ],
         "Effect": "Allow",
         "Resource": "*"
      }
   ]  
}

Tag-on-create: Restricted tagging

The following tag-on-create policy prevents use of the key-value pair Environment=Prod during CA creation. Tagging with other key-value pairs is allowed.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"acm-pca:*",
         "Resource":"*"
      },
      {
         "Effect":"Deny",
         "Action":"acm-pca:TagCertificateAuthority",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/Environment":[
                  "Prod"
               ]
            }
         }
      }
   ]
}

Controlling access to Private CA using tags

The following policy allows access only to CAs with the key-value pair Environment=PreProd. It also requires that new CAs include this tag.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:*"
         ],
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/Environment":[
                  "PreProd"
               ]
            }
         }
      }
   ]
}

Read-only access to AWS Private CA

The following policy allows a user to describe and list private certificate authorities and to retrieve the private CA certificate and certificate chain.


{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":[
         "acm-pca:DescribeCertificateAuthority",
         "acm-pca:DescribeCertificateAuthorityAuditReport",
         "acm-pca:ListCertificateAuthorities",
         "acm-pca:ListTags",
         "acm-pca:GetCertificateAuthorityCertificate",
         "acm-pca:GetCertificateAuthorityCsr",
         "acm-pca:GetCertificate"
      ],
      "Resource":"*"
   }
}

Full access to AWS Private CA

The following policy allows a user to perform any AWS Private CA action.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:*"
         ],
         "Resource":"*"
      }
   ]
}

Administrator access to all AWS resources

The following policy allows a user to perform any action on any AWS resource.


{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"*",
         "Resource":"*"
      }
   ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Customer managed policies

Cross-account access