Identity and Access Management (IAM) for AWS Private Certificate Authority

Access to AWS Private CA requires credentials that AWS can use to authenticate your requests. The following topics provide details on how you can use AWS Identity and Access Management (IAM) to help secure your private certificate authorities (CAs) by controlling who can access them.

In AWS Private CA, the primary resource that you work with is a certificate authority (CA). Every private CA that you own or control is identified by an Amazon Resource Name (ARN), which has the following form.

arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566

A resource owner is the principal entity of the AWS account in which an AWS resource is created. The following examples illustrate how this works.

• If you use the credentials of your AWS account root user to create a private CA, your AWS account owns the CA.

  Important

  • We do not advise using an AWS account root user to create CAs.

  • We strongly recommend the use of multi-factor authentication (MFA) any time you access AWS Private CA.

• If you create an IAM user in your AWS account, you can grant that user permission to create a private CA. However, the account to which that user belongs owns the CA.

• If you create an IAM role in your AWS account and grant it permission to create a private CA, anyone who can assume the role can create the CA. However, the account to which the role belongs will own the private CA.

A permissions policy describes who has access to what. The following discussion explains the available options for creating permissions policies.

Note

This documentation discusses using IAM in the context of AWS Private CA. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference.