ACM API permissions: Actions and resources reference - Amazon Certificate Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

ACM API permissions: Actions and resources reference

When you set up access control and write permissions policies that you can attach to an IAM user or role, you can use the following table as a reference. The first column in the table lists each Amazon Certificate Manager API operation. You specify actions in a policy's Action element. The remaining columns provide the additional information:

You can use the IAM policy elements in your ACM policies to express conditions. For a complete list, see Available Keys in the IAM User Guide.

Note

To specify an action, use the acm: prefix followed by the API operation name (for example, acm:RequestCertificate).

If you see an expand arrow () in the upper-right corner of the table, you can open the table in a new window. To close the window, choose the close button (X) in the lower-right corner.

ACM API operations and permissions
ACM API Operations Required Permissions (API Operations) Resources

AddTagsToCertificate

acm:AddTagsToCertificate

arn:aws:acm:region:account:certificate/certificate_ID

DeleteCertificate

acm:DeleteCertificate

arn:aws:acm:region:account:certificate/certificate_ID

DescribeCertificate

acm:DescribeCertificate

arn:aws:acm:region:account:certificate/certificate_ID

ExportCertificate

acm:ExportCertificate

arn:aws:acm:region:account:certificate/certificate_ID

GetAccountConfiguration

acm:GetAccountConfiguration

*

GetCertificate

acm:GetCertificate

arn:aws:acm:region:account:certificate/certificate_ID

ImportCertificate

acm:ImportCertificate

arn:aws:acm:region:account:certificate/*

or

*

ListCertificates

acm:ListCertificates

*

ListTagsForCertificate

acm:ListTagsForCertificate

arn:aws:acm:region:account:certificate/certificate_ID

PutAccountConfiguration

acm:PutAccountConfiguration

*

RemoveTagsFromCertificate

acm:RemoveTagsFromCertificate

arn:aws:acm:region:account:certificate/certificate_ID

RequestCertificate

acm:RequestCertificate

arn:aws:acm:region:account:certificate/*

or

*

ResendValidationEmail

acm:ResendValidationEmail

arn:aws:acm:region:account:certificate/certificate_ID

UpdateCertificateOptions

acm:UpdateCertificateOptions

arn:aws:acm:region:account:certificate/certificate_ID