Amazon managed policies - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies

Amazon Private CA includes a set of predefined Amazon managed policies for Amazon Private CA administrators, users, and auditors. Understanding these policies can help you implement customer managed policies.

The managed policies are listed below; each entry links to the JSON listing of the policy.

AWSPrivateCAFullAccess

Grants unrestricted administrative control over Amazon Private CA.

For a JSON listing of the policy details, see AWSPrivateCAFullAccess.

AWSPrivateCAReadOnly

Grants access limited to read-only API operations.

For a JSON listing of the policy details, see AWSPrivateCAReadOnly.

AWSPrivateCAPrivilegedUser

Grants the ability to issue and revoke CA certificates. This policy has no other administrative capabilities and no ability to issue end-entity certificates. Its permissions are mutually exclusive with those of the User policy.

For a JSON listing of the policy details, see AWSPrivateCAPrivilegedUser.

AWSPrivateCAUser

Grants the ability to issue and revoke end-entity certificates. This policy has no administrative capabilities and no ability to issue CA certificates. Its permissions are mutually exclusive with those of the PrivilegedUser policy.

For a JSON listing of the policy details, see AWSPrivateCAUser.

AWSPrivateCAAuditor

Grants access to read-only API operations and permission to generate a CA audit report.

For a JSON listing of the policy details, see AWSPrivateCAAuditor.

AWSPrivateCAConnectorForKubernetesPolicy

Grants the permissions required by the Amazon Private CA Connector for Kubernetes.

For a JSON listing of the policy details, see AWSPrivateCAConnectorForKubernetesPolicy.
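The point that the PrivilegedUser and User policies are mutually exclusive, and the ArnLike/ArnNotLike condition operators on the template ARN noted in the change history below, can be checked offline by evaluating two policies of that shape. The following Python is an added example and is not the published JSON of either managed policy and not Amazon's code: the statement shapes, the template pattern arn:aws:acm-pca:*:*:template/*CACertificate*/V*, the CA ARN and the example account number are assumptions made for illustration, while the acm-pca:TemplateArn condition key and the component-wise matching of ArnLike are documented IAM behaviour. Fetch the real policy JSON from the listings linked above before relying on it.

```python
"""Added example: offline evaluation of template-ARN conditions of the kind that keep the
User and PrivilegedUser policies mutually exclusive. The policy statements below are an
illustrative approximation of the managed policies, not their published JSON."""
import re


def _glob_to_regex(pattern: str) -> str:
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def string_like(pattern: str, value: str) -> bool:
    """StringLike: the whole value is one glob, so '*' runs across ':' and '/'."""
    return re.fullmatch(_glob_to_regex(pattern), value) is not None


def arn_like(pattern: str, value: str) -> bool:
    """ArnLike: each of the six colon-delimited ARN components is matched on its own, so a
    wildcard in one component cannot swallow the next, and an empty Region or account
    component in the pattern matches only an empty component in the value."""
    p_parts, v_parts = pattern.split(":", 5), value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(re.fullmatch(_glob_to_regex(p), v) is not None for p, v in zip(p_parts, v_parts))


OPERATORS = {
    "ArnLike": arn_like,
    "ArnNotLike": lambda p, v: not arn_like(p, v),
    "StringLike": string_like,
    "StringNotLike": lambda p, v: not string_like(p, v),
}


def _condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold. Simplification: a key missing from the request
    context makes the statement inapplicable, whatever the operator."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None:
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            # Positive operators: match at least one pattern. Negated: match none of them.
            if "Not" in operator:
                ok = all(match(p, value) for p in patterns)
            else:
                ok = any(match(p, value) for p in patterns)
            if not ok:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Simplified IAM decision: an applicable explicit Deny wins, then any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(string_like(a, action) for a in actions):
            continue
        if not arn_like(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Assumed patterns for illustration; the managed policies' real values are in their JSON listings.
CA_TEMPLATES = "arn:aws:acm-pca:*:*:template/*CACertificate*/V*"
ANY_CA = "arn:aws:acm-pca:*:*:certificate-authority/*"

# User-style: issue with any template except a CA template.
USER_STYLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "acm-pca:IssueCertificate", "Resource": ANY_CA,
     "Condition": {"ArnNotLike": {"acm-pca:TemplateArn": [CA_TEMPLATES]}}},
    {"Effect": "Deny", "Action": "acm-pca:IssueCertificate", "Resource": ANY_CA,
     "Condition": {"ArnLike": {"acm-pca:TemplateArn": [CA_TEMPLATES]}}},
]}

# PrivilegedUser-style: the mirror image, so no template is allowed by both.
PRIVILEGED_STYLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "acm-pca:IssueCertificate", "Resource": ANY_CA,
     "Condition": {"ArnLike": {"acm-pca:TemplateArn": [CA_TEMPLATES]}}},
    {"Effect": "Deny", "Action": "acm-pca:IssueCertificate", "Resource": ANY_CA,
     "Condition": {"ArnNotLike": {"acm-pca:TemplateArn": [CA_TEMPLATES]}}},
]}

# Constructed CA ARN (example Region and account number, not a real CA).
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11111111-2222-3333-4444-555555555555"


def who_can_issue(template_arn: str) -> dict:
    """Decision of each policy style for an IssueCertificate call with the given template."""
    ctx = {"acm-pca:TemplateArn": template_arn}
    return {name: evaluate(pol, "acm-pca:IssueCertificate", CA_ARN, ctx)
            for name, pol in (("User", USER_STYLE), ("PrivilegedUser", PRIVILEGED_STYLE))}


if __name__ == "__main__":
    for t in ("arn:aws:acm-pca:::template/EndEntityCertificate/V1",
              "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"):
        print(t.rsplit("/", 2)[-2], who_can_issue(t))
```

Revocation permissions and the full statement lists of the real policies are not modelled; the example isolates the template-ARN gate that makes the two roles disjoint. Comparing arn_like with the pattern arn:aws:acm-pca:::template/* against an ARN that carries a Region and account also shows why the pattern needs * in those two components under ArnLike, where StringLike would have let a single * run across the colons.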

Updates to Amazon managed policies for Amazon Private CA

In the following table, view details about updates to Amazon managed policies for Amazon Private CA since the service began tracking these changes. For automatic alerts about all changes to Amazon Private CA, subscribe to the RSS feed on the Document History page.

Managed policy changes

Change: New policy: AWSPrivateCAConnectorForKubernetesPolicy
Description: New managed policy introduced for use with Amazon Private CA Connector for Kubernetes.
Date: May 19, 2025

Change: AWSPrivateCAPrivilegedUser and AWSPrivateCAUser - updated policy
Description: Replaced the StringLike condition operator with ArnLike, and StringNotLike with ArnNotLike. Updated the template ARN pattern to include wildcards for the Region and account components: arn:aws:acm-pca:::template became arn:aws:acm-pca:*:*:template.
Date: January 22, 2025

Change: New policy names:
  • AWSPrivateCAFullAccess
  • AWSPrivateCAReadOnly
  • AWSPrivateCAPrivilegedUser
  • AWSPrivateCAAuditor
  • AWSPrivateCAUser
Description: Policy name prefixes were changed from AWSCertificateManagerPrivateCA to AWSPrivateCA. Functionality remains unchanged.
Date: February 13, 2023