Customer managed policies
As a best practice, don't use your Amazon Web Services account root user to interact with Amazon services, including Amazon Private CA. Instead, use Amazon Identity and Access Management (IAM) to create an IAM user, IAM role, or federated user. Create an administrator group, add yourself to it, and then sign in as that administrator. Add additional users to the group as needed.
Another best practice is to create a customer managed IAM policy that you can assign to users. Customer managed policies are standalone identity-based policies that you create and which you can attach to multiple users, groups, or roles in your Amazon account. Such a policy restricts users to performing only the Amazon Private CA actions that you specify; any action the policy does not explicitly allow is denied by default.
The following example customer managed policy allows a user to create a CA audit report. This is an example only. You can choose any Amazon Private CA operations that you want. For more examples, see Inline policies.
To create a customer managed policy

1. Sign in to the IAM console using the credentials of an Amazon administrator.
2. In the navigation pane of the console, choose Policies.
3. Choose Create policy.
4. Choose the JSON tab.
5. Copy the following policy and paste it into the editor.

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": "acm-pca:CreateCertificateAuthorityAuditReport",
         "Resource": "*"
       }
     ]
   }

6. Choose Review policy.
7. For Name, type PcaListPolicy.
8. (Optional) Type a description.
9. Choose Create policy.
An administrator can attach the policy to any IAM user to limit what Amazon Private CA actions the user can perform. For ways to apply a permissions policy, see Changing Permissions for an IAM User in the IAM User Guide.
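The console steps above can be reproduced and checked from code. The following Python is an added example, not code from the Amazon documentation: it builds the same policy document, runs a small least-privilege check over it (wildcard actions, actions outside the acm-pca namespace, and Allow statements with a bare "*" Resource), and returns the equivalent AWS CLI commands as strings so that nothing is executed here. The lint function, the account ID 123456789012, the user name alice, and the partition handling are assumptions for illustration; which Private CA actions accept a CA ARN as Resource is not checked by this code and should be confirmed in the IAM action table for Private CA.

```python
"""Build and sanity-check a customer managed policy for Amazon Private CA.

Added example, not from the Amazon documentation. Names marked as
placeholders are assumptions; replace them with your own values.
"""
import json

# IAM service prefix for Amazon Private CA, as used in the page's policy.
PCA_PREFIX = "acm-pca:"


def build_policy(actions, resource="*"):
    """Return an identity-based policy document that allows only `actions`."""
    if isinstance(actions, str):
        actions = [actions]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        ],
    }


def lint_policy(policy):
    """Return least-privilege findings that can be read off the document itself.

    Flags: a bare "*" action, a service-wide "<service>:*" action, actions that
    are not Private CA actions, and Allow statements whose Resource is "*".
    It does not know which actions support resource-level scoping.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: grants every action on every service")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: {action} grants every action in the service")
            elif not action.startswith(PCA_PREFIX):
                findings.append(f"statement {i}: {action} is not a Private CA action")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" in resources:
            findings.append(
                f"statement {i}: Resource is '*'; scope to a CA ARN where the action allows it"
            )
    return findings


def cli_commands(policy_name, policy, user_name, account_id="123456789012", partition="aws"):
    """Return the CLI equivalents of the console steps, as strings (not run here).

    account_id is a placeholder; partition is "aws-cn" in the China regions.
    """
    doc = json.dumps(policy, separators=(",", ":"))
    create = f"aws iam create-policy --policy-name {policy_name} --policy-document '{doc}'"
    policy_arn = f"arn:{partition}:iam::{account_id}:policy/{policy_name}"
    attach = f"aws iam attach-user-policy --user-name {user_name} --policy-arn {policy_arn}"
    return [create, attach]


if __name__ == "__main__":
    # Same grant as the page's example: audit-report creation on any CA.
    policy = build_policy("acm-pca:CreateCertificateAuthorityAuditReport")
    print(json.dumps(policy, indent=2))
    for finding in lint_policy(policy):
        print("finding:", finding)
    for cmd in cli_commands("PcaListPolicy", policy, "alice"):  # alice is a placeholder
        print(cmd)
```

Run stand-alone, the script prints the policy, one finding (the page's example uses Resource "*"), and the two CLI commands an administrator would run instead of clicking through the console. Pass a CA ARN as `resource` to `build_policy` to silence the finding for actions that accept one.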