Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Inline policies

Inline policies are policies that you create, manage, and embed directly in a user, group, or role. The following policy examples show how to assign permissions to perform Amazon Private CA actions. For general information about inline policies, see Working with Inline Policies in the IAM User Guide. You can use the Amazon Web Services Management Console, the Amazon Command Line Interface (Amazon CLI), or the IAM API to create and embed inline policies.

We strongly recommend the use of multi-factor authentication (MFA) any time you access Amazon Private CA.

Listing private CAs

The following policy allows a user to list all of the private CAs in an account.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"acm-pca:ListCertificateAuthorities",
         "Resource":"*"
      }
   ]
}

Retrieving a private CA certificate

The following policy allows a user to retrieve the certificate of the specified private CA.

{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:GetCertificateAuthorityCertificate",
      "Resource":"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
   }
}

Importing a private CA certificate

The following policy allows a user to import a certificate into the specified private CA.

{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:ImportCertificateAuthorityCertificate",
      "Resource":"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
   }
}

Deleting a private CA

The following policy allows a user to delete the specified private CA.

{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:DeleteCertificateAuthority",
      "Resource":"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
   }
}

Tag-on-create: Attaching tags to a CA at the time of creation

The following policy allows a user to create a CA and to apply tags to it during creation.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "acm-pca:CreateCertificateAuthority",
            "acm-pca:TagCertificateAuthority"
         ],
         "Effect":"Allow",
         "Resource":"*"
      }
   ]
}

Tag-on-create: Restricted tagging

The following tag-on-create policy prevents use of the key-value pair Environment=Prod during CA creation. Tagging with other key-value pairs is allowed.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"acm-pca:*",
         "Resource":"*"
      },
      {
         "Effect":"Deny",
         "Action":[
            "acm-pca:CreateCertificateAuthority",
            "acm-pca:TagCertificateAuthority"
         ],
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:RequestTag/Environment":[
                  "Prod"
               ]
            }
         }
      }
   ]
}

Controlling access to Private CA using tags

The following policy allows access only to CAs with the key-value pair Environment=PreProd. It also requires that new CAs include this tag.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:*"
         ],
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/Environment":[
                  "PreProd"
               ]
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:CreateCertificateAuthority",
            "acm-pca:TagCertificateAuthority"
         ],
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:RequestTag/Environment":[
                  "PreProd"
               ]
            }
         }
      }
   ]
}
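Both tag-based policies above stand or fall on which condition key is checked: aws:ResourceTag/... describes tags already on the CA, aws:RequestTag/... describes tags supplied in the call. This added Python example (not AWS code) implements the small slice of IAM evaluation these policies depend on and shows that a Deny keyed on aws:ResourceTag does not fire when a CA is created with Environment=Prod, while one keyed on aws:RequestTag does, and that an Allow keyed only on aws:ResourceTag implicitly denies CreateCertificateAuthority because the new CA has no tags yet. The evaluator is a deliberate simplification and the request contexts are constructed for illustration.

```python
import fnmatch
# Minimal IAM evaluator for what this page's tag-based policies rely on: explicit Deny beats
# Allow, '*' wildcards in Action, StringEquals is false when the key is absent. Resource
# matching is omitted because every policy exercised here uses "Resource": "*".
def _statement_matches(statement, action, context):
    actions = statement["Action"]
    actions = [actions] if isinstance(actions, str) else actions
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    for key, wanted in statement.get("Condition", {}).get("StringEquals", {}).items():
        wanted = [wanted] if isinstance(wanted, str) else wanted
        # On a create call the CA does not exist yet, so aws:ResourceTag/* is absent -> false.
        if context.get(key) not in wanted:
            return False
    return True
def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action and request context."""
    statements = policy["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    effects = {s["Effect"] for s in statements if _statement_matches(s, action, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def deny_prod_tag_policy(condition_key):
    """The page's 'Restricted tagging' policy, with its Deny keyed on condition_key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "acm-pca:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "acm-pca:TagCertificateAuthority", "Resource": "*",
         "Condition": {"StringEquals": {condition_key: ["Prod"]}}}]}

# The page's 'Controlling access using tags' policy: a single Allow keyed on the resource tag.
PREPROD_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["acm-pca:*"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": ["PreProd"]}}}]}

# Constructed request contexts: at tag-on-create time only request tags exist.
CREATE_TAGGED_PROD = {"aws:RequestTag/Environment": "Prod"}
CREATE_TAGGED_PREPROD = {"aws:RequestTag/Environment": "PreProd"}

def compare_deny_keys():  # which key actually blocks creating a CA tagged Environment=Prod?
    return {key: evaluate(deny_prod_tag_policy(f"aws:{key}/Environment"),
                          "acm-pca:TagCertificateAuthority", CREATE_TAGGED_PROD)
            for key in ("ResourceTag", "RequestTag")}
def preprod_create():  # can a CA tagged PreProd be created when the only Allow is on ResourceTag?
    return evaluate(PREPROD_ONLY_POLICY, "acm-pca:CreateCertificateAuthority", CREATE_TAGGED_PREPROD)

if __name__ == "__main__":
    print(compare_deny_keys(), preprod_create())  # {'ResourceTag': 'Allow', 'RequestTag': 'Deny'} ImplicitDeny
```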
             
         
    
 
         
             
Read-only access to Amazon Private CA

The following policy allows a user to describe and list private certificate authorities and to retrieve the private CA certificate and certificate chain.

{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":[
         "acm-pca:DescribeCertificateAuthority",
         "acm-pca:DescribeCertificateAuthorityAuditReport",
         "acm-pca:ListCertificateAuthorities",
         "acm-pca:ListTags",
         "acm-pca:GetCertificateAuthorityCertificate",
         "acm-pca:GetCertificateAuthorityCsr",
         "acm-pca:GetCertificate"
      ],
      "Resource":"*"
   }
}

Full access to Amazon Private CA

The following policy allows a user to perform any Amazon Private CA action.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:*"
         ],
         "Resource":"*"
      }
   ]
}