Resource-based policies - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resource-based policies

Resource-based policies are permissions policies that you create and manually attach to a resource (in this case, a private CA) rather than to a user identity or role. Or, instead of creating your own policies, you can use Amazon managed policies for Amazon Private CA. Using Amazon RAM to apply a resource-based policy, an Amazon Private CA administrator can share access to a CA with a user in a different Amazon account directly or through Amazon Organizations. Alternatively, an Amazon Private CA administrator can use the PCA APIs PutPolicy, GetPolicy, and DeletePolicy, or the corresponding Amazon CLI commands put-policy, get-policy, and delete-policy, to apply and manage resource-based policies.

For general information about resource-based policies, see Identity-Based Policies and Resource-Based Policies and Controlling Access Using Policies.

To view the list of Amazon managed resource-based policies for Amazon Private CA, navigate to the Managed permissions library in the Amazon Resource Access Manager console, and search for CertificateAuthority. As with any policy, before you apply it, we recommend applying the policy in a test environment to ensure that it meets your requirements.

Amazon Private CA also supports RAM customer managed permissions, which allow you to define a custom combination of actions from the following set: DescribeCertificateAuthority, GetCertificate, GetCertificateAuthorityCertificate, ListPermissions, ListTags, IssueCertificate, and RevokeCertificate. Customer managed permissions give you the flexibility to grant least-privilege access – for example, granting read-only access to some accounts while allowing others to issue and revoke certificates. For more information, see Customer managed permissions in RAM.

Amazon Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. When you grant permission to the IssueCertificate action, you can restrict the certificate templates used for certificate issuance by adding an acm-pca:TemplateArn condition to the policy.
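The following Python helper is an added example, not code from the Amazon Private CA documentation or from any AWS SDK. It builds the policy document that put-policy expects, in either of the two shapes this page shows (a single account as the principal, or Principal "*" scoped by aws:PrincipalOrgID with the CA owner's own account excluded), restricts the action list to the seven actions the page names as grantable, and attaches the acm-pca:TemplateArn condition to IssueCertificate only. The function name, the Sid values and the CA/account/organization IDs in the usage block are constructed for illustration; the template ARN is derived in the same partition as the CA ARN, as in the page's examples.

```python
import json

# The seven actions this page lists as grantable for a shared private CA.
SUPPORTED_ACTIONS = frozenset({
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:GetCertificate",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:ListPermissions",
    "acm-pca:ListTags",
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
})
ISSUE = "acm-pca:IssueCertificate"


def build_share_policy(ca_arn, actions, *, account=None, org_id=None, template=None):
    """Build a CA resource-based policy as a dict (hypothetical helper, not an AWS API).

    Exactly one of `account` (share with one account, Principal = account ID) or
    `org_id` (share with an organization: Principal "*", an aws:PrincipalOrgID
    condition, and the CA owner's own account excluded, as policy2.json on this
    page does) is required. `template`, e.g. "EndEntityCertificate/V1", restricts
    acm-pca:IssueCertificate with an acm-pca:TemplateArn condition in the CA's partition.
    """
    actions = list(dict.fromkeys(actions))  # drop duplicates, keep caller's order
    unknown = sorted(set(actions) - SUPPORTED_ACTIONS)
    if unknown:
        raise ValueError(f"not grantable through a CA resource policy: {unknown}")
    if (account is None) == (org_id is None):
        raise ValueError("pass exactly one of account= or org_id=")
    if template is not None and ISSUE not in actions:
        raise ValueError(f"template= only applies when {ISSUE} is granted")

    # arn:<partition>:acm-pca:<region>:<owner account>:certificate-authority/<id>
    parts = ca_arn.split(":")
    partition, owner = parts[1], parts[4]

    def statement(sid, acts, extra_equals=None):
        stmt = {"Sid": sid, "Effect": "Allow", "Action": acts, "Resource": ca_arn}
        if account is not None:
            stmt["Principal"] = {"AWS": account}
            cond = {}
        else:
            stmt["Principal"] = "*"
            cond = {"StringEquals": {"aws:PrincipalOrgID": org_id},
                    "StringNotEquals": {"aws:PrincipalAccount": owner}}
        if extra_equals:
            cond.setdefault("StringEquals", {}).update(extra_equals)
        if cond:
            stmt["Condition"] = cond
        return stmt

    statements = []
    read_like = [a for a in actions if a != ISSUE]
    if read_like:
        statements.append(statement("SharedCaActions", read_like))
    if ISSUE in actions:
        tmpl = None
        if template is not None:
            tmpl = {"acm-pca:TemplateArn": f"arn:{partition}:acm-pca:::template/{template}"}
        statements.append(statement("SharedCaIssueCertificate", [ISSUE], tmpl))
    return {"Version": "2012-10-17", "Statement": statements}


def to_policy_json(policy):
    """Serialise for `aws acm-pca put-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed values; the CA ARN follows the shape of the page's examples.
    ca = "arn:aws-cn:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
    print(to_policy_json(build_share_policy(
        ca, ["acm-pca:GetCertificate", ISSUE],
        org_id="o-a1b2c3d4z5", template="EndEntityCertificate/V1")))
```

Write the output to a file and pass it as `--policy file://...` to put-policy; generating the document this way keeps the action list inside the grantable set and makes it impossible to forget the owner-account exclusion in the organization form.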

Policy examples

This section provides example cross-account policies for various needs. In all cases, the following command pattern is used to apply a policy:

$ aws acm-pca put-policy \
    --region region \
    --resource-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \
    --policy file:///[path]/policyN.json

In addition to specifying the ARN of a CA, the administrator provides an Amazon account ID or an Amazon Organizations ID that will be granted access to the CA. The JSON of each of the following policies is formatted as a file for readability, but can also be supplied as an inline CLI argument.

Note

The structure of the JSON resource-based policies shown below must be followed precisely. Only the ID fields for the principals (the Amazon account number or the Amazon Organizations ID) and the CA ARNs can be configured by customers.

  1. File: policy1.json – Sharing access to a CA with a user in a different account

    Replace 555555555555 with the Amazon account ID that's sharing the CA.

    For the resource ARN, replace the following with your own values:

    • aws - The Amazon partition. For example, aws, aws-us-gov, aws-cn, etc.

    • us-east-1 - The Amazon Region that the resource is available in, such as us-west-1.

    • 111122223333 - The Amazon account ID of the resource owner.

    • 11223344-1234-1122-2233-112233445566 - The resource ID of the certificate authority.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ExampleStatementID",
          "Effect": "Allow",
          "Principal": {
            "AWS": "555555555555"
          },
          "Action": [
            "acm-pca:DescribeCertificateAuthority",
            "acm-pca:GetCertificate",
            "acm-pca:GetCertificateAuthorityCertificate",
            "acm-pca:ListPermissions",
            "acm-pca:ListTags"
          ],
          "Resource": "arn:aws-cn:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
        },
        {
          "Sid": "ExampleStatementID2",
          "Effect": "Allow",
          "Principal": {
            "AWS": "555555555555"
          },
          "Action": [
            "acm-pca:IssueCertificate"
          ],
          "Resource": "arn:aws-cn:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID",
          "Condition": {
            "StringEquals": {
              "acm-pca:TemplateArn": "arn:aws-cn:acm-pca:::template/EndEntityCertificate/V1"
            }
          }
        }
      ]
    }

  2. File: policy2.json – Sharing access to a CA through Amazon Organizations

    Replace o-a1b2c3d4z5 with the Amazon Organizations ID.

    For the resource ARN, replace the following with your own values:

    • aws - The Amazon partition. For example, aws, aws-us-gov, aws-cn, etc.

    • us-east-1 - The Amazon Region that the resource is available in, such as us-west-1.

    • 111122223333 - The Amazon account ID of the resource owner.

    • 11223344-1234-1122-2233-112233445566 - The resource ID of the certificate authority.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ExampleStatementID3",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "acm-pca:IssueCertificate",
          "Resource": "arn:aws-cn:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID",
          "Condition": {
            "StringEquals": {
              "acm-pca:TemplateArn": "arn:aws-cn:acm-pca:::template/EndEntityCertificate/V1",
              "aws:PrincipalOrgID": "o-a1b2c3d4z5"
            },
            "StringNotEquals": {
              "aws:PrincipalAccount": "111122223333"
            }
          }
        },
        {
          "Sid": "ExampleStatementID4",
          "Effect": "Allow",
          "Principal": "*",
          "Action": [
            "acm-pca:DescribeCertificateAuthority",
            "acm-pca:GetCertificate",
            "acm-pca:GetCertificateAuthorityCertificate",
            "acm-pca:ListPermissions",
            "acm-pca:ListTags"
          ],
          "Resource": "arn:aws-cn:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalOrgID": "o-a1b2c3d4z5"
            },
            "StringNotEquals": {
              "aws:PrincipalAccount": "111122223333"
            }
          }
        }
      ]
    }
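To see what policy2.json actually grants before applying it, the following added example (not code from the Amazon Private CA documentation) runs a deliberately small evaluator over the policy with a few constructed request contexts. It handles only what these two policies use: Principal "*" or an account ID, the StringEquals and StringNotEquals operators, and the aws:PrincipalOrgID, aws:PrincipalAccount and acm-pca:TemplateArn keys. It evaluates the resource-based policy alone; real IAM also consults the caller's identity-based policies and organization SCPs, so a DENY here is final but an ALLOW here is only the resource-policy half of the decision. The member account ID 444455556666 and the "SomeOtherTemplate" ARN are constructed values.

```python
# Values transcribed from this page's policy2.json; the member account ID used
# in the usage section is constructed.
CA = "arn:aws-cn:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
END_ENTITY_TEMPLATE = "arn:aws-cn:acm-pca:::template/EndEntityCertificate/V1"
ORG_ID = "o-a1b2c3d4z5"
OWNER_ACCOUNT = "111122223333"
READ_ACTIONS = [
    "acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate",
    "acm-pca:GetCertificateAuthorityCertificate", "acm-pca:ListPermissions",
    "acm-pca:ListTags",
]

POLICY2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExampleStatementID3", "Effect": "Allow", "Principal": "*",
         "Action": "acm-pca:IssueCertificate", "Resource": CA,
         "Condition": {
             "StringEquals": {"acm-pca:TemplateArn": END_ENTITY_TEMPLATE,
                              "aws:PrincipalOrgID": ORG_ID},
             "StringNotEquals": {"aws:PrincipalAccount": OWNER_ACCOUNT}}},
        {"Sid": "ExampleStatementID4", "Effect": "Allow", "Principal": "*",
         "Action": READ_ACTIONS, "Resource": CA,
         "Condition": {
             "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
             "StringNotEquals": {"aws:PrincipalAccount": OWNER_ACCOUNT}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, ctx):
    """'*' matches anyone; an account-ID principal (policy1.json's form) is matched
    on aws:PrincipalAccount. Simplification: real IAM also needs an identity-based
    policy in the caller's account that allows the action."""
    if principal == "*":
        return True
    if isinstance(principal, dict) and "AWS" in principal:
        return ctx.get("aws:PrincipalAccount") in _as_list(principal["AWS"])
    return False


def _conditions_hold(condition, ctx):
    """StringEquals / StringNotEquals only (the operators used on this page).
    A key absent from the request context fails StringEquals and passes
    StringNotEquals, which is how IAM treats missing keys for these operators."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def is_allowed(policy, ctx, action, resource):
    """Evaluate one request against one resource-based policy: a matching Deny wins,
    otherwise any matching Allow grants, otherwise the implicit deny applies."""
    decision = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if resource not in _as_list(stmt["Resource"]):
            continue
        if not _principal_matches(stmt["Principal"], ctx):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    member = {"aws:PrincipalAccount": "444455556666", "aws:PrincipalOrgID": ORG_ID,
              "acm-pca:TemplateArn": END_ENTITY_TEMPLATE}
    other_template = "arn:aws-cn:acm-pca:::template/SomeOtherTemplate/V1"  # constructed
    cases = [
        ("org member, end-entity template", member, "acm-pca:IssueCertificate"),
        ("org member, other template",
         dict(member, **{"acm-pca:TemplateArn": other_template}), "acm-pca:IssueCertificate"),
        ("org member, RevokeCertificate (not granted)", member, "acm-pca:RevokeCertificate"),
        ("CA owner account via the resource policy",
         dict(member, **{"aws:PrincipalAccount": OWNER_ACCOUNT}), "acm-pca:GetCertificate"),
    ]
    for label, ctx, action in cases:
        print(f"{label}: {'ALLOW' if is_allowed(POLICY2, ctx, action, CA) else 'DENY'}")
```

The four cases show the three controls the policy layers on top of the CA ARN: the organization boundary (aws:PrincipalOrgID), the template restriction on IssueCertificate (acm-pca:TemplateArn), and the exclusion of the owning account (StringNotEquals on aws:PrincipalAccount), which keeps the owner's own access governed by its identity-based policies rather than by the share.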