Security best practices for Cross-account access to private CAs
An Amazon Private CA administrator can share a CA with principals (users, roles, etc.) in another Amazon account. Once a share has been received and accepted, the principal can use the CA to issue end-entity certificates through Amazon Private CA or Amazon Certificate Manager resources, and subordinate CA certificates through Amazon Private CA.
Important
Charges associated with a certificate issued in a cross-account scenario are billed to the Amazon account that issues the certificate.
To share access to a CA, Amazon Private CA administrators can choose either of the following methods:
- Use Amazon Resource Access Manager (RAM) to share the CA as a resource with a principal in another account or with Amazon Organizations. RAM is a standard method for sharing Amazon resources across accounts. For more information about RAM, see the Amazon RAM User Guide. For more information about Amazon Organizations, see the Amazon Organizations User Guide.
- Use the Amazon Private CA API or CLI to attach a resource-based policy to a CA, thereby granting access to a principal in another account. For more information, see Resource-based policies.
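As an added example (not part of the Amazon documentation), here is the second method as it would be typed into a POSIX shell with the AWS CLI: render a resource-based policy for a constructed consumer account that permits issuing only end-entity certificates (the `acm-pca:TemplateArn` condition keeps the share from being used to mint subordinate CA certificates), then attach it with `aws acm-pca put-policy`. The account IDs and CA ARN are placeholders.

```shell
#!/bin/sh
# Added example, not Amazon's own code. Placeholder IDs: 111122223333 owns the CA,
# 444455556666 is the account receiving access.

# Render the resource-based policy. Arguments: consumer account ID, CA ARN.
# Issuance is limited to the EndEntityCertificate/V1 template, so the consumer
# cannot request a subordinate CA certificate through this share.
render_ca_policy() {
  consumer_account="$1"
  ca_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEndEntityIssuanceOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${consumer_account}:root" },
      "Action": ["acm-pca:IssueCertificate"],
      "Resource": "${ca_arn}",
      "Condition": {
        "StringEquals": {
          "acm-pca:TemplateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
        }
      }
    },
    {
      "Sid": "AllowRetrievalOfIssuedCerts",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${consumer_account}:root" },
      "Action": ["acm-pca:GetCertificate", "acm-pca:ListPermissions"],
      "Resource": "${ca_arn}"
    }
  ]
}
EOF
}

# Attach the policy; run with credentials in the CA-owning account (111122223333).
apply_ca_policy() {
  consumer_account="$1"
  ca_arn="$2"
  policy_file="$(mktemp)"
  render_ca_policy "$consumer_account" "$ca_arn" > "$policy_file"
  aws acm-pca put-policy --resource-arn "$ca_arn" --policy "file://$policy_file"
  rm -f "$policy_file"
}
```

`aws acm-pca get-policy --resource-arn <CA ARN>` shows what is currently attached, which is worth checking before and after a change.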
The Control access to the private CA section of this guide provides workflows for granting access to CAs in both single-account and cross-account scenarios.