Security best practices for Cross-account access to private CAs - Amazon Private Certificate Authority


An Amazon Private CA administrator can share a CA with principals (users, roles, etc.) in another Amazon account. When a share has been received and accepted, the principal can use the CA to issue end-entity certificates using Amazon Private CA or Amazon Certificate Manager resources. The principal can use the CA to issue subordinate CA certificates using Amazon Private CA.

Important

Charges associated with a certificate issued in a cross-account scenario are billed to the Amazon account that issues the certificate.

To share access to a CA, Amazon Private CA administrators can choose either of the following methods:

  • Use Amazon Resource Access Manager (RAM) to share the CA as a resource with a principal in another account or with Amazon Organizations. RAM is a standard method for sharing Amazon resources across accounts. For more information about RAM, see the Amazon RAM User Guide. For more information about Amazon Organizations, see the Amazon Organizations User Guide.

  • Use the Amazon Private CA API or CLI to attach a resource-based policy to a CA, thereby granting access to a principal in another account. For more information, see Resource-based policies.

The Controlling access to a private CA section of this guide provides workflows for granting access to CAs in both single-account and cross-account scenarios.
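For the resource-based policy method above, the following added example (not code from this guide) builds a policy document of the kind passed to `aws acm-pca put-policy --policy` and checks it before it is attached. The account IDs, CA ARN, `arn:aws` partition prefix and the helper names `build_policy` and `lint_policy` are assumptions made for illustration; the check flags a wildcard principal and an `IssueCertificate` grant that is not limited to a certificate template, since a shared CA can issue both end-entity and subordinate CA certificates.

```python
import json

# Constructed sample values (placeholders, not from the guide). The partition
# prefix "arn:aws" is an assumption; use the one for your partition.
CA_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE-CA-ID"
CONSUMER_ACCOUNT = "444455556666"
END_ENTITY_TEMPLATE = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
READ_ACTIONS = ["acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate",
                "acm-pca:GetCertificateAuthorityCertificate",
                "acm-pca:ListPermissions", "acm-pca:ListTags"]

def build_policy(ca_arn, account_id, template_arn):
    """Let one account read the CA and issue only from the given template."""
    principal = {"AWS": account_id}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Read", "Effect": "Allow", "Principal": principal,
             "Action": READ_ACTIONS, "Resource": ca_arn},
            {"Sid": "Issue", "Effect": "Allow", "Principal": principal,
             "Action": "acm-pca:IssueCertificate", "Resource": ca_arn,
             "Condition": {"StringEquals": {"acm-pca:TemplateArn": template_arn}}},
        ],
    }

def lint_policy(policy):
    """Return findings for Allow statements broader than a scoped share."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        aws = st.get("Principal", {})
        aws = aws if isinstance(aws, str) else aws.get("AWS", [])
        principals = [aws] if isinstance(aws, str) else aws
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        issues = any(a in ("*", "acm-pca:*", "acm-pca:IssueCertificate")
                     for a in actions)
        cond = st.get("Condition", {}).get("StringEquals", {})
        if issues and "acm-pca:TemplateArn" not in cond:
            findings.append(f"{sid}: IssueCertificate without a TemplateArn condition")
    return findings

if __name__ == "__main__":
    policy = build_policy(CA_ARN, CONSUMER_ACCOUNT, END_ENTITY_TEMPLATE)
    print(json.dumps(policy, indent=2), lint_policy(policy))
```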