

# Security best practices for cross-account access to private CAs
<a name="pca-resource-sharing"></a>

An Amazon Private CA administrator can share a CA with principals (users, roles, etc.) in another Amazon Web Services account. When a share has been received and accepted, the principal can use the CA to issue end-entity certificates using Amazon Private CA or Amazon Certificate Manager resources. The principal can use the CA to issue subordinate CA certificates using Amazon Private CA.

**Important**  
Charges associated with a certificate issued in a cross-account scenario are billed to the Amazon account that issues the certificate.

To share access to a CA, Amazon Private CA administrators can choose either of the following methods:
+ Use Amazon Resource Access Manager (RAM) to share the CA as a resource with a principal in another account or with Amazon Organizations. RAM is a standard method for sharing Amazon resources across accounts. For more information about RAM, see the [Amazon RAM User Guide](https://docs.amazonaws.cn/ram/latest/userguide/). For more information about Amazon Organizations, see the [Amazon Organizations User Guide](https://docs.amazonaws.cn/organizations/latest/userguide/).
+ Use the Amazon Private CA API or CLI to attach a resource-based policy to a CA, thereby granting access to a principal in another account. For more information, see [Resource-based policies](pca-rbp.md).

The [Control access to the private CA](granting-ca-access.md) section of this guide provides workflows for granting access to CAs in both single-account and cross-account scenarios.
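
Before attaching a resource-based policy to a shared CA, it helps to review what the policy actually grants. The following is an added example, not code from this guide or from Amazon Private CA: a small audit that flags principals outside an allowlist, `IssueCertificate` grants with no template restriction, and grants that permit CA-issuing templates. The sample policy, account IDs, CA ARN, function names, and finding labels are constructed; it assumes templates are restricted with the `acm-pca:TemplateArn` condition key under `StringEquals`.

```python
import json
# Constructed sample: account IDs and the CA ARN are placeholders, not real resources.
CA = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "IssueEndEntity", "Effect": "Allow", "Principal": {"AWS": "555555555555"},
     "Action": "acm-pca:IssueCertificate", "Resource": CA,
     "Condition": {"StringEquals": {"acm-pca:TemplateArn":
         "arn:aws:acm-pca:::template/EndEntityCertificate/V1"}}},
    {"Sid": "IssueAnything", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "acm-pca:IssueCertificate", "Resource": CA},
    {"Sid": "IssueSubCA", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::999999999999:role/pki-admin"},
     "Action": "acm-pca:IssueCertificate", "Resource": CA,
     "Condition": {"StringEquals": {"acm-pca:TemplateArn":
         "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"}}},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_ca_policy(policy_json, trusted_accounts):
    """Return review findings for the Allow statements of a CA resource-based policy."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _as_list(aws):
            # A principal is "*", a bare account ID, or an IAM ARN (account ID is field 5).
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account not in trusted_accounts:
                findings.append((sid, "untrusted-principal", p))
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & {"*", "acm-pca:*", "acm-pca:issuecertificate"}:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            templates = _as_list(cond.get("acm-pca:TemplateArn", []))
            if not templates:
                findings.append((sid, "issue-without-template-condition", None))
            for t in templates:
                # Template names containing "CACertificate" issue CA certificates.
                if "CACertificate" in t.split("template/")[-1]:
                    findings.append((sid, "ca-template-allowed", t))
    return findings

if __name__ == "__main__":
    for finding in audit_ca_policy(SAMPLE_POLICY, {"555555555555"}):
        print(finding)
```

A `ca-template-allowed` finding is a prompt for review rather than an error: sharing a CA for subordinate CA issuance is supported, but it should be a deliberate decision.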