

# Identity and Access Management (IAM) for Amazon Private Certificate Authority
<a name="security-iam"></a>

Access to Amazon Private CA requires credentials that Amazon can use to authenticate your requests. The following topics provide details on how you can use [Amazon Identity and Access Management (IAM)](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction.html) to help secure your private certificate authorities (CAs) by controlling who can access them.

In Amazon Private CA, the primary resource that you work with is a *certificate authority (CA)*. Every private CA that you own or control is identified by an Amazon Resource Name (ARN), which has the following form. 

```
arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566
```

A *resource owner* is the *principal entity* of the Amazon account in which an Amazon resource is created. The following examples illustrate how this works. 
+ If you use the credentials of your Amazon Web Services account root user to create a private CA, your Amazon account owns the CA. 
**Important**  
We do not advise using an Amazon Web Services account root user to create CAs. 
We strongly recommend the use of multi-factor authentication (MFA) any time you access Amazon Private CA.
+ If you create an IAM user in your Amazon account, you can grant that user permission to create a private CA. However, the account to which that user belongs owns the CA. 
+ If you create an IAM role in your Amazon account and grant it permission to create a private CA, anyone who can assume the role can create the CA. However, the account to which the role belongs will own the private CA. 

A *permissions policy* describes who has access to what. The following discussion explains the available options for creating permissions policies. 
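As an added example (not part of the Amazon documentation), the following Python parses the CA ARN form shown above, reports the owning account, and audits a constructed IAM policy against one specific CA: Allow statements that grant `acm-pca:` actions on `Resource: "*"` instead of the CA's ARN, or without an MFA condition, are flagged, which is the least-privilege check the ownership and MFA notes above point toward. The action names and the `aws:MultiFactorAuthPresent` condition key are real IAM identifiers; the policy document, the `audit`/`allowed_actions` helpers and the sample ARN are constructed for illustration, and the wildcard matching is a simplified model of IAM resource matching (conditions other than MFA are ignored).

```python
"""Added example: parse Amazon Private CA ARNs and audit IAM statements
against a specific CA.  Not code from the Amazon documentation."""
import re
from dataclasses import dataclass

# Matches the ARN form shown on the page: partition, service acm-pca, region,
# 12-digit account id and the certificate-authority/<uuid> resource.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)?):acm-pca:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):certificate-authority/"
    r"(?P<ca_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)


@dataclass(frozen=True)
class CaArn:
    partition: str
    region: str
    account: str  # the Amazon account that owns the CA
    ca_id: str


def parse_ca_arn(arn: str) -> CaArn:
    """Split a private CA ARN into its parts; reject anything that is not one."""
    m = ARN_RE.match(arn)
    if m is None:
        raise ValueError(f"not a private CA ARN: {arn!r}")
    return CaArn(**m.groupdict())


def resource_matches(pattern: str, arn: str) -> bool:
    """Simplified IAM Resource matching: '*' matches any run of characters, '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def requires_mfa(statement: dict) -> bool:
    """True if the statement is gated on aws:MultiFactorAuthPresent being true."""
    cond = statement.get("Condition", {})
    for op in ("Bool", "BoolIfExists"):
        if str(cond.get(op, {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def allowed_actions(policy: dict, arn: str) -> set:
    """acm-pca actions that some Allow statement grants on this CA (conditions aside)."""
    parse_ca_arn(arn)  # fail early on a malformed ARN
    actions = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(resource_matches(r, arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        actions.update(a for a in _as_list(stmt.get("Action", [])) if a.startswith("acm-pca:"))
    return actions


def audit(policy: dict, arn: str) -> list:
    """Findings a reviewer would raise for statements that reach this CA:
    acm-pca rights on Resource '*' (not scoped to the CA) and rights without MFA."""
    parse_ca_arn(arn)
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(resource_matches(r, arn) for r in resources):
            continue
        pca_actions = [a for a in _as_list(stmt.get("Action", [])) if a.startswith("acm-pca:")]
        if not pca_actions:
            continue
        if "*" in resources:
            findings.append(f"statement {i}: acm-pca actions on Resource '*'; scope them to {arn}")
        if not requires_mfa(stmt):
            findings.append(f"statement {i}: acm-pca actions allowed without an MFA condition")
    return findings


# Sample CA ARN in the form shown on the page (constructed values).
CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:"
          "certificate-authority/11223344-1234-1122-2233-112233445566")

# Constructed policy: statement 0 is scoped to the CA and MFA-gated; statement 1 is neither.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["acm-pca:IssueCertificate", "acm-pca:GetCertificate"],
            "Resource": CA_ARN,
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": "acm-pca:DescribeCertificateAuthority",
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    print("owning account:", parse_ca_arn(CA_ARN).account)
    print("granted:", sorted(allowed_actions(SAMPLE_POLICY, CA_ARN)))
    for finding in audit(SAMPLE_POLICY, CA_ARN):
        print("finding:", finding)
```

Running the block prints the owning account taken from the ARN, the acm-pca actions the policy grants on that CA, and two findings against the second statement; the first statement, scoped to the CA ARN and gated on MFA, produces none.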

**Note**  
This documentation discusses using IAM in the context of Amazon Private CA. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the [IAM User Guide](https://docs.amazonaws.cn/IAM/latest/UserGuide/introduction.html). For information about IAM policy syntax and descriptions, see [Amazon IAM Policy Reference](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies.html). 