Customer managed permissions in RAM - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Customer managed permissions in RAM

In addition to the Amazon managed permissions available in RAM, Amazon Private CA supports RAM customer managed permissions (CMP). Customer managed permissions allow CA owners to define a custom set of actions that cross-account principals can perform on a shared CA, providing finer-grained access control than the default Amazon managed permissions.

The following actions are available for customer managed permissions on the acm-pca:certificate-authority resource type:

Read actions

  • acm-pca:DescribeCertificateAuthority – View CA configuration and status.

  • acm-pca:GetCertificate – Retrieve an issued certificate.

  • acm-pca:GetCertificateAuthorityCertificate – Retrieve the CA certificate and certificate chain.

  • acm-pca:ListPermissions – List permissions assigned to the CA.

  • acm-pca:ListTags – List tags associated with the CA.

Write actions

  • acm-pca:IssueCertificate – Issue a certificate from the shared CA.

  • acm-pca:RevokeCertificate – Revoke a previously issued certificate.

You can create customer managed permissions that include any combination of these actions, and only these actions. For example, you can create a read-only permission that excludes IssueCertificate and RevokeCertificate, an issuing permission that includes IssueCertificate but not RevokeCertificate, or a full-access permission that includes all seven actions. Grant shared principals only the actions they need; a principal that holds IssueCertificate on a shared CA can obtain certificates for any subject the CA's templates allow, so keep that action off of read-only permissions.
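As an added example (not code from the Amazon Private CA or RAM documentation), the following Python builds the policy template that RAM's CreatePermission API takes, restricted to the seven actions listed above, and shows a read-only, an issue-only, and a full-access variant. The policy-template shape (an Effect and an Action list, with RAM supplying the principal and resource) matches the RAM API; the resource type string `acm-pca:CertificateAuthority`, the permission names, and the use of boto3 are assumptions for illustration.

```python
"""Build and validate RAM customer managed permission (CMP) policy templates
for a shared Amazon Private CA.  Example code, not part of the AWS docs."""
import json

# The five read actions and two write actions the page lists for shared CAs.
READ_ACTIONS = (
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:GetCertificate",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:ListPermissions",
    "acm-pca:ListTags",
)
WRITE_ACTIONS = (
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
)
ALL_ACTIONS = READ_ACTIONS + WRITE_ACTIONS

# Assumed RAM resource type string for a private CA (labelled as an assumption).
CA_RESOURCE_TYPE = "acm-pca:CertificateAuthority"


def build_policy_template(actions):
    """Return the JSON policy template RAM expects for a CMP.

    RAM CMP templates carry only Effect and Action; RAM fills in the
    Principal and Resource when the permission is attached to a share.
    Any action outside the supported set is rejected before calling AWS.
    """
    requested = sorted(set(actions))
    unknown = [a for a in requested if a not in ALL_ACTIONS]
    if unknown:
        raise ValueError(f"actions not supported on a shared CA: {unknown}")
    return json.dumps({"Effect": "Allow", "Action": requested}, indent=2)


def read_only_template():
    """Read-only: every read action, no IssueCertificate/RevokeCertificate."""
    return build_policy_template(READ_ACTIONS)


def issuer_template():
    """Least-privilege issuer: can issue and fetch, but cannot revoke or
    enumerate permissions/tags."""
    return build_policy_template((
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificateAuthorityCertificate",
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
    ))


def full_access_template():
    """Full access: all seven supported actions."""
    return build_policy_template(ALL_ACTIONS)


def grants_write(policy_template):
    """True if the template allows any write action on the CA."""
    actions = set(json.loads(policy_template)["Action"])
    return bool(actions & set(WRITE_ACTIONS))


def create_permission(name, policy_template, resource_type=CA_RESOURCE_TYPE):
    """Create the CMP in RAM.  boto3 is imported here so the rest of the
    module works offline; this call needs AWS credentials (assumed)."""
    import boto3

    ram = boto3.client("ram")
    return ram.create_permission(
        name=name,
        resourceType=resource_type,
        policyTemplate=policy_template,
    )


if __name__ == "__main__":
    for label, tmpl in (("read-only", read_only_template()),
                        ("issuer", issuer_template()),
                        ("full-access", full_access_template())):
        print(f"--- {label} (write={grants_write(tmpl)}) ---")
        print(tmpl)
    # To create the permission for real (assumed names):
    # create_permission("PcaReadOnly", read_only_template())
```

The `grants_write` check is the kind of guard to run before attaching a permission to a resource share: it catches a template that accidentally includes IssueCertificate or RevokeCertificate when a read-only grant was intended.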

For more information about creating customer managed permissions, see Creating customer managed permissions in the Amazon RAM User Guide.