Actions, resources, and condition keys for Amazon Certificate Manager
Amazon Certificate Manager (service prefix: acm) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon Certificate Manager
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AddTagsToCertificate |
Tagging, Write |
|||
|
DeleteCertificate |
Write |
|||
|
DescribeCertificate |
Read |
|||
|
ExportCertificate |
Read |
|||
|
GetAccountConfiguration |
Read |
|||
|
GetCertificate |
Read |
|||
|
ImportCertificate |
Tagging, Write |
|||
Write |
||||
|
ListCertificates |
List |
|||
|
ListTagsForCertificate |
Read |
|||
|
ListTagsForResource |
Read |
|||
|
PutAccountConfiguration |
Write |
|||
|
RemoveTagsFromCertificate |
Tagging, Write |
|||
|
RenewCertificate |
Write |
|||
|
RequestCertificate |
Tagging, Write |
|||
Write |
||||
|
ResendValidationEmail |
Write |
|||
|
RevokeCertificate |
Write |
|||
|
SearchCertificates |
List |
|||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateCertificateOptions |
Write |
Actions defined by Amazon Certificate Manager
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in Amazon. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to add one or more tags to a certificate |
Tagging, Write |
|||
Grants permission to create an ACME domain validation |
Write |
|||
Grants permission to create an ACME endpoint |
Write |
|||
Grants permission to create an ACME external account binding |
Write |
|||
Grants permission to delete an ACME domain validation |
Write |
|||
Grants permission to delete an ACME endpoint |
Write |
|||
Grants permission to delete an ACME external account binding |
Write |
|||
Grants permission to delete a certificate and its associated private key |
Write |
|||
Grants permission to retrieve details of an ACME account |
Read |
|||
Grants permission to retrieve details of an ACME domain validation |
Read |
|||
Grants permission to retrieve details of an ACME endpoint |
Read |
|||
Grants permission to retrieve details of an ACME external account binding |
Read |
|||
Grants permission to retreive a certificates and its metadata |
Read |
|||
Grants permission to export an exportable certificate for use anywhere |
Read |
|||
Grants permission to retrieve account level configuration from Amazon Certificate Manager |
Read |
|||
Grants permission to retrieve credentials for an ACME external account binding |
Read |
|||
Grants permission to retrieve a certificate and certificate chain for a certificate ARN |
Read |
|||
Grants permission to import a 3rd party certificate into Amazon Certificate Manager (ACM) |
Write |
|||
Grants permission to list ACME accounts |
List |
|||
Grants permission to list ACME domain validations |
List |
|||
Grants permission to list ACME endpoints |
List |
|||
Grants permission to list ACME external account bindings |
List |
|||
Grants permission to retrieve a list of certificates for specific certificate parameters |
List |
|||
Grants permission to lists the tags that have been associated with a certificate |
Read |
|||
Grants permission to list tags for a resource |
Read |
|||
Grants permission to update account level configuration in Amazon Certificate Manager |
Write |
|||
Grants permission to remove one or more tags from a certificate |
Tagging, Write |
|||
Grants permission to renew an eligible private certificate |
Write |
|||
Grants permission to requests a public or private certificate |
Write |
|||
Grants permission to resend an email to request domain ownership validation |
Write |
|||
Grants permission to revoke an ACME account |
Write |
|||
Grants permission to revoke an ACME external account binding |
Write |
|||
Grants permission to revoke an exportable certificate |
Write |
|||
Grants permission to retrieve a list of certificates matching search criteria |
List |
|||
Grants permission to add tags to a resource |
Tagging, Write |
|||
Grants permission to remove tags from a resource |
Tagging, Write |
|||
Grants permission to update an ACME domain validation |
Write |
|||
Grants permission to update an ACME endpoint |
Write |
|||
Grants permission to update a certificate |
Write |
|||
Grants permission to update a certificate configuration. Use this to specify whether to opt in to or out of certificate transparency logging |
Write |
Resource types defined by Amazon Certificate Manager
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}/acme-domain-validation/${AcmeDomainValidationId} |
||
arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId} |
||
arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}/acme-external-account-binding/${ExternalAccountBindingId} |
||
arn:${Partition}:acm:${Region}:${Account}:certificate/${CertificateId} |
Condition keys for Amazon Certificate Manager
Amazon Certificate Manager defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by certificateAuthority in the request. Can be used to restrict which Certificate Authorites certificates can be issued from |
String |
|
Filters access by certificateKeyPairOrigin in the request. Can be used to restrict which certificate provisioning paths are permitted |
String |
|
Filters access by certificateTransparencyLogging option in the request. Default 'ENABLED' if no key is present in the request |
String |
|
Filters access by domainNames in the request. This key can be used to restrict which domains can be in certificate requests |
ArrayOfString |
|
Filters access by the export option in the request. Can be used to restrict creation of certificates that can be exported |
String |
|
Filters access by keyAlgorithm in the request |
String |
|
Filters access by validationMethod in the request. Default 'EMAIL' if no key is present in the request |
String |
|
Filters access by the presence of tag key-value pairs in the request |
String |
|
Filters access by tag key-value pairs attached to the resource |
String |
|
Filters access by the presence of tag keys in the request |
ArrayOfString |