Customer managed permissions in RAM - AWS Private Certificate Authority

Customer managed permissions in RAM

In addition to the AWS managed permissions available in RAM, AWS Private CA supports RAM customer managed permissions (CMP). Customer managed permissions allow CA owners to define a custom set of actions that cross-account principals can perform on a shared CA, providing finer-grained access control than the default AWS managed permissions.

The following actions are available for customer managed permissions on the acm-pca:certificate-authority resource type:

Read actions

  • acm-pca:DescribeCertificateAuthority – View CA configuration and status.

  • acm-pca:GetCertificate – Retrieve an issued certificate.

  • acm-pca:GetCertificateAuthorityCertificate – Retrieve the CA certificate and certificate chain.

  • acm-pca:ListPermissions – List permissions assigned to the CA.

  • acm-pca:ListTags – List tags associated with the CA.

Write actions

  • acm-pca:IssueCertificate – Issue a certificate from the shared CA.

  • acm-pca:RevokeCertificate – Revoke a previously issued certificate.

You can create customer managed permissions that include any combination of these actions. For example, you can create a read-only permission that excludes IssueCertificate and RevokeCertificate, or a full-access permission that includes all seven actions.
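The following is an added example, not code from the AWS documentation: a small Python helper that builds a RAM policy template from the actions listed above, rejects anything outside the seven supported actions, and checks whether a template grants either write action (so a permission meant to be read-only can be verified before it is created). It assumes the resource type string shown above and the boto3 `ram.create_permission` keyword names; the call itself is left as a comment.

```python
import json

# Actions AWS Private CA exposes for RAM customer managed permissions
# on the acm-pca:certificate-authority resource type (from the page).
READ_ACTIONS = (
    "acm-pca:DescribeCertificateAuthority",
    "acm-pca:GetCertificate",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:ListPermissions",
    "acm-pca:ListTags",
)
WRITE_ACTIONS = (
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
)
SUPPORTED_ACTIONS = frozenset(READ_ACTIONS + WRITE_ACTIONS)

# Resource type string as given on the page; assumed to be what RAM expects.
RESOURCE_TYPE = "acm-pca:certificate-authority"


def build_policy_template(actions):
    """Return the RAM policy template (a dict) for the given actions.

    Anything outside the seven supported actions is rejected, so a typo or an
    unrelated acm-pca action is caught before the CreatePermission call.
    """
    requested = set(actions)
    unsupported = requested - SUPPORTED_ACTIONS
    if unsupported:
        raise ValueError(f"not supported for CMP: {sorted(unsupported)}")
    if not requested:
        raise ValueError("a permission needs at least one action")
    # A RAM policy template carries only Effect and Action; RAM supplies
    # Principal and Resource when the CA is shared.
    return {"Effect": "Allow", "Action": sorted(requested)}


def grants_write(template):
    """True if the template lets a cross-account principal issue or revoke."""
    return any(a in WRITE_ACTIONS for a in template["Action"])


def create_permission_request(name, actions):
    """Keyword arguments for boto3 ram.create_permission (assumed names)."""
    return {
        "name": name,
        "resourceType": RESOURCE_TYPE,
        "policyTemplate": json.dumps(build_policy_template(actions)),
    }


if __name__ == "__main__":
    # Read-only permission: excludes IssueCertificate and RevokeCertificate.
    request = create_permission_request("PrivateCAReadOnly", READ_ACTIONS)
    print(json.dumps(request, indent=2))
    # To create it: boto3.client("ram").create_permission(**request)
```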

For more information about creating customer managed permissions, see Creating customer managed permissions in the AWS RAM User Guide.