

# Identity and Access Management (IAM) for AWS Private Certificate Authority
<a name="security-iam"></a>

 Access to AWS Private CA requires credentials that AWS can use to authenticate your requests. The following topics provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) to help secure your private certificate authorities (CAs) by controlling who can access them. 

In AWS Private CA, the primary resource that you work with is a *certificate authority (CA)*. Every private CA that you own or control is identified by an Amazon Resource Name (ARN), which has the following form. 

```
arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566
```

A *resource owner* is the *principal entity* of the AWS account in which an AWS resource is created. The following examples illustrate how this works. 
+ If you use the credentials of your AWS account root user to create a private CA, your AWS account owns the CA. 
**Important**  
We do not advise using an AWS account root user to create CAs. 
We strongly recommend the use of multi-factor authentication (MFA) any time you access AWS Private CA.
+ If you create an IAM user in your AWS account, you can grant that user permission to create a private CA. However, the account to which that user belongs owns the CA. 
+ If you create an IAM role in your AWS account and grant it permission to create a private CA, anyone who can assume the role can create the CA. However, the account to which the role belongs will own the private CA. 

A *permissions policy* describes who has access to what. The following discussion explains the available options for creating permissions policies. 

**Note**  
This documentation discusses using IAM in the context of AWS Private CA. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html). For information about IAM policy syntax and descriptions, see [AWS IAM Policy Reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html). 

# AWS Private CA API operations and permissions
<a name="api-permissions"></a>

When you set up access control and permissions policies that you plan to attach to an IAM identity (identity-based policies), use the following table as a reference. The first column in the table lists each AWS Private CA API operation. You specify actions in a policy's `Action` element. The remaining columns provide additional information.


| AWS Private CA API operations | Required permissions | Resources | 
| --- | --- | --- | 
|  [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)  |  `acm-pca:CreateCertificateAuthority` `acm-pca:TagCertificateAuthority` (Only required when creating a CA with tags.)  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [CreateCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html)  |  `acm-pca:CreateCertificateAuthorityAuditReport`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [CreatePermission](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreatePermission.html)  |  `acm-pca:CreatePermission`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [DeleteCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthority.html)  |  `acm-pca:DeleteCertificateAuthority`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [DeletePermission](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePermission.html)  |  `acm-pca:DeletePermission`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [DeletePolicy](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePolicy.html)  |  `acm-pca:DeletePolicy`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [DescribeCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html)  |  `acm-pca:DescribeCertificateAuthority`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [DescribeCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthorityAuditReport.html)  |  `acm-pca:DescribeCertificateAuthorityAuditReport`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)  |  `acm-pca:GetCertificate`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)  |  `acm-pca:GetCertificateAuthorityCertificate`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)  |  `acm-pca:GetCertificateAuthorityCsr`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [GetPolicy](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetPolicy.html)  |  `acm-pca:GetPolicy`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)  |  `acm-pca:ImportCertificateAuthorityCertificate`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)  |  `acm-pca:IssueCertificate`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [ListCertificateAuthorities](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html)  |  `acm-pca:ListCertificateAuthorities`  |  N/A  | 
|  [ListPermissions](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html)  |  `acm-pca:ListPermissions`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [ListTags](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListTags.html)  |  `acm-pca:ListTags`  |  N/A  | 
|  [PutPolicy](https://docs.aws.amazon.com/privateca/latest/APIReference/API_PutPolicy.html)  |  `acm-pca:PutPolicy`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html)  |  `acm-pca:RevokeCertificate`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [TagCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html)  |  `acm-pca:TagCertificateAuthority`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [UntagCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html)  |  `acm-pca:UntagCertificateAuthority`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 
|  [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html)  |  `acm-pca:UpdateCertificateAuthority`  |  `arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566`  | 

To provide access, add permissions to your users, groups, or roles:
+ Users and groups in AWS IAM Identity Center:

  Create a permission set. Follow the instructions in [Create a permission set](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html) in the *AWS IAM Identity Center User Guide*.
+ Users managed in IAM through an identity provider:

  Create a role for identity federation. Follow the instructions in [Create a role for a third-party identity provider (federation)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp.html) in the *IAM User Guide*.
+ IAM users:
  + Create a role that your user can assume. Follow the instructions in [Create a role for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html) in the *IAM User Guide*.
  + (Not recommended) Attach a policy directly to a user or add a user to a user group. Follow the instructions in [Adding permissions to a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-add-console) in the *IAM User Guide*.

# AWS managed policies
<a name="auth-AwsManagedPolicies"></a>

AWS Private CA includes a set of predefined AWS managed policies for AWS Private CA administrators, users, and auditors. Understanding these policies can help you implement [Customer managed policies](auth-CustManagedPolicies.md).

Choose any of the policies listed below to see details and sample policy code.

## AWSPrivateCAFullAccess
<a name="AWSPrivateCAFullAccess"></a>

Grants unrestricted administrative control.

For a JSON listing of the policy details, see [AWSPrivateCAFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAFullAccess.html).

## AWSPrivateCAReadOnly
<a name="AWSPrivateCAReadOnly"></a>

Grants access limited to read-only API operations.

For a JSON listing of the policy details, see [AWSPrivateCAReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAReadOnly.html).

## AWSPrivateCAPrivilegedUser
<a name="AWSPrivateCAPrivilegedUser"></a>

Grants the ability to issue and revoke CA certificates. This policy has no other administrative capabilities and no ability to issue end-entity certificates. Its permissions are mutually exclusive with those of the **User** policy. 

For a JSON listing of the policy details, see [AWSPrivateCAPrivilegedUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAPrivilegedUser.html).

## AWSPrivateCAUser
<a name="AWSPrivateCAUser"></a>

Grants the ability to issue and revoke end-entity certificates. This policy has no administrative capabilities and no ability to issue CA certificates. Its permissions are mutually exclusive with those of the **PrivilegedUser** policy.

For a JSON listing of the policy details, see [AWSPrivateCAUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAUser.html).

## AWSPrivateCAAuditor
<a name="AWSPrivateCAAuditor"></a>

Grants access to read-only API operations and permission to generate a CA audit report. 

For a JSON listing of the policy details, see [AWSPrivateCAAuditor](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAAuditor.html).

## AWSPrivateCAConnectorForKubernetesPolicy
<a name="AWSPrivateCAConnectorForKubernetesPolicy"></a>

Grants essential permissions for the AWS Private CA Connector for Kubernetes. 

For a JSON listing of the policy details, see [AWSPrivateCAConnectorForKubernetesPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAConnectorForKubernetesPolicy.html).

## Updates to AWS managed policies for AWS Private CA
<a name="managed-policy-updates"></a>

In the following table, view details about updates to AWS managed policies for AWS Private CA since the service began tracking these changes. For automatic alerts about all changes to AWS Private CA, subscribe to the RSS feed on the [Document History](dochistory.md) page.


**Managed policy changes**  

| Change | Description  | Date | 
| --- | --- | --- | 
|  New Policy: AWSPrivateCAConnectorForKubernetesPolicy  |  New managed policy introduced for use with AWS Private CA Connector for Kubernetes.  |  May 19, 2025  | 
|  AWSPrivateCAPrivilegedUser and AWSPrivateCAUser - Updated policy  |  Replaced `StringLike` with `ArnLike`, and `StringNotLike` with `ArnNotLike`. Updated the template ARN to include wildcards, changing `arn:aws:acm-pca:::template` to `arn:aws:acm-pca:*:*:template`.  |  January 22, 2025  | 
|  New policy names  |  Policy name prefixes were changed from `AWSCertificateManagerPrivateCA` to `AWSPrivateCA`. Functionality remains unchanged.  |  February 13, 2023  | 

# Customer managed policies
<a name="auth-CustManagedPolicies"></a>

As a best practice, don't use your AWS account root user to interact with AWS, including AWS Private CA. Instead use AWS Identity and Access Management (IAM) to create an IAM user, IAM role, or federated user. Create an administrator group and add yourself to it. Then log in as an administrator. Add additional users to the group as needed. 

Another best practice is to create a customer managed IAM policy that you can assign to users. Customer managed policies are standalone identity-based policies that you create and which you can attach to multiple users, groups, or roles in your AWS account. Such a policy restricts users to performing only the AWS Private CA actions that you specify. 

The following example [customer-managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html) allows a user to create a CA audit report. This is an example only. You can choose any AWS Private CA operations that you want. For more examples, see [Inline policies](auth-InlinePolicies.md). 

**To create a customer managed policy**

1. Sign in to the IAM console using the credentials of an AWS administrator.

1. In the navigation pane of the console, choose **Policies**.

1. Choose **Create policy**.

1. Choose the **JSON** tab.

1. Copy the following policy and paste it into the editor.

   ```
   {
      "Version":"2012-10-17",
      "Statement":[
         {
            "Effect":"Allow",
            "Action":"acm-pca:CreateCertificateAuthorityAuditReport",
            "Resource":"*"
         }
      ]
   }
   ```

1. Choose **Review policy**.

1. For **Name**, type `PcaListPolicy`.

1. (Optional) Type a description.

1. Choose **Create policy**.

An administrator can attach the policy to any IAM user to limit what AWS Private CA actions the user can perform. For ways to apply a permissions policy, see [Changing Permissions for an IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html) in the *IAM User Guide*.

# Inline policies
<a name="auth-InlinePolicies"></a>

Inline policies are policies that you create and manage and embed directly into a user, group, or role. The following policy examples show how to assign permissions to perform AWS Private CA actions. For general information about inline policies, see [Working with Inline Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/). You can use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the IAM API to create and embed inline policies. 

**Important**  
We strongly recommend the use of multi-factor authentication (MFA) any time you access AWS Private CA.

**Topics**
+ [Listing private CAs](#policy-list-pcas)
+ [Retrieving a private CA certificate](#policy-retrieve-pca)
+ [Importing a private CA certificate](#policy-import-pca-cert)
+ [Deleting a private CA](#policy-delete-pca)
+ [Tag-on-create: Attaching tags to a CA at the time of creation](#tag-on-create)
+ [Tag-on-create: Restricted tagging](#tag-on-create-restricted1)
+ [Controlling access to Private CA using tags](#tag-on-create-restricted2)
+ [Read-only access to AWS Private CA](#policy-pca-read-only)
+ [Full access to AWS Private CA](#policy-pca-full-access)

## Listing private CAs
<a name="policy-list-pcas"></a>

 The following policy allows a user to list all of the private CAs in an account. 

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"acm-pca:ListCertificateAuthorities",
         "Resource":"*"
      }
   ]
}
```

## Retrieving a private CA certificate
<a name="policy-retrieve-pca"></a>

 The following policy allows a user to retrieve a specific private CA certificate. 

```
{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:GetCertificateAuthorityCertificate",
      "Resource":"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
   }
}
```

## Importing a private CA certificate
<a name="policy-import-pca-cert"></a>

The following policy allows a user to import a private CA certificate. 

```
{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:ImportCertificateAuthorityCertificate",
      "Resource":"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
   }
}
```

## Deleting a private CA
<a name="policy-delete-pca"></a>

The following policy allows a user to delete a specific private CA.

```
{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":"acm-pca:DeleteCertificateAuthority",
      "Resource":"arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID"
   }
}
```

## Tag-on-create: Attaching tags to a CA at the time of creation
<a name="tag-on-create"></a>

The following policy allows a user to apply tags during CA creation.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "acm-pca:CreateCertificateAuthority",
            "acm-pca:TagCertificateAuthority"
         ],
         "Effect":"Allow",
         "Resource":"*"
      }
   ]
}
```

## Tag-on-create: Restricted tagging
<a name="tag-on-create-restricted1"></a>

The following tag-on-create policy *prevents* use of the key-value pair Environment=Prod during CA creation. Tagging with other key-value pairs is allowed. 

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"acm-pca:*",
         "Resource":"*"
      },
      {
         "Effect":"Deny",
         "Action":"acm-pca:TagCertificateAuthority",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/Environment":[
                  "Prod"
               ]
            }
         }
      }
   ]
}
```

## Controlling access to Private CA using tags
<a name="tag-on-create-restricted2"></a>

The following policy allows access only to CAs with the key-value pair Environment=PreProd. It also requires that new CAs include this tag. 

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:*"
         ],
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "aws:ResourceTag/Environment":[
                  "PreProd"
               ]
            }
         }
      }
   ]
}
```
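As an added example (not part of the AWS documentation), the following Python script simulates how IAM evaluates the two tag-based policies above: a statement applies only when its action, resource and condition all match, an explicit Deny overrides any Allow, and a request that no Allow statement covers is implicitly denied. The CA ARNs, the tag inventory and the `evaluate` helper are constructed for this example, and only the `StringEquals` operator and `aws:ResourceTag` condition keys used on this page are modelled.

```python
import fnmatch

# Constructed sample CA ARNs in the format shown at the top of this page.
CA_PREPROD = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
CA_PROD = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/aabbccdd-1234-1122-2233-112233445566"

# Constructed tag inventory standing in for the tags actually attached to each CA.
RESOURCE_TAGS = {
    CA_PREPROD: {"Environment": "PreProd"},
    CA_PROD: {"Environment": "Prod"},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    """All StringEquals keys must match; a key absent from the request never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, allowed in pairs.items():
            if key not in context or context[key] not in _as_list(allowed):
                return False
    return True

def _statement_applies(stmt, action, resource, context):
    """A statement applies when its action, resource and condition all match."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(r in ("*", resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)

def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny': an explicit Deny wins over any Allow, and a
    request that no Allow statement covers is implicitly denied."""
    tags = RESOURCE_TAGS.get(resource, {})
    context = {f"aws:ResourceTag/{k}": v for k, v in tags.items()}
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# "Controlling access to Private CA using tags" policy, copied from this page.
PREPROD_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["acm-pca:*"], "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Environment": ["PreProd"]}}}]}

# "Tag-on-create: Restricted tagging" policy, copied from this page.
NO_PROD_TAGGING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "acm-pca:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "acm-pca:TagCertificateAuthority", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": ["Prod"]}}}]}

if __name__ == "__main__":
    for action in ("acm-pca:IssueCertificate", "acm-pca:TagCertificateAuthority"):
        for ca in (CA_PREPROD, CA_PROD):
            print(action, RESOURCE_TAGS[ca], evaluate(PREPROD_ONLY, action, ca), evaluate(NO_PROD_TAGGING, action, ca))
```

Note that a request with no resource tags in its context (for example `acm-pca:ListCertificateAuthorities`, which has no CA resource) fails the `StringEquals` condition and is implicitly denied by the PreProd-only policy.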

## Read-only access to AWS Private CA
<a name="policy-pca-read-only"></a>

 The following policy allows a user to describe and list private certificate authorities and to retrieve the private CA certificate and certificate chain. 

```
{
   "Version":"2012-10-17",
   "Statement":{
      "Effect":"Allow",
      "Action":[
         "acm-pca:DescribeCertificateAuthority",
         "acm-pca:DescribeCertificateAuthorityAuditReport",
         "acm-pca:ListCertificateAuthorities",
         "acm-pca:ListTags",
         "acm-pca:GetCertificateAuthorityCertificate",
         "acm-pca:GetCertificateAuthorityCsr",
         "acm-pca:GetCertificate"
      ],
      "Resource":"*"
   }
}
```

## Full access to AWS Private CA
<a name="policy-pca-full-access"></a>

 The following policy allows a user to perform any AWS Private CA action. 

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "acm-pca:*"
         ],
         "Resource":"*"
      }
   ]
}
```