AWS acm medium security documentation change
Summary
Added IAM policy example to deny requesting exportable public certificates
Security assessment
Introduces security controls to prevent users from requesting exportable certificates, which could mitigate risks of unauthorized certificate duplication or misuse. Directly addresses certificate management security through policy enforcement.
Diff
diff --git a/acm/latest/userguide/security_iam_id-based-policy-examples.md b/acm/latest/userguide/security_iam_id-based-policy-examples.md index 9cf70bef5..2dbdbd297 100644 --- a//acm/latest/userguide/security_iam_id-based-policy-examples.md +++ b//acm/latest/userguide/security_iam_id-based-policy-examples.md @@ -5 +5 @@ -Policy best practicesUsing the consoleAllow users to view their own permissionsListing certificatesRetrieving a certificateImporting a certificateDeleting a certificate +Policy best practicesUsing the consoleAllow users to view their own permissionsListing certificatesRequest a certificateRetrieving a certificateImporting a certificateDeleting a certificate @@ -24,0 +25,2 @@ For details about actions and resource types defined by ACM, including the forma + * Request a certificate + @@ -118,0 +121,26 @@ This permission is required for ACM certificates to appear in the Elastic Load B +## Request a certificate + +The following policy denies a user from requesting ACM exportable public certificates. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyACMCertificateRequest", + "Effect": "Deny", + "Action": [ + "acm:RequestCertificate" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "acm:Export": "ENABLED" + } + } + } + ] + } +