AWS Security ChangesHomeSearch

AWS privateca documentation change

Service: privateca · 2025-06-28 · Documentation low

File: privateca/latest/userguide/auth-AwsManagedPolicies.md

Summary

Replaced inline JSON policy definitions with links to AWS managed policy references

Security assessment

The change removes verbose inline IAM policy JSON in favor of referencing managed policies. While this improves maintainability, there is no evidence it addresses a specific security vulnerability or adds new security documentation.

Diff

diff --git a/privateca/latest/userguide/auth-AwsManagedPolicies.md b/privateca/latest/userguide/auth-AwsManagedPolicies.md
index 7c249c256..328ca10bc 100644
--- a//privateca/latest/userguide/auth-AwsManagedPolicies.md
+++ b//privateca/latest/userguide/auth-AwsManagedPolicies.md
@@ -15,13 +15 @@ Grants unrestricted administrative control.
-    
-    {
-       "Version":"2012-10-17",
-       "Statement":[
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:*"
-             ],
-             "Resource":"*"
-          }
-       ]
-    }
+For a JSON listing of the policy details, see [AWSPrivateCAFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAFullAccess.html).
@@ -31,19 +19 @@ Grants access limited to read-only API operations.
-    
-    {
-       "Version":"2012-10-17",
-       "Statement":{
-          "Effect":"Allow",
-          "Action":[
-             "acm-pca:DescribeCertificateAuthority",
-             "acm-pca:DescribeCertificateAuthorityAuditReport",
-             "acm-pca:ListCertificateAuthorities",
-             "acm-pca:GetCertificateAuthorityCsr",
-             "acm-pca:GetCertificateAuthorityCertificate",
-             "acm-pca:GetCertificate",
-             "acm-pca:GetPolicy",
-             "acm-pca:ListPermissions",
-             "acm-pca:ListTags"
-          ],
-          "Resource":"*"
-       }
-    }
+For a JSON listing of the policy details, see [AWSPrivateCAReadOnly](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAReadOnly.html).
@@ -53,50 +23 @@ Grants ability to issue and revoke CA certificates. This policy has no other adm
-    
-    {
-       "Version":"2012-10-17",
-       "Statement":[
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:IssueCertificate"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*",
-             "Condition":{
-                "ArnLike":{
-                   "acm-pca:TemplateArn":[
-                      "arn:aws:acm-pca:*:*:template/*CACertificate*/V*"
-                   ]
-                }
-             }
-          },
-          {
-             "Effect":"Deny",
-             "Action":[
-                "acm-pca:IssueCertificate"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*",
-             "Condition":{
-                "ArnNotLike":{
-                   "acm-pca:TemplateArn":[
-                      "arn:aws:acm-pca:*:*:template/*CACertificate*/V*"
-                   ]
-                }
-             }
-          },
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:RevokeCertificate",
-                "acm-pca:GetCertificate",
-                "acm-pca:ListPermissions"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*"
-          },
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:ListCertificateAuthorities"
-             ],
-             "Resource":"*"
-          }
-       ]
-    }
+For a JSON listing of the policy details, see [AWSPrivateCAPrivilegedUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAPrivilegedUser.html).
@@ -106,50 +27 @@ Grant ability to issue and revoke end-entity certificates. This policy has no ad
-    
-    {
-       "Version":"2012-10-17",
-       "Statement":[
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:IssueCertificate"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*",
-             "Condition":{
-                "ArnLike":{
-                   "acm-pca:TemplateArn":[
-                      "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*"
-                   ]
-                }
-             }
-          },
-          {
-             "Effect":"Deny",
-             "Action":[
-                "acm-pca:IssueCertificate"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*",
-             "Condition":{
-                "ArnNotLike":{
-                   "acm-pca:TemplateArn":[
-                      "arn:aws:acm-pca:*:*:template/EndEntityCertificate/V*"
-                   ]
-                }
-             }
-          },
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:RevokeCertificate",
-                "acm-pca:GetCertificate",
-                "acm-pca:ListPermissions"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*"
-          },
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:ListCertificateAuthorities"
-             ],
-             "Resource":"*"
-          }
-       ]
-    }
+For a JSON listing of the policy details, see [AWSPrivateCAUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAUser.html).
@@ -159,28 +31 @@ Grant access to read-only API operations and permission to generate a CA audit r
-    
-    {
-       "Version":"2012-10-17",
-       "Statement":[
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:CreateCertificateAuthorityAuditReport",
-                "acm-pca:DescribeCertificateAuthority",
-                "acm-pca:DescribeCertificateAuthorityAuditReport",
-                "acm-pca:GetCertificateAuthorityCsr",
-                "acm-pca:GetCertificateAuthorityCertificate",
-                "acm-pca:GetCertificate",
-                "acm-pca:GetPolicy",
-                "acm-pca:ListPermissions",
-                "acm-pca:ListTags"
-             ],
-             "Resource":"arn:aws:acm-pca:*:*:certificate-authority/*"
-          },
-          {
-             "Effect":"Allow",
-             "Action":[
-                "acm-pca:ListCertificateAuthorities"
-             ],
-             "Resource":"*"
-          }
-       ]
-    }
+For a JSON listing of the policy details, see [AWSPrivateCAAuditor](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAAuditor.html).
@@ -190,15 +35 @@ Grants essential permissions for the AWS Private CA Connector for Kubernetes.
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "acm-pca:DescribeCertificateAuthority",
-                    "acm-pca:GetCertificate",
-                    "acm-pca:IssueCertificate"
-                ],
-                "Resource": "arn:aws:acm-pca:*:*:certificate-authority/*"
-            }
-        ]
-    }
+For a JSON listing of the policy details, see [AWSPrivateCAConnectorForKubernetesPolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSPrivateCAConnectorForKubernetesPolicy.html).