AWS privateca medium security documentation change
Summary
Modified IAM policy examples to use certificate authority ARNs without certificate-specific paths
Security assessment
Corrects IAM resource ARNs to scope permissions at the CA level rather than individual certificates. This prevents potential over-permission issues where policies might inadvertently grant certificate-level access when CA-level was intended, improving least-privilege adherence.
Diff
diff --git a/privateca/latest/userguide/pca-rbp.md b/privateca/latest/userguide/pca-rbp.md index 0843835cc..62e570081 100644 --- a//privateca/latest/userguide/pca-rbp.md +++ b//privateca/latest/userguide/pca-rbp.md @@ -83 +83 @@ JSON - "Resource": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID/certificate/certificate_ID" + "Resource": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID" @@ -94 +94 @@ JSON - "Resource": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID/certificate/certificate_ID", + "Resource": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/CA_ID",