AWS privateca documentation change
Summary
Updated cross-account revocation permissions documentation to recommend customer managed permissions approach and clarify AWS managed permissions approach
Security assessment
This change improves documentation about cross-account certificate revocation permissions, emphasizing the recommended customer managed permissions approach for better access control. It clarifies security best practices but doesn't indicate a specific security vulnerability was addressed.
Diff
diff --git a/privateca/latest/userguide/PcaRevokeCert.md b/privateca/latest/userguide/PcaRevokeCert.md index fa207cfa3..fecf15b51 100644 --- a//privateca/latest/userguide/PcaRevokeCert.md +++ b//privateca/latest/userguide/PcaRevokeCert.md @@ -19 +19,5 @@ Revoked certificates are always recorded in AWS Private CA audit reports. -For cross-account callers, a share with the `AWSRAMRevokeCertificateCertificateAuthority` permission is required. Revocation permissions are not included in `AWSRAMDefaultPermissionCertificateAuthority`. To enable revocation by cross-account issuers, the CA administrator must create two RAM shares, both pointing at the same CA: +For cross-account callers, revocation permissions are not included in `AWSRAMDefaultPermissionCertificateAuthority`. To enable revocation by cross-account issuers, the CA administrator can use either of the following approaches: + + * **Customer managed permission (recommended)** – Create a RAM customer managed permission that includes the `acm-pca:RevokeCertificate` action along with other required actions in a single resource share. For more information, see [Customer managed permissions in RAM](./pca-cmp.html). + + * **AWS managed permissions** – Create two RAM shares, both pointing at the same CA: