AWS Security ChangesHomeSearch

AWS privateca documentation change

Service: privateca · 2026-04-04 · Documentation low

File: privateca/latest/userguide/PcaRevokeCert.md

Summary

Updated cross-account revocation permissions documentation to recommend customer managed permissions approach and clarify AWS managed permissions approach

Security assessment

This change improves documentation about cross-account certificate revocation permissions, emphasizing the recommended customer managed permissions approach for better access control. It clarifies security best practices but doesn't indicate a specific security vulnerability was addressed.

Diff

diff --git a/privateca/latest/userguide/PcaRevokeCert.md b/privateca/latest/userguide/PcaRevokeCert.md
index fa207cfa3..fecf15b51 100644
--- a//privateca/latest/userguide/PcaRevokeCert.md
+++ b//privateca/latest/userguide/PcaRevokeCert.md
@@ -19 +19,5 @@ Revoked certificates are always recorded in AWS Private CA audit reports.
-For cross-account callers, a share with the `AWSRAMRevokeCertificateCertificateAuthority` permission is required. Revocation permissions are not included in `AWSRAMDefaultPermissionCertificateAuthority`. To enable revocation by cross-account issuers, the CA administrator must create two RAM shares, both pointing at the same CA:
+For cross-account callers, revocation permissions are not included in `AWSRAMDefaultPermissionCertificateAuthority`. To enable revocation by cross-account issuers, the CA administrator can use either of the following approaches:
+
+  * **Customer managed permission (recommended)** – Create a RAM customer managed permission that includes the `acm-pca:RevokeCertificate` action along with other required actions in a single resource share. For more information, see [Customer managed permissions in RAM](./pca-cmp.html).
+
+  * **AWS managed permissions** – Create two RAM shares, both pointing at the same CA: