AWS Security ChangesHomeSearch

AWS privateca documentation change

Service: privateca · 2026-04-04 · Documentation low

File: privateca/latest/userguide/UsingTemplates.md

Summary

Replaced specific template list with guidance on using policy conditions to restrict certificate templates for cross-account issuers

Security assessment

This change updates documentation to show how to use policy conditions (acm-pca:TemplateArn) to restrict certificate templates, which is a security feature for implementing least-privilege access. It provides more flexible security controls but doesn't indicate a specific security issue was fixed.

Diff

diff --git a/privateca/latest/userguide/UsingTemplates.md b/privateca/latest/userguide/UsingTemplates.md
index 561926770..195964cfb 100644
--- a//privateca/latest/userguide/UsingTemplates.md
+++ b//privateca/latest/userguide/UsingTemplates.md
@@ -13,16 +13 @@ If you use the CLI or API to issue a certificate, you can supply a template ARN
-AWS Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. Cross-account issuers are constrained by a resource-based policy and have access only to the following end-entity certificate templates:
-
-  * [EndEntityCertificate/V1](./template-definitions.html#EndEntityCertificate-V1)
-
-  * [EndEntityClientAuthCertificate/V1](./template-definitions.html#EndEntityClientAuthCertificate-V1)
-
-  * [EndEntityServerAuthCertificate/V1](./template-definitions.html#EndEntityServerAuthCertificate-V1)
-
-  * [BlankEndEntityCertificate_APIPassthrough/V1](./template-definitions.html#BlankEndEntityCertificate_APIPassthrough)
-
-  * [BlankEndEntityCertificate_APICSRPassthrough/V1](./template-definitions.html#BlankEndEntityCertificate_APICSRPassthrough)
-
-  * [SubordinateCACertificate_PathLen0/V1](./template-definitions.html#SubordinateCACertificate_PathLen0-V1)
-
-
-
+AWS Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. When you grant permission to the `IssueCertificate` action, you can restrict the certificate templates used for certificate issuance by adding a `acm-pca:TemplateArn` Condition to the policy.