AWS Security ChangesHomeSearch

AWS privateca documentation change

Service: privateca · 2026-04-04 · Documentation low

File: privateca/latest/userguide/pca-rbp.md

Summary

Updated resource-based policy documentation to emphasize customer managed permissions and template restriction via policy conditions

Security assessment

This change enhances security documentation by promoting customer managed permissions for least-privilege access and showing how to restrict certificate templates using policy conditions. It improves security guidance but doesn't address a specific security vulnerability.

Diff

diff --git a/privateca/latest/userguide/pca-rbp.md b/privateca/latest/userguide/pca-rbp.md
index 0d6b1e76a..89f64cb14 100644
--- a//privateca/latest/userguide/pca-rbp.md
+++ b//privateca/latest/userguide/pca-rbp.md
@@ -15,15 +15 @@ To view the list of AWS managed resource-based policies for AWS Private CA, navi
-AWS Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. Cross-account issuers are constrained by a resource-based policy and have access only to the following end-entity certificate templates:
-
-  * [EndEntityCertificate/V1](./template-definitions.html#EndEntityCertificate-V1)
-
-  * [EndEntityClientAuthCertificate/V1](./template-definitions.html#EndEntityClientAuthCertificate-V1)
-
-  * [EndEntityServerAuthCertificate/V1](./template-definitions.html#EndEntityServerAuthCertificate-V1)
-
-  * [BlankEndEntityCertificate_APIPassthrough/V1](./template-definitions.html#BlankEndEntityCertificate_APIPassthrough)
-
-  * [BlankEndEntityCertificate_APICSRPassthrough/V1](./template-definitions.html#BlankEndEntityCertificate_APICSRPassthrough)
-
-  * [SubordinateCACertificate_PathLen0/V1](./template-definitions.html#SubordinateCACertificate_PathLen0-V1)
-
-
+AWS Private CA also supports RAM customer managed permissions, which allow you to define a custom combination of actions from the following set: `DescribeCertificateAuthority`, `GetCertificate`, `GetCertificateAuthorityCertificate`, `ListPermissions`, `ListTags`, `IssueCertificate`, and `RevokeCertificate`. Customer managed permissions give you the flexibility to grant least-privilege access – for example, granting read-only access to some accounts while allowing others to issue and revoke certificates. For more information, see [Customer managed permissions in RAM](./pca-cmp.html).
@@ -30,0 +17 @@ AWS Certificate Manager (ACM) users with cross-account shared access to a privat
+AWS Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. When you grant permission to the `IssueCertificate` action, you can restrict the certificate templates used for certificate issuance by adding a `acm-pca:TemplateArn` Condition to the policy.
@@ -178 +165 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Cross-account access
+Customer managed permissions