AWS privateca documentation change
Summary
Updated resource-based policy documentation to emphasize customer managed permissions and template restriction via policy conditions
Security assessment
This change enhances security documentation by promoting customer managed permissions for least-privilege access and showing how to restrict certificate templates using policy conditions. It improves security guidance but doesn't address a specific security vulnerability.
Diff
diff --git a/privateca/latest/userguide/pca-rbp.md b/privateca/latest/userguide/pca-rbp.md index 0d6b1e76a..89f64cb14 100644 --- a//privateca/latest/userguide/pca-rbp.md +++ b//privateca/latest/userguide/pca-rbp.md @@ -15,15 +15 @@ To view the list of AWS managed resource-based policies for AWS Private CA, navi -AWS Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. Cross-account issuers are constrained by a resource-based policy and have access only to the following end-entity certificate templates: - - * [EndEntityCertificate/V1](./template-definitions.html#EndEntityCertificate-V1) - - * [EndEntityClientAuthCertificate/V1](./template-definitions.html#EndEntityClientAuthCertificate-V1) - - * [EndEntityServerAuthCertificate/V1](./template-definitions.html#EndEntityServerAuthCertificate-V1) - - * [BlankEndEntityCertificate_APIPassthrough/V1](./template-definitions.html#BlankEndEntityCertificate_APIPassthrough) - - * [BlankEndEntityCertificate_APICSRPassthrough/V1](./template-definitions.html#BlankEndEntityCertificate_APICSRPassthrough) - - * [SubordinateCACertificate_PathLen0/V1](./template-definitions.html#SubordinateCACertificate_PathLen0-V1) - - +AWS Private CA also supports RAM customer managed permissions, which allow you to define a custom combination of actions from the following set: `DescribeCertificateAuthority`, `GetCertificate`, `GetCertificateAuthorityCertificate`, `ListPermissions`, `ListTags`, `IssueCertificate`, and `RevokeCertificate`. Customer managed permissions give you the flexibility to grant least-privilege access – for example, granting read-only access to some accounts while allowing others to issue and revoke certificates. For more information, see [Customer managed permissions in RAM](./pca-cmp.html). @@ -30,0 +17 @@ AWS Certificate Manager (ACM) users with cross-account shared access to a privat +AWS Certificate Manager (ACM) users with cross-account shared access to a private CA can issue managed certificates that are signed by the CA. When you grant permission to the `IssueCertificate` action, you can restrict the certificate templates used for certificate issuance by adding a `acm-pca:TemplateArn` Condition to the policy. @@ -178 +165 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Cross-account access +Customer managed permissions