AWS acm documentation change
Summary
Added new 'acm:CertificateKeyPairOrigin' condition key and usage example
Security assessment
The change documents a new IAM condition key for granular access control based on certificate origin (AWS/ACME/Customer), enabling better security policies but not fixing existing vulnerabilities.
Diff
diff --git a/acm/latest/userguide/acm-conditions.md b/acm/latest/userguide/acm-conditions.md index f457412cc..8daeffe3b 100644 --- a//acm/latest/userguide/acm-conditions.md +++ b//acm/latest/userguide/acm-conditions.md @@ -7 +7 @@ -Supported conditions for ACMExample 1: Restricting validation methodExample 2: Preventing wildcard domainsExample 3: Restricting certificate domainsExample 4: Restricting key algorithmExample 5: Restricting certificate authority +Supported conditions for ACMExample 1: Restricting validation methodExample 2: Preventing wildcard domainsExample 3: Restricting certificate domainsExample 4: Restricting key algorithmExample 5: Restricting certificate authorityExample 6: Restricting actions by certificate key pair origin @@ -27,0 +28 @@ ACM API operations and supported conditions Condition Key | Supported ACM API Op +`acm:CertificateKeyPairOrigin` | [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html), [AddTagsToCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_AddTagsToCertificate.html), [RevokeCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RevokeCertificate.html) | String (`AWS_MANAGED`, `ACME`, `CUSTOMER_PROVIDED`) | Filter requests based on the certificate's key pair origin. For `RequestCertificate`, the value is always `AWS_MANAGED`. When requesting certificates through an ACME client, the value is `ACME`. For `AddTagsToCertificate` and `RevokeCertificate`, the value is read from the existing certificate. @@ -243,0 +245,21 @@ JSON +## Example 6: Restricting actions by certificate key pair origin + +The following policy allows tagging only on ACME certificates. This is useful when you want to restrict tagging operations to certificates issued through the ACME protocol. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "acm:AddTagsToCertificate", + "Resource": "*", + "Condition": { + "StringEquals": { + "acm:CertificateKeyPairOrigin": "ACME" + } + } + } + ] + } +