AWS Certificate Manager (IAM)
AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates.
Common permissions
- acm:ListCertificates
- acm:DescribeCertificate
- acm:GetCertificate
- acm:ListTagsForCertificate
- acm:GetAccountConfiguration
- acm:UpdateCertificateOptions
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListTagsForCertificate",
        "acm:GetAccountConfiguration",
        "acm:UpdateCertificateOptions"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid acm:* — grants full control including certificate deletion
- Avoid acm:DeleteCertificate — can break TLS/SSL for services using the certificate
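The two warnings above can be checked mechanically before a policy is attached. The following is an added example, not part of the original page: a static check that flags Allow statements granting acm:* or acm:DeleteCertificate, including through wildcards and NotAction. The function names and the second sample policy are constructed for illustration, and the check does not evaluate Deny statements or conditions that might override a grant.

```python
import re

RISKY_ACTION = "acm:DeleteCertificate"  # action the page's warnings single out

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; * and ? are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_acm_warnings(policy):
    """Return (statement index, pattern, reason) for each Allow that trips a warning."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant the risky actions
        for pattern in _as_list(stmt.get("Action")):
            if pattern == "*" or pattern.lower() == "acm:*":
                findings.append((i, pattern, "full control of ACM"))
            elif _matches(pattern, RISKY_ACTION):
                findings.append((i, pattern, "allows " + RISKY_ACTION))
        # Allow + NotAction grants everything that is not listed.
        excluded = _as_list(stmt.get("NotAction"))
        if excluded and not any(_matches(p, RISKY_ACTION) for p in excluded):
            findings.append((i, "NotAction", "allows " + RISKY_ACTION))
    return findings

# The page's least-privilege policy, plus a constructed policy for contrast.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["acm:ListCertificates", "acm:DescribeCertificate",
               "acm:GetCertificate", "acm:ListTagsForCertificate",
               "acm:GetAccountConfiguration", "acm:UpdateCertificateOptions"],
    "Resource": "*"}]}
CONSTRUCTED_RISKY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ACM:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["acm:Delete*", "acm:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "acm:DeleteCertificate", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]}

if __name__ == "__main__":
    for policy in (PAGE_POLICY, CONSTRUCTED_RISKY):
        print(find_acm_warnings(policy))
```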
Resources
API
full doc /v1/iam/acm