Hi Mohamed,
You can tag ACM certificates; fully detailed here: https://docs.aws.amazon.com/acm/latest/userguide/tags.html
Then, you can use those tags to control access to those certificates via IAM policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
Best,
Didier
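As an added illustration of the tag-based approach Didier describes (this is example policy text, not from the original answer): the user may only request certificates that carry an `Owner` tag equal to their own IAM user name, may only act on certificates already tagged that way, and is explicitly denied changing the `Owner` tag afterwards. The tag key `Owner`, the account id `111122223333` and the use of `${aws:username}` as the tag value are assumptions for this example; `acm:ListCertificates` has no resource-level scoping, so it is granted separately.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListingIsNotTagScoped",
      "Effect": "Allow",
      "Action": "acm:ListCertificates",
      "Resource": "*"
    },
    {
      "Sid": "NewCertificatesMustCarryOwnerTag",
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Owner": "${aws:username}" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Owner"] }
      }
    },
    {
      "Sid": "ManageOnlyOwnCertificates",
      "Effect": "Allow",
      "Action": [
        "acm:DescribeCertificate",
        "acm:GetCertificate",
        "acm:ListTagsForCertificate",
        "acm:DeleteCertificate"
      ],
      "Resource": "arn:aws:acm:*:111122223333:certificate/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/Owner": "${aws:username}" }
      }
    },
    {
      "Sid": "OwnerTagCannotBeChanged",
      "Effect": "Deny",
      "Action": [
        "acm:AddTagsToCertificate",
        "acm:RemoveTagsFromCertificate"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["Owner"] }
      }
    }
  ]
}
```

The explicit Deny matters because a second policy attached to the same principal could otherwise grant tagging rights and let the user re-tag a certificate into their own scope.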
Hi Mohamed, check these steps to resolve the issue:
IAM Policies with Resource ARNs
Create a Certificate Prefix:
Create a unique prefix (e.g., "user-created/") to prepend to all certificate names issued by this IAM user.
IAM User Policy:
Define an IAM policy for the user that allows actions only on certificates with the specific prefix. Here's an example policy using the AssumeRoleOnly action for simplicity (adjust actions based on your needs):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::<account-id>:role/<role-name>"
      ],
      "Condition": {
        "StringLike": {
          "aws:RequestPath": "/user/certs/user-created/*"
        }
      }
    }
  ]
}
```
Replace `arn:aws:iam::<account-id>:role/<role-name>` with your role ARN; the StringLike condition matches certificates with the prefix. (JSON does not allow inline comments, so the notes are kept outside the policy.)
IAM Role Policy:
- Create a separate IAM role that allows certificate management actions (e.g., iam:GetCertificate, iam:ListCertificates).
- Attach this role policy to the role referenced in the user policy above.
- Ensure this role policy restricts access to certificates based on the prefix using the same StringLike condition on aws:RequestPath.
For more, please follow these links to help you resolve the issue:
https://docs.aws.amazon.com/acm/latest/userguide/tags.html
https://docs.aws.amazon.com/acm/latest/userguide/security-iam-awsmanpol.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html
Hello @Garre Sandeep, thanks for your help. So you suggest adding the prefix to the name of the certificate? And regarding "aws:RequestPath", should it hold the path to the certificate?
If I already have a generated certificate attached to a thing, can I use ACM to add tags? Or do ACM certificates differ from the actual certificates used by the thing in my case? Best Regards, Mohamed Smaili