IAM policy to issue certificate for a specific sub domain name

0

I want to create an IAM policy that allows requesting an ACM certificate only for a specific subdomain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:RequestCertificate"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:DomainNames": ["*.abc.com"]
        }
      }
    }
  ]
}

When I request a private certificate with the domain name test.abc.com using a role with the policy above, I get an error saying that no identity-based policy allows the acm:RequestCertificate action.

Youez
Asked a month ago, 178 views
3 answers
3

Hi,

To allow the request of an ACM certificate for a specific subdomain using an IAM policy, you need to ensure that the IAM entity (user or role) making the request has the necessary permissions. In this case you only want to permit certificate requests for the test.abc.com subdomain.

Here is an IAM policy that allows requesting ACM certificates only for the test.abc.com subdomain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:DomainValidationOptions[0].DomainName": "*.test.abc.com"
        }
      }
    }
  ]
}

Explanation:

• Effect: Allow
• Action: acm:RequestCertificate allows the entity to request certificates.
• Resource: * allows the action on all ACM resources.
• Condition: This condition limits the action to only certificates where the domain name matches *.test.abc.com. The DomainValidationOptions[0].DomainName condition key ensures that the certificate is requested for the specified domain.

Attach this policy to the IAM user or role that you are using to request the ACM certificate. In addition, ensure that the IAM entity has the necessary permissions to carry out the necessary actions.

Answered a month ago
2
Accepted answer

Hi,

It looks like you may just be missing ForAllValues: from your policy, before the text StringLike. Since DomainNames is a list input parameter, it will need the above prefix for multi-valued context keys, as mentioned here.

Thanks

AWS-SUM (AWS EXPERT)
Answered a month ago
  • You are right, thanks.

  • Most welcome.
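To see why the set operator matters, here is an added example (not from the thread or from AWS) that builds the asker's policy with a chosen condition operator and evaluates it with a simplified model of IAM condition matching. It assumes IAM's StringLike wildcard semantics (`*` spans any characters, including dots) and, as a labelled assumption, treats a single-valued operator applied to the multivalued acm:DomainNames key as a non-match, which is consistent with the denial reported in the question.

```python
import re

def make_policy(operator: str) -> dict:
    """Build the asker's policy with the given condition operator.
    The accepted answer's fix is operator="ForAllValues:StringLike"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["acm:RequestCertificate"],
            "Resource": "*",
            "Condition": {operator: {"acm:DomainNames": ["*.abc.com"]}},
        }],
    }

def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters (dots included), '?' one character; case-sensitive.
    Note this is broader than an ACM wildcard certificate: '*.abc.com' also matches 'a.b.abc.com'."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_allows(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against request context keys (each a list of values).
    Only StringLike and its ForAllValues/ForAnyValue forms are modelled (assumption: simplified evaluator)."""
    for operator, key_map in condition.items():
        set_op, _, base_op = operator.rpartition(":")
        if base_op != "StringLike":
            raise ValueError(f"unsupported operator: {operator}")
        for key, patterns in key_map.items():
            values = context.get(key, [])
            matched = [any(string_like(p, v) for p in patterns) for v in values]
            if set_op == "ForAllValues":
                ok = all(matched)   # caveat: vacuously True when the key is absent from the request
            elif set_op == "ForAnyValue":
                ok = any(matched)   # one matching SAN is enough, so this is too weak for a restriction
            else:
                # Single-valued operator on a multivalued key is not a supported comparison.
                # Modelled as no match, matching the denial reported in the question (assumption).
                ok = False
            if not ok:
                return False
    return True

def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """True if some Allow statement covers the action and its conditions hold (Deny statements not modelled)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and action in stmt["Action"] \
                and condition_allows(stmt.get("Condition", {}), context):
            return True
    return False

if __name__ == "__main__":
    ctx = {"acm:DomainNames": ["test.abc.com"]}  # constructed request context
    print(is_allowed(make_policy("StringLike"), "acm:RequestCertificate", ctx))               # False
    print(is_allowed(make_policy("ForAllValues:StringLike"), "acm:RequestCertificate", ctx))  # True
```

Because acm:DomainNames carries the primary name and every subject alternative name, ForAllValues is the operator that actually restricts the whole certificate; ForAnyValue would pass as long as one name matches.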

1

To achieve your goal of allowing the request of ACM certificates only for a specific subdomain, you need to approach it differently. You can create a policy that allows requesting any certificate.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:DomainValidationOptions[0].ResourceRecord.Name": "*.abc.com"
        }
      }
    }
  ]
}

Note: When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com; it does not protect the bare or apex domain (example.com).

The use of the acm:DomainValidationOptions[0].DomainName context key in the condition is related to multi-context keys because it's accessing a specific attribute (DomainName) within an array (DomainValidationOptions) within the ACM service.

sandeep
Answered a month ago
