IAM policy to issue certificate for a specific sub domain name

0

I want to create IAM policy that allows the request of ACM certificate with only a specific sub domain

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm:RequestCertificate"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:DomainNames": ["*.abc.com"]
        }
      }
    }
  ]
}

When I request a private certificate with the domain name test.abc.com using a role with the policy above, I get an error saying that no identity-based policy allows the acm:RequestCertificate action.

3 Answers
3

Hi,

To allow the request of an ACM certificate for a specific subdomain using an IAM policy, you need to ensure that the IAM entity (user or role) making the request has the necessary permissions. In this case, you only want to permit requests for certificates for the subdomain test.abc.com.

Here is an IAM policy that allows requesting ACM certificates only for the test.abc.com subdomain.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:DomainValidationOptions[0].DomainName": "*.test.abc.com"
        }
      }
    }
  ]
}

Explanation:

Effect: Allow.
Action: acm:RequestCertificate allows the entity to request certificates.
Resource: * allows the action on all ACM resources.
Condition: This condition limits the action to only certificates where the domain name matches *.test.abc.com. The DomainValidationOptions[0].DomainName condition key ensures that the certificate is requested for the specified domain.

Attach this policy to the IAM user or role that you are using to request the ACM certificate. In addition, ensure that the IAM entity has the necessary permissions to carry out the necessary actions.

answered 11 days ago
2
Accepted Answer

Hi,

It looks like you may just be missing ForAllValues: from your policy before the text StringLike. Since DomainNames is a list input parameter, it will need that prefix for multi-valued context keys, as mentioned here.

Thanks

AWS-SUM (AWS, EXPERT)
answered 11 days ago
  • You are right thanks

  • most welcome.
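As an added illustration of the accepted answer (my own example, not code from the post or from AWS), here is a small Python simulation of how IAM evaluates StringLike with and without the ForAllValues set operator against the multivalued acm:DomainNames key. The two policy dicts are the questioner's policy and the corrected one; the evaluation rules are simplified assumptions based on the documented behaviour of multivalued context keys, not the real IAM engine.

```python
import re

# Added example, not from the post: an offline simulation of IAM StringLike evaluation
# on the multivalued acm:DomainNames key. Rules are simplified assumptions, not the IAM engine.
ORIGINAL_POLICY = {  # the questioner's policy: single-valued StringLike on a multivalued key
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "acm:RequestCertificate", "Resource": "*",
                   "Condition": {"StringLike": {"acm:DomainNames": ["*.abc.com"]}}}],
}
FIXED_POLICY = {  # the accepted answer's fix: the ForAllValues set operator
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "acm:RequestCertificate", "Resource": "*",
                   "Condition": {"ForAllValues:StringLike": {"acm:DomainNames": ["*.abc.com"]}}}],
}

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_matches(condition, context):
    """Evaluate a Condition block; every context value is a list, i.e. a multivalued key."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")  # "ForAllValues:StringLike" -> set_op, base
        if base != "StringLike":
            raise NotImplementedError(f"only StringLike is simulated, got {operator}")
        for key, patterns in pairs.items():
            values = context.get(key, [])
            if set_op == "ForAllValues":
                # Every requested name must match some pattern. An absent or empty key also
                # passes, which is why AWS warns that ForAllValues with Allow can be permissive.
                ok = all(any(string_like(p, v) for p in patterns) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(string_like(p, v) for p in patterns for v in values)
            else:
                # A single-valued operator on a multivalued key never matches in IAM,
                # which is the implicit deny the questioner observed.
                ok = False
            if not ok:
                return False
    return True

def is_allowed(policy, action, context):
    """True if some Allow statement covers the action and its condition matches."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and action in actions and condition_matches(stmt.get("Condition", {}), context):
            return True
    return False  # no matching Allow: implicit deny
```

It also shows the caveat a policy reviewer would flag: ForAllValues passes when the key is absent or empty, while a second SAN outside *.abc.com makes the whole request fail to match.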

1

To achieve your goal of allowing the request of ACM certificates only for a specific subdomain, you need to approach it differently. You can create a policy that allows requesting any certificate.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acm:RequestCertificate",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "acm:DomainValidationOptions[0].ResourceRecord.Name": "*.abc.com"
        }
      }
    }
  ]
}

Note When you request a wild-card certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com, and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com).

The use of the acm:DomainValidationOptions[0].DomainName context key in the condition is related to multi-context keys because it's accessing a specific attribute (DomainName) within an array (DomainValidationOptions) within the ACM service.

sandeep
answered 11 days ago
