AWS Private CA now supports customer managed permissions for cross-account sharing
AWS Private Certificate Authority (AWS Private CA) now supports customer managed permissions in AWS Resource Access Manager (AWS RAM). AWS Private CA lets you share certificate authorities (CAs) across accounts using AWS RAM so you can centralize your PKI instead of creating separate CAs in every account. With customer managed permissions, you can now select exactly which AWS Private CA API operations to allow when sharing a CA, granting only the specific operations each consuming account needs.
Previously, you could only use AWS managed permissions, which provide predefined sets of actions and restrict cross-account issuers to specific certificate templates. Now you can select from read operations (e.g., DescribeCertificateAuthority, GetCertificate, and GetCertificateAuthorityCertificate) and write operations (e.g., IssueCertificate and RevokeCertificate) to tailor access for each consuming account or organizational unit. With customer managed permissions, cross-account issuers are not restricted to a specific certificate template.
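The following script is an added example, not code from the AWS announcement: it builds a RAM customer managed permission policy template for each kind of consumer (read-only, issuer, issuer-plus-revoker) using only the Private CA operations named above, and emits the AWS CLI calls that would create the permission and share the CA. Assumptions not stated on the page: the RAM resource type for a private CA is `acm-pca:CertificateAuthority`, the API actions carry the `acm-pca:` prefix, and the CA ARN and account IDs are placeholders. No call reaches AWS unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the AWS announcement): least-privilege customer
# managed permissions for sharing an AWS Private CA through AWS RAM.
# Assumptions: resource type "acm-pca:CertificateAuthority", action prefix
# "acm-pca:", placeholder CA ARN and account IDs. Dry run unless APPLY=1.
set -eu

CA_ARN="${CA_ARN:-arn:aws:acm-pca:us-east-1:111111111111:certificate-authority/PLACEHOLDER-CA-ID}"
CONSUMER_ACCOUNT="${CONSUMER_ACCOUNT:-222222222222}"

# Operations grouped by what a consuming account actually does with the CA.
READ_ACTIONS="acm-pca:DescribeCertificateAuthority acm-pca:GetCertificate acm-pca:GetCertificateAuthorityCertificate"
ISSUE_ACTIONS="acm-pca:IssueCertificate"
REVOKE_ACTIONS="acm-pca:RevokeCertificate"

# actions_for ROLE -> space-separated list of actions that role needs
actions_for() {
  case "$1" in
    reader)  printf '%s' "$READ_ACTIONS" ;;
    issuer)  printf '%s %s' "$READ_ACTIONS" "$ISSUE_ACTIONS" ;;
    revoker) printf '%s %s %s' "$READ_ACTIONS" "$ISSUE_ACTIONS" "$REVOKE_ACTIONS" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# policy_template ROLE -> JSON policy template for `aws ram create-permission`
# (Effect and Action only; RAM fills in Principal and Resource at share time)
policy_template() {
  acts="$(actions_for "$1")" || return 1
  list=""
  for a in $acts; do
    list="${list:+$list,}\"$a\""
  done
  printf '{"Effect":"Allow","Action":[%s]}' "$list"
}

# has_action ROLE ACTION -> exit 0 if the role's template grants the action
has_action() {
  acts="$(actions_for "$1")" || return 1
  case " $acts " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# share_ca ROLE -> create the permission, then share the CA with it
share_ca() {
  role="$1"
  name="PrivateCA-${role}-access"
  tmpl="$(policy_template "$role")" || return 1
  if [ "${APPLY:-0}" = "1" ]; then
    # create-permission returns the permission ARN used by the share
    perm_arn="$(aws ram create-permission --name "$name" \
      --resource-type acm-pca:CertificateAuthority \
      --policy-template "$tmpl" \
      --query 'permission.arn' --output text)"
    aws ram create-resource-share --name "PrivateCA-share-${role}" \
      --resource-arns "$CA_ARN" --principals "$CONSUMER_ACCOUNT" \
      --permission-arns "$perm_arn"
  else
    echo "aws ram create-permission --name $name --resource-type acm-pca:CertificateAuthority --policy-template '$tmpl'"
    echo "aws ram create-resource-share --name PrivateCA-share-${role} --resource-arns $CA_ARN --principals $CONSUMER_ACCOUNT --permission-arns <arn returned by create-permission>"
  fi
}

# A monitoring account only needs to read; a workload account also issues.
share_ca reader
share_ca issuer
```

Each consumer gets its own permission rather than one permission that covers every account: the read-only template never includes IssueCertificate, and RevokeCertificate is confined to the `revoker` role, so compromise of a reader account cannot mint or revoke certificates from the shared CA.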
Customer managed permissions for AWS Private CA are available in all AWS Regions where AWS Private CA and AWS RAM are available. To learn more, see Customer managed permissions in RAM in the AWS Private CA User Guide and Creating and using customer managed permissions in the AWS RAM User Guide.