AWS Certificate Manager (acm)

2026-07-01

23 new actions, 3 new resources, 1 new condition | 2 updated actions

Additions

    Actions
  • CreateAcmeDomainValidation
    • Description:  Grants permission to create an ACME domain validation
    • Access:  Write
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

      aws:RequestTag/${TagKey}

      aws:TagKeys

    • Dependents: 

      route53:ChangeResourceRecordSets

      route53:GetHostedZone

  • CreateAcmeEndpoint
    • Description:  Grants permission to create an ACME endpoint
    • Access:  Write
    • Conditions: 

      aws:RequestTag/${TagKey}

      aws:TagKeys

  • CreateAcmeExternalAccountBinding
    • Description:  Grants permission to create an ACME external account binding
    • Access:  Write
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

      aws:RequestTag/${TagKey}

      aws:TagKeys

    • Dependents: 

      iam:PassRole

  • DeleteAcmeDomainValidation
    • Description:  Grants permission to delete an ACME domain validation
    • Access:  Write
    • Resources: 

      Name: acme-domain-validation

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

    • Dependents: 

      route53:ChangeResourceRecordSets

      route53:GetChange

  • DeleteAcmeEndpoint
    • Description:  Grants permission to delete an ACME endpoint
    • Access:  Write
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • DeleteAcmeExternalAccountBinding
    • Description:  Grants permission to delete an ACME external account binding
    • Access:  Write
    • Resources: 

      Name: acme-external-account-binding

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • DescribeAcmeAccount
    • Description:  Grants permission to retrieve details of an ACME account
    • Access:  Read
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • DescribeAcmeDomainValidation
    • Description:  Grants permission to retrieve details of an ACME domain validation
    • Access:  Read
    • Resources: 

      Name: acme-domain-validation

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • DescribeAcmeEndpoint
    • Description:  Grants permission to retrieve details of an ACME endpoint
    • Access:  Read
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • DescribeAcmeExternalAccountBinding
    • Description:  Grants permission to retrieve details of an ACME external account binding
    • Access:  Read
    • Resources: 

      Name: acme-external-account-binding

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • GetAcmeExternalAccountBindingCredentials
    • Description:  Grants permission to retrieve credentials for an ACME external account binding
    • Access:  Read
    • Resources: 

      Name: acme-external-account-binding

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • ListAcmeAccounts
    • Description:  Grants permission to list ACME accounts
    • Access:  List
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • ListAcmeDomainValidations
    • Description:  Grants permission to list ACME domain validations
    • Access:  List
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • ListAcmeEndpoints
    • Description:  Grants permission to list ACME endpoints
    • Access:  List
  • ListAcmeExternalAccountBindings
    • Description:  Grants permission to list ACME external account bindings
    • Access:  List
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • ListTagsForResource
    • Description:  Grants permission to list tags for a resource
    • Access:  Read
    • Resources: 

      Name: acme-domain-validation

      Required: No

      Name: acme-endpoint

      Required: No

      Name: acme-external-account-binding

      Required: No

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • RevokeAcmeAccount
    • Description:  Grants permission to revoke an ACME account
    • Access:  Write
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • RevokeAcmeExternalAccountBinding
    • Description:  Grants permission to revoke an ACME external account binding
    • Access:  Write
    • Resources: 

      Name: acme-external-account-binding

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • TagResource
    • Description:  Grants permission to add tags to a resource
    • Access:  Tagging
    • Resources: 

      Name: acme-domain-validation

      Required: No

      Name: acme-endpoint

      Required: No

      Name: acme-external-account-binding

      Required: No

    • Conditions: 

      aws:ResourceTag/${TagKey}

      aws:RequestTag/${TagKey}

      aws:TagKeys

  • UntagResource
    • Description:  Grants permission to remove tags from a resource
    • Access:  Tagging
    • Resources: 

      Name: acme-domain-validation

      Required: No

      Name: acme-endpoint

      Required: No

      Name: acme-external-account-binding

      Required: No

    • Conditions: 

      aws:ResourceTag/${TagKey}

      aws:TagKeys

  • UpdateAcmeDomainValidation
    • Description:  Grants permission to update an ACME domain validation
    • Access:  Write
    • Resources: 

      Name: acme-domain-validation

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • UpdateAcmeEndpoint
    • Description:  Grants permission to update an ACME endpoint
    • Access:  Write
    • Resources: 

      Name: acme-endpoint

      Required: Yes

    • Conditions: 

      aws:ResourceTag/${TagKey}

  • UpdateCertificate
    • Description:  Grants permission to update a certificate
    • Access:  Write
    • Resources: 

      Name: certificate

      Required: Yes

    • Conditions: 

      acm:CertificateKeyPairOrigin

    Resources
  • acme-endpoint
    • Arn:  arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}
    • Conditions: 

      aws:ResourceTag/${TagKey}

  • acme-domain-validation
    • Arn:  arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}/acme-domain-validation/${AcmeDomainValidationId}
    • Conditions: 

      aws:ResourceTag/${TagKey}

  • acme-external-account-binding
    • Arn:  arn:${Partition}:acm:${Region}:${Account}:acme-endpoint/${AcmeEndpointId}/acme-external-account-binding/${ExternalAccountBindingId}
    • Conditions: 

      aws:ResourceTag/${TagKey}

    Conditions
  • acm:CertificateKeyPairOrigin
    • Description:  Filters access by certificateKeyPairOrigin in the request. Can be used to restrict which certificate provisioning paths are permitted.
    • Type:  String

Updates