Minimum required permissions for AWS unified connectors
AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for AWS organization or account scope.
Organization scope
Make sure the AWS Account Management service is enabled for the AWS organization.
Create a user in the management account for the AWS organization, with the following permissions and inline custom policy.
Permissions
| Permission | Purpose |
|---|---|
| | List all member accounts in the organization. |
| | Access and manage certificates in AWS Certificate Manager (ACM). |
| | Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: |
Inline custom policy
Create an inline custom policy as shown below to access the AWS organization's member accounts from the management account via a common IAM role.
For the <Common IAM role name> parameter, provide the name of a common IAM role that provides access to ACM in all the member accounts. Use this same role name when configuring the AWS unified connector in DigiCert® Trust Lifecycle Manager.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:GetSessionToken",
        "sts:AssumeRole",
        "sts:GetAccessKeyInfo"
      ],
      "Resource": [
        "arn:aws:iam::*:role/<Common IAM role name>"
      ]
    }
  ]
}
```
Notice
By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.
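The inline policy above grants sts:AssumeRole only on roles whose name matches the common role, in any account. The following pre-flight script is an added example (not DigiCert's or AWS's code) that shows what that policy permits and how the management-account credentials are used: it checks, offline, whether a member-account role ARN falls under the policy's Resource pattern, and then, when boto3 and management-account credentials are available, lists the organization's member accounts, assumes the common role in each one and confirms ACM is reachable there. The account IDs and the session name are constructed placeholders; the default role name OrganizationAccountAccessRole is the one the notice above describes.

```python
"""Pre-flight check for an AWS unified connector configured for organization scope.

Added example, not part of the DigiCert documentation. Offline part: evaluate
the inline policy's Resource wildcard against a member-account role ARN.
Online part (needs boto3 and management-account credentials): assume the
common role in each ACTIVE member account and call ACM once.
"""
import fnmatch


def inline_policy(common_role_name: str) -> dict:
    """The inline custom policy from the documentation with the placeholder filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": ["sts:GetSessionToken", "sts:AssumeRole", "sts:GetAccessKeyInfo"],
                "Resource": [f"arn:aws:iam::*:role/{common_role_name}"],
            }
        ],
    }


def member_role_arn(account_id: str, common_role_name: str) -> str:
    """ARN of the common IAM role inside one member account."""
    return f"arn:aws:iam::{account_id}:role/{common_role_name}"


def policy_allows_assume(policy: dict, role_arn: str) -> bool:
    """True if some Allow statement grants sts:AssumeRole on role_arn.

    IAM resource and action patterns use '*' and '?' wildcards; fnmatch
    implements the same matching for ARNs (which never contain '['), and
    action names are compared case-insensitively as IAM does.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            return True
    return False


def check_member_accounts(common_role_name: str, region: str = "us-east-1") -> list:
    """Assume the common role in every ACTIVE member account and try one ACM call.

    Returns [(account_id, reachable), ...]. boto3 is imported here so the
    offline checks above need no extra package. The session name is a
    constructed placeholder; pick one that is recognisable in CloudTrail.
    """
    import boto3  # assumption: boto3 installed and management-account credentials configured

    org = boto3.client("organizations")
    sts = boto3.client("sts")
    results = []
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Status"] != "ACTIVE":
                continue
            arn = member_role_arn(acct["Id"], common_role_name)
            try:
                creds = sts.assume_role(RoleArn=arn, RoleSessionName="tlm-connector-preflight")["Credentials"]
                acm = boto3.client(
                    "acm",
                    region_name=region,
                    aws_access_key_id=creds["AccessKeyId"],
                    aws_secret_access_key=creds["SecretAccessKey"],
                    aws_session_token=creds["SessionToken"],
                )
                acm.list_certificates(MaxItems=1)  # any successful ACM call proves the role works
                results.append((acct["Id"], True))
            except Exception as exc:  # AccessDenied, missing role, throttling: report and keep going
                print(f"{acct['Id']}: {exc}")
                results.append((acct["Id"], False))
    return results


if __name__ == "__main__":
    role = "OrganizationAccountAccessRole"
    policy = inline_policy(role)
    # Constructed account IDs: the wildcard covers any account, but only that role name.
    print(policy_allows_assume(policy, member_role_arn("111122223333", role)))   # True
    print(policy_allows_assume(policy, member_role_arn("111122223333", "Admin")))  # False
    # Uncomment with real credentials to run the live check:
    # print(check_member_accounts(role))
```

The offline check is the useful part when reviewing a custom role name: it shows that the policy scopes the user to a single role name across all accounts rather than to specific accounts, which is why the same name has to exist in every member account and be used in the connector configuration.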
Account scope
Create an IAM user in the AWS account, with the following permissions.
| Permission | Purpose |
|---|---|
| | Access and manage certificates in AWS Certificate Manager (ACM). |
| | Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that: |