Skip to main content

Minimum required permissions for AWS unified connectors

AWS unified connectors require credentials for an AWS user with the following permissions, depending on whether the connector is configured for AWS organization or account scope.

Organization scope

Make sure the AWS Account Management service is enabled for the AWS organization.

Create a user in the management account for the AWS organization, with the following permissions and inline custom policy.

Permissions

Permission

Purpose

AWSOrganizationsReadOnlyAccess

List all member accounts in the organization.

AWSCertificateManagerFullAccess

Access and manage certificates in AWS Certificate Manager (ACM).

SecretsManagerReadWrite

Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:

  • This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.

  • Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.

Inline custom policy

Create an inline custom policy as shown below to access the AWS organization's member accounts from the management account via a common IAM role.

For the <Common IAM role name> parameter, provide the name of a common IAM role that provides access to ACM in all the member accounts. Use this same role name when configuring the AWS unified connector in DigiCert​​®​​ Trust Lifecycle Manager.

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "sts:GetSessionToken",
               "sts:AssumeRole",
               "sts:GetAccessKeyInfo"
            ],
            "Resource": [
               "arn:aws:iam::*:role/<Common IAM role name>"
            ]
       }
   ]
}

Aviso

By default, all member accounts in an AWS organization have a common IAM role named OrganizationAccountAccessRole. You can use this default IAM role to set up the integration, or you can create a custom IAM role and apply it to all the member accounts.

Account scope

Create an IAM user in the AWS account, with the following permissions.

Permission

Purpose

AWSCertificateManagerFullAccess

Access and manage certificates in AWS Certificate Manager (ACM).

SecretsManagerReadWrite

Temporarily store private keys in AWS Secrets Manager before delivering issued certificates and their private keys to ACM. Note that:

  • This permission is optional. If omitted, the managing DigiCert sensor is used for temporary key storage instead of AWS Secrets Manager.

  • Temporary keys get automatically deleted once certificates are issued and delivered to ACM along with their private keys.