Skip to main content

Granular permissions for AWS connectors

For ease of setup and maintenance, DigiCert recommends using AWS-managed permissions to configure access for AWS unified connectors. For details, see AWS Certificate Manager(ACM).

As an alternative, you can use granular AWS permissions. The required permissions depend on the scope of the connector (organization or account scope).

Required permissions

To use the management account to authenticate an AWS unified connector with organization scope, using granular permissions:

  1. Make sure the AWS Account Management service is enabled for the AWS organization.

  2. Create a user in the management account for the AWS organization, and apply a custom policy with the following permissions:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "organizations:ListAccounts",
                    "organizations:ListAccountsForParent",
                    "organizations:ListChildren",
                    "organizations:ListParents",
                    "organizations:ListOrganizationalUnitsForParent",
                    "organizations:ListRoots",
                    "organizations:DescribeAccount",
                    "organizations:DescribeOrganization",
                    "organizations:DescribeOrganizationalUnit",
                    "account:ListRegions",
                    "acm:ListCertificates",
                    "acm:DescribeCertificate",
                    "acm:GetCertificate",
                    "acm:ListTagsForCertificate",
                    "acm:ImportCertificate",
                    "acm:AddTagsToCertificate",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes",
                    "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
                    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                    "elasticloadbalancing:DescribeListenerAttributes",
                    "elasticloadbalancing:DescribeListenerCertificates",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeSSLPolicies",
                    "elasticloadbalancing:AddListenerCertificates",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:ModifyListenerAttributes",
                    "elasticloadbalancing:RemoveListenerCertificates",
                    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "cloudfront:ListDistributions",
    		"cloudfront:GetDistribution",
    		"cloudfront:UpdateDistribution",
                    "iam:ListServerCertificates",
                    "iam:ListServerCertificateTags",
                    "iam:ListSigningCertificates",
                    "iam:GetServerCertificate",
                    "secretsmanager:ListSecrets",
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:ListSecretVersionIds",
                    "secretsmanager:DeleteSecret",
                    "secretsmanager:CreateSecret",
                    "secretsmanager:PutSecretValue",
                    "sts:AssumeRole",
                    "sts:GetSessionToken",
                    "sts:GetAccessKeyInfo"
                ],
                "Resource": [
                    "*"
                ]
            }
        ]
    }
  3. Create a common IAM role to use for setting up access to the member accounts. You will provide this role name when configuring the AWS unified connector in Trust Lifecycle Manager. Apply the role to all the member accounts to manage, and configure it with the following permissions:

To use a member (non-management) account to authenticate an AWS unified connector with organization scope, using granular permissions:

  1. Make sure the AWS Account Management service is enabled for the AWS organization.

  2. Create a user in the member account to use for authentication, with the following properties:

    • Apply a custom policy with the following minimum set of permissions:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement1",
                  "Effect": "Allow",
                  "Action": [
                      "organizations:DescribeOrganization",
                      "organizations:DescribeOrganizationalUnit",
                      "sts:AssumeRole",
                      "sts:GetSessionToken",
                      "sts:GetAccessKeyInfo"
                  ],
                  "Resource": [
                      "*"
                  ]
              }
          ]
      }
    • (Optional) To discover certificates in the member account used for authentication, also add the following permissions to the custom policy:

      "acm:ListCertificates",
      "acm:DescribeCertificate",
      "acm:GetCertificate",
      "acm:ListTagsForCertificate",
      "acm:ImportCertificate",
      "acm:AddTagsToCertificate",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:ModifyLoadBalancerAttributes",
      "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
      "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
      "elasticloadbalancing:DescribeListenerAttributes",
      "elasticloadbalancing:DescribeListenerCertificates",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeSSLPolicies",
      "elasticloadbalancing:AddListenerCertificates",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:ModifyListenerAttributes",
      "elasticloadbalancing:RemoveListenerCertificates",
      "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
      "elasticloadbalancing:DescribeAccountLimits",
      "cloudfront:ListDistributions",
      "cloudfront:GetDistribution",
      "cloudfront:UpdateDistribution",
      "iam:ListServerCertificates",
      "iam:ListServerCertificateTags",
      "iam:ListSigningCertificates",
      "iam:GetServerCertificate",
      "secretsmanager:ListSecrets",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecretVersionIds",
      "secretsmanager:DeleteSecret",
      "secretsmanager:CreateSecret",
      "secretsmanager:PutSecretValue"
  3. Create a custom role (for example, CrossAccountAccess) in the management account, with the following properties:

    • Trusts the user account created in step 2.

    • Create a custom policy with the following minimum set of permissions and map it to the custom role:

      "organizations:ListAccounts",
      "organizations:ListAccountsForParent",
      "organizations:ListChildren",
      "organizations:ListParents",
      "organizations:ListOrganizationalUnitsForParent",
      "organizations:ListRoots",
      "organizations:DescribeAccount",
      "organizations:DescribeOrganization",
      "organizations:DescribeOrganizationalUnit",
      "account:ListRegions"
    • (Optional) To discover certificates in the management account itself, also add the following permissions to the custom policy:

      "acm:ListCertificates",
      "acm:DescribeCertificate",
      "acm:GetCertificate",
      "acm:ListTagsForCertificate",
      "acm:ImportCertificate",
      "acm:AddTagsToCertificate",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:ModifyLoadBalancerAttributes",
      "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
      "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
      "elasticloadbalancing:DescribeListenerAttributes",
      "elasticloadbalancing:DescribeListenerCertificates",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeSSLPolicies",
      "elasticloadbalancing:AddListenerCertificates",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:ModifyListenerAttributes",
      "elasticloadbalancing:RemoveListenerCertificates",
      "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
      "elasticloadbalancing:DescribeAccountLimits",
      "cloudfront:ListDistributions",
      "cloudfront:GetDistribution",
      "cloudfront:UpdateDistribution",
      "iam:ListServerCertificates",
      "iam:ListServerCertificateTags",
      "iam:ListSigningCertificates",
      "iam:GetServerCertificate",
      "secretsmanager:ListSecrets",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecretVersionIds",
      "secretsmanager:DeleteSecret",
      "secretsmanager:CreateSecret",
      "secretsmanager:PutSecretValue"
  4. Create a custom role in all the child accounts to manage through the connector, with the following properties:

    • Same name as the custom role created in the management account in step 3.

    • Trusts the user account created in step 2.

    • Includes the following permissions:

To authenticate an AWS unified connector with account scope, create an IAM user in the AWS account and apply a custom policy with the following permissions:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Action": [
                                "acm:ListCertificates",
				"acm:DescribeCertificate",
				"acm:GetCertificate",
				"acm:ListTagsForCertificate",
				"acm:ImportCertificate",
				"acm:AddTagsToCertificate",
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:ModifyLoadBalancerAttributes",
				"elasticloadbalancing:SetLoadBalancerListenerSSLCertificate",
				"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
				"elasticloadbalancing:DescribeListenerAttributes",
				"elasticloadbalancing:DescribeListenerCertificates",
				"elasticloadbalancing:DescribeListeners",
				"elasticloadbalancing:DescribeLoadBalancerAttributes",
				"elasticloadbalancing:DescribeSSLPolicies",
				"elasticloadbalancing:AddListenerCertificates",
				"elasticloadbalancing:ModifyListener",
				"elasticloadbalancing:ModifyListenerAttributes",
				"elasticloadbalancing:RemoveListenerCertificates",
				"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                                "elasticloadbalancing:DescribeAccountLimits",
                                "cloudfront:ListDistributions",
				"cloudfront:GetDistribution",
				"cloudfront:UpdateDistribution",
				"iam:ListServerCertificates",
				"iam:ListServerCertificateTags",
				"iam:ListSigningCertificates",
				"iam:GetServerCertificate",	
				"secretsmanager:ListSecrets",
				"secretsmanager:GetSecretValue",
				"secretsmanager:ListSecretVersionIds",
				"secretsmanager:DeleteSecret",
				"secretsmanager:CreateSecret",
				"secretsmanager:PutSecretValue"
			],
			"Resource": [
				"*"
			]
		}
	]
}