AWS Private Certificate Authority (CA) Configuration for Secure Access | Exam Prep

Configure Access to Private CA Certificates | AWS Certified Security - Specialty

Question

As an AWS consultant, you need to help the team create a private Certificate Authority (CA) in ACM.

The certificates generated from the CA are used for internal API endpoints.

For security purposes, you need to control the access to the private CA.

For example, most users should only have read access to the private CA certificates.

What is the most suitable way for you to configure the access?

Answers

Explanations


Correct Answer - C.

ACM Private CA integrates with IAM to configure access.

Please refer to:

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaAuthAccess.html

Option A is incorrect: Because there is no such thing as an "ACM private CA policy" that you create and associate with a CA.

You need to use IAM policies to control who can access private CAs.

Option B is incorrect: Because a KMS key policy controls access to a KMS key, not to a private Certificate Authority. The CA's private key is held by the service in AWS-managed HSMs and is not a KMS key you administer.

Option C is CORRECT: Because an IAM identity-based policy that grants only the describe, list, and get actions in the acm-pca namespace is the right way to give IAM entities read-only access to the private CA.

Option D is incorrect: Certificates in ACM do not have resource policies, so there is nothing to attach the policy to. (The private CA itself can carry a resource-based policy, but that is used to share the CA with other accounts, not to define read-only access for users in the same account.)

A closer look at each option:

Option A suggests creating an "ACM private CA policy", associating it with the private Certificate Authority, and listing read-only actions for IAM entities in a "Principal" field. No such policy type exists. A "Principal" element belongs to a resource-based policy, and ACM does not offer a standalone policy object for granting read access to a CA. Who may describe, list, or read a private CA is decided by IAM: identity-based policies attached to the users, groups, or roles that need the access.

Option B suggests managing a key policy in AWS KMS and using it to control access to the private CA certificates. A KMS key policy governs a KMS key, not a Private CA. The CA's signing key is generated and stored by the service in AWS-managed HSMs and is never exposed as a KMS key, so there is no key policy to edit. What needs authorizing is the set of acm-pca API calls, and IAM is what authorizes them.

Option C suggests creating an IAM policy that allows the IAM entities to describe, list, and get the private CA and its certificates. This is the correct approach. ACM Private CA authorizes every API call through IAM, so an identity-based policy that grants only the read actions in the acm-pca namespace (for example acm-pca:DescribeCertificateAuthority, acm-pca:GetCertificateAuthorityCertificate, acm-pca:GetCertificate, and acm-pca:ListCertificateAuthorities) gives most users read-only access while withholding acm-pca:IssueCertificate, acm-pca:RevokeCertificate, and the CA management actions. Scope the Resource element to the specific CA ARNs for least privilege, and check the policy for wildcards such as acm-pca:* that would silently grant issuance or revocation. AWS also publishes a managed read-only policy, AWSCertificateManagerPrivateCAReadOnly, that can be attached instead of a custom one. Verify the result with the IAM policy simulator before rolling it out.

Option D suggests configuring a resource policy and attaching it to the CA certificate in ACM. Certificates in ACM do not carry resource policies, so the policy has nowhere to go. A private CA itself can carry a resource-based policy, but that mechanism exists to share the CA with other accounts (typically through AWS RAM), not to define read-only access for users in the same account, which remains an IAM concern.

In conclusion, option C is the most suitable way to configure the access to the private Certificate Authority (CA) in ACM: IAM identity-based policies that grant only the describe, list, and get actions on the private CA, scoped to the CA ARNs in question.
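As an added example that is not part of the original page, the read-only identity-based policy that option C describes, placed beside a deliberately over-broad one and a broad policy rescued by an explicit Deny, with a small local evaluator written here that mimics IAM's decision order (explicit Deny wins, then any matching Allow, otherwise implicit deny) so the three can be compared offline. The account ID and CA ARN are made-up placeholders, and the evaluator is a simplification for illustration, not IAM itself; `aws iam simulate-principal-policy` against a real account is the authoritative check.

```python
"""Read-only IAM policy for AWS Private CA, checked with a simplified local evaluator.

The evaluator below is an illustration of IAM's decision order, not IAM:
explicit Deny wins, then any matching Allow, otherwise implicit deny.
Action names are matched case-insensitively and resource ARNs case-sensitively,
which is how IAM treats them. Account ID and CA ARN are placeholders.
"""
import fnmatch

# Placeholder ARN (assumed account and CA ID, for illustration only).
CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:"
          "certificate-authority/11111111-2222-3333-4444-555555555555")

# The policy option C calls for: read actions only, scoped to one CA.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPrivateCA",
            "Effect": "Allow",
            "Action": [
                "acm-pca:DescribeCertificateAuthority",
                "acm-pca:GetCertificateAuthorityCertificate",
                "acm-pca:GetCertificate",
                "acm-pca:ListTags",
            ],
            "Resource": CA_ARN,
        },
        {
            "Sid": "ListCAs",
            "Effect": "Allow",
            "Action": "acm-pca:ListCertificateAuthorities",
            "Resource": "*",  # List calls are not scoped to a single CA
        },
    ],
}

# A policy that looks harmless in a console but grants issuance and revocation.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "acm-pca:*", "Resource": "*"}],
}

# Broad Allow with an explicit Deny on the two most dangerous actions.
BROAD_WITH_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "acm-pca:*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["acm-pca:IssueCertificate", "acm-pca:RevokeCertificate"],
            "Resource": "*",
        },
    ],
}

# Write actions a read-only principal must never hold.
WRITE_ACTIONS = [
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
    "acm-pca:UpdateCertificateAuthority",
    "acm-pca:DeleteCertificateAuthority",
    "acm-pca:PutPolicy",
    "acm-pca:CreatePermission",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' is the only wildcard used here.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are compared case-sensitively.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """Simplified single-policy evaluation: Deny beats Allow, Allow beats implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny ends evaluation immediately
        allowed = True
    return allowed


def audit(policy, resource=CA_ARN):
    """Return the write actions on the CA that the policy would permit (empty is the goal)."""
    return [a for a in WRITE_ACTIONS if is_allowed(policy, a, resource)]


if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY),
                         ("overly broad", OVERLY_BROAD_POLICY),
                         ("broad with deny", BROAD_WITH_DENY_POLICY)]:
        print(f"{name}: permitted write actions -> {audit(policy)}")
```

The audit helper is the check to run on any policy that is meant to be read-only: an empty result means no issuance, revocation, or CA management action slips through, while the Deny variant shows that a blanket acm-pca:* still leaves update, delete, and policy-management rights in place.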