ExamQuestions.com

AWS Certified Security Specialty Exam Questions


Question 222:

As an AWS consultant, you need to help the team create a private Certificate Authority (CA) in ACM. The certificates issued by this CA are used for internal API endpoints. For security purposes, you need to control access to the private CA; for example, most users should only have read access to the private CA certificates. What is the most suitable way for you to configure this access?

Answer options:

A. Create an ACM private CA policy and associate it with the private Certificate Authority in ACM. Assign the read-only actions to the IAM entities in the "Principal" field.
B. Manage a key policy in AWS KMS and use it to control the access. Make sure that read-only IAM entities are configured as the certificate users in the key policy.
C. Create the below IAM policy and attach it to IAM users, groups or roles:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "acm-pca:DescribeCertificateAuthority",
      "acm-pca:ListCertificateAuthorities",
      "acm-pca:GetCertificate"
    ],
    "Resource": "*"
  }
}
D. Configure the below resource policy and attach it to the CA certificate in ACM:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "acm:Describe*",
      "acm:List*",
      "acm:GetCertificate"
    ],
    "Resource": "*"
  }
}