IAM Role: AWS/ACM/Operator

Permission	Grant
acm-pca:CreateCertificateAuthorityAuditReport	Operator
acm-pca:TagCertificateAuthority	Operator
acm-pca:UntagCertificateAuthority	Operator
acm:AddTagsToCertificate	Operator
acm:RemoveTagsFromCertificate	Operator
acm-pca:GetCertificate	ReadOnly
acm-pca:GetCertificateAuthorityCertificate	ReadOnly
acm-pca:GetCertificateAuthorityCsr	ReadOnly
acm-pca:GetPolicy	Metadata
acm-pca:ListCertificateAuthorities	Metadata
acm-pca:ListPermissions	Metadata
acm-pca:ListTags	Metadata
acm:DescribeCertificate	Metadata
acm:GetAccountConfiguration	Metadata
acm:GetCertificate	Metadata
acm:ListCertificates	Metadata
acm:ListTagsForCertificate	Metadata