How to enforce multi-party approval for creating Matter-compliant certificate authorities




This article explains how to enforce multi-party approval for creating Matter-compliant certificate authorities using AWS Private CA and AWS Systems Manager.

  • The Matter protocol requires multi-party approval for device attestation certificate authorities (CAs)
  • Solution uses AWS Systems Manager Change Manager for approval workflow automation
  • Four IAM roles required: two approver roles (MatterCA-Admin-1/2), one template reviewer role, two service roles
  • Separate individuals must assume each approver role to prevent single-person bypass
  • Service Control Policies restrict CA creation to designated service roles only
  • SSM documents automate creation of the Product Attestation Authority (PAA) and Product Attestation Intermediate (PAI)
  • Change templates enforce two-level approval before certificate creation executes
  • Change Manager timeline provides audit trail demonstrating multi-party approval compliance

This solution implements Matter PKI Certificate Policy requirements by combining IAM role separation, AWS Systems Manager automation, and Change Manager approval workflows to ensure multi-party approval for Matter-compliant certificate authority creation.
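As an added illustration (not from the original post), this is the shape a Service Control Policy takes when it restricts CA creation to the designated service roles: any principal other than those roles is denied the create call. The role names MatterCA-PAA-ServiceRole and MatterCA-PAI-ServiceRole are placeholders; the post does not name its service roles.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyMatterCACreationOutsideDesignatedServiceRoles",
      "Effect": "Deny",
      "Action": [
        "acm-pca:CreateCertificateAuthority"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/MatterCA-PAA-ServiceRole",
            "arn:aws:iam::*:role/MatterCA-PAI-ServiceRole"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the organizational unit that holds the PKI account; SCPs do not apply to the management account, so the CA account should not be the management account.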
