Root Account Active Signing Certificates

Security

Risk level: High (not acceptable risk)

To secure your Amazon Web Services account and adhere to security best practices, ensure that your AWS root user is not using X.509 certificates to sign SOAP-protocol requests to AWS services. In this context an X.509 certificate is a signing certificate used to validate API requests: some AWS services accept requests that are signed with the private key corresponding to an uploaded certificate. Cloud Conformity strongly recommends disabling any active X.509 certificates deployed for your root account, because using the root user to perform daily operations and develop AWS applications is not a best practice.

This rule resolution is part of the Cloud Conformity Security Package

Disabling X.509 signing certificates created for your AWS root account eliminates the risk of unauthorized access to certain AWS services and resources, in case the private certificate keys are stolen or shared accidentally.

Audit

To determine if your AWS root account has any active X.509 certificates, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name or number available in the upper-right corner of the management console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the X.509 certificate tab to expand the panel with the X.509 certificates deployed for your root account.

04 Within the X.509 certificates table, in the Status column, check for any certificates with the status set to Active. If the table lists one or more active certificates:

(Screenshot: X.509 certificates table listing certificates whose Status is Active)

there are active X.509 signing certificates deployed for your AWS root user, therefore your root account access configuration does not follow AWS security best practices.

05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine for active X.509 certificates.

Using AWS CLI

01 Run the get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a document that lists all the AWS users (root and IAM users) and the current status of their credentials:

aws iam get-credential-report

02 The command output returns the report as text/csv content, encoded with the Base64 encoding scheme:

{
    "Content": "cx7lcixhcm4sdXNlcl9jcmdz ... cdXyLE4vQSxmYWxzZSxOl04=",
    "GeneratedTime": "2018-01-18T16:13:01Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named aws-iam-credentials-report.csv:

echo -n aaaabbbbccccddddeeee ... ffffgggghhhhiiiijjjj= | base64 -d > aws-iam-credentials-report.csv

04 Open aws-iam-credentials-report.csv in your favorite CSV file editor and check the values available within the cert_1_active and cert_2_active columns for the AWS root account. If one or both of the cert_1_active and cert_2_active parameters have their value set to TRUE, e.g.

(Screenshot: credential report row for the root account with cert_1_active set to TRUE)

your AWS root user has active X.509 signing certificates, therefore your root account access configuration does not follow AWS security best practices.

05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine.
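The CLI audit above can be scripted. The following is an added example, not Cloud Conformity's own tooling: it reads the JSON printed by aws iam get-credential-report on stdin, decodes the report and returns the cert_1_active / cert_2_active columns that are true for the root account. It assumes the report's standard layout, in which the root user appears as <root_account> and boolean columns hold true/false; the embedded sample report is constructed and trimmed to the relevant columns, with a placeholder account id.

```python
import base64
import csv
import io
import json
import sys

ROOT_USER = "<root_account>"  # how the root user is named in a credential report
CERT_COLUMNS = ("cert_1_active", "cert_2_active")


def encode_report(csv_text: str) -> str:
    """Base64-encode CSV text the way the Content field of get-credential-report is encoded."""
    return base64.b64encode(csv_text.encode("utf-8")).decode("ascii")


def active_root_certs(report_b64: str) -> list:
    """Decode a Base64 credential report and return the names of the cert_N_active
    columns that are true for the root account. An empty list means compliant."""
    text = base64.b64decode(report_b64).decode("utf-8")
    rows = csv.DictReader(io.StringIO(text))
    root = next((r for r in rows if r.get("user") == ROOT_USER), None)
    if root is None:
        raise ValueError("credential report has no %s row" % ROOT_USER)
    # Real reports use lowercase true/false; compare case-insensitively so TRUE also matches.
    return [c for c in CERT_COLUMNS if root.get(c, "").strip().lower() == "true"]


# Constructed sample report, trimmed to the columns this check needs (account id is a placeholder).
SAMPLE_CSV = (
    "user,arn,mfa_active,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::123456789012:root,true,true,2018-01-10T09:00:00+00:00,false,N/A\n"
    "alice,arn:aws:iam::123456789012:user/alice,true,false,N/A,false,N/A\n"
)
SAMPLE_REPORT = encode_report(SAMPLE_CSV)


def main() -> int:
    """Read get-credential-report JSON from stdin; exit 1 if the root user has an active certificate."""
    payload = json.load(sys.stdin)
    active = active_root_certs(payload["Content"])
    if active:
        print("NON-COMPLIANT: root account has active X.509 signing certificate(s): " + ", ".join(active))
        return 1
    print("COMPLIANT: no active X.509 signing certificates on the root account")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as aws iam get-credential-report | python3 check_root_certs.py (the file name is arbitrary); if the CLI reports that no credential report exists, run aws iam generate-credential-report first and retry.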

Remediation / Resolution

To disable any active X.509 signing certificates created for your AWS root account, perform the following actions:

Note: Disabling X.509 certificates deployed for your AWS root user via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name or number available in the upper-right corner of the management console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the X.509 certificate tab to expand the panel with the X.509 certificates deployed for your root account.

04 Choose the X.509 certificate that you want to disable (see the Audit section, part I, to identify the right resource), then click on the Make Inactive button, available within the Actions column, to disable the selected signing certificate. Once the certificate becomes inoperative, its status should change to Inactive.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to secure by disabling its active X.509 certificates.

Publication date Apr 1, 2018