
IAM Root Account Has Active X.509 Certificates

Overview

The root user of this AWS account has one or more active X.509 signing certificates. Signing certificates are an older form of programmatic credential: a request is signed with the certificate's private key, and the AWS APIs that accept this scheme (historically the SOAP interfaces of a few services) validate the signature against the certificate registered on the account.

Using the root user for daily operations or for developing AWS applications is not a best practice. Active X.509 certificates on the root account add risk because root is not constrained by IAM policies: if the certificate's private key is stolen or shared accidentally, anyone holding it can sign requests to the AWS services that accept certificate signatures, and those requests carry the root user's full authority over the account's resources.

It is strongly recommended to deactivate, and then delete, any X.509 signing certificates on the root account, and to give programmatic workloads their own IAM identities (IAM users, or preferably IAM roles) scoped to least privilege instead. Root's signing certificates can only be listed or changed while authenticated as root, so auditing is normally done through the IAM credential report, whose cert_1_active and cert_2_active columns show the certificate state of the <root_account> row alongside every IAM user.
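The following is an added detection example, not part of the original finding text or the vendor's scanner. It parses the IAM credential report (the CSV that `aws iam get-credential-report` returns after base64 decoding, or that boto3 returns as bytes in `Content`) and reports which signing-certificate slots are active for the root user. The sample report embedded below is constructed for illustration; the column names match the real report, the account ID and timestamps are made up.

```python
"""Detect active X.509 signing certificates on the AWS root user.

Added example: reads the IAM credential report, finds the <root_account>
row and returns the certificate slots (cert_1_active / cert_2_active) that
are "true". Works offline on the constructed SAMPLE_REPORT; fetch_credential_report()
shows how the live report is obtained with boto3.
"""
import csv
import io
from typing import Dict, List

ROOT_USER = "<root_account>"
CERT_ACTIVE_COLUMNS = ("cert_1_active", "cert_2_active")

# Constructed sample report (not real account data). Root has one active
# signing certificate; the IAM user "deploy" has none.
SAMPLE_REPORT = b"""user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-03-04T10:00:00+00:00,not_supported,2024-01-10T08:12:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,true,2021-06-01T09:30:00+00:00,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2022-05-05T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-01T00:00:00+00:00,2024-01-09T17:45:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Same layout as above but with no active certificate on root, used to show
# the check passing.
CLEAN_REPORT = SAMPLE_REPORT.replace(
    b"true,2021-06-01T09:30:00+00:00,false,N/A",
    b"false,N/A,false,N/A",
)


def parse_credential_report(report: bytes) -> List[Dict[str, str]]:
    """Decode the report bytes and return one dict per row, keyed by column."""
    return list(csv.DictReader(io.StringIO(report.decode("utf-8"))))


def active_signing_cert_slots(row: Dict[str, str]) -> List[str]:
    """Return the cert_N_active columns that are 'true' for a report row."""
    return [col for col in CERT_ACTIVE_COLUMNS if row.get(col, "").lower() == "true"]


def root_active_signing_certs(report: bytes) -> List[str]:
    """Return active certificate slots on the root user (empty list = compliant).

    Raises ValueError if the report has no <root_account> row, so a truncated
    or foreign report is treated as an error rather than a pass.
    """
    for row in parse_credential_report(report):
        if row.get("user") == ROOT_USER:
            return active_signing_cert_slots(row)
    raise ValueError("credential report has no <root_account> row")


def fetch_credential_report() -> bytes:
    """Fetch the live report with boto3 (not called by the offline demo).

    Needs iam:GenerateCredentialReport and iam:GetCredentialReport.
    Generation is asynchronous, so poll until the state is COMPLETE.
    """
    import time

    import boto3  # assumption: boto3 is installed and credentials are configured

    iam = boto3.client("iam")
    while iam.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam.get_credential_report()["Content"]  # already base64-decoded bytes


if __name__ == "__main__":
    slots = root_active_signing_certs(SAMPLE_REPORT)
    if slots:
        print(f"FINDING: root user has active X.509 signing certificates: {', '.join(slots)}")
    else:
        print("OK: no active X.509 signing certificates on the root user")
```

To remediate, sign in as root and run `aws iam update-signing-certificate --certificate-id <id> --status Inactive` for each ID returned by `aws iam list-signing-certificates`, then `aws iam delete-signing-certificate --certificate-id <id>` once nothing depends on it; with root credentials and no `--user-name`, these commands act on the root user. Re-run the report check afterwards to confirm both cert slots read `false`.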

Vendor

AWS

Cloud Service

IAM

PCI DSS 2.1, PCI DSS 2.2, PCI DSS 7.2.1

CIS AWS v1.5.0 1.7

References

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

Severity

4

Item Types

Custom::AWS::IAM::Account