Ensure 'root' account does not have an active X.509 signing certificate
An X.509 certificate is a signing certificate used to make secure SOAP-protocol requests to some AWS services. Ensuring that the AWS 'root' account does not have an active X.509 signing certificate is recommended as a best practice, because the root account should not be used to perform day-to-day operations. Note: Government cloud accounts do not have a root user, so this rule should be excluded in the CloudGuard UI -> Posture Management -> Exclusions -> Create New Exclusion (for each relevant ruleset).
Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.68
Category: Security, Identity, & Compliance
GSL LOGIC
IamUser where name like '%root_account%' should have firstCertificate.isActive=false and secondCertificate.isActive=false
REMEDIATION
From Portal
- Click on the AWS account name/number in the upper-right corner
- Choose 'Security credentials' in the menu
- Under 'X.509 certificate', change all certificates with 'Active' status to 'Inactive'.
From Command Line
To generate a credentials report, run:
aws iam generate-credential-report
To get the generated credentials report, run:
aws iam get-credential-report
Note: The 'Content' field of the JSON response is the report encoded in Base64; decode it into a CSV file. Then verify that the 'cert_1_active' and 'cert_2_active' columns are 'FALSE' on the row for the 'root' user.
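The decode-and-verify step above, carried out in code as an added example (not part of the CloudGuard page or the AWS CLI). It takes the JSON document printed by aws iam get-credential-report, decodes the Base64 'Content' field into CSV rows, and checks the root user's cert_1_active and cert_2_active columns, matching the user name the same way the GSL logic does ('%root_account%'). The sample report built by make_sample_response is constructed for demonstration, trimmed to the relevant columns, and uses an assumed account ID; the column names and the '<root_account>' user name are the real ones from the IAM credential report.

```python
import base64
import csv
import io
import json
import sys

# Real column names from the IAM credential report; the sample rows are constructed.
CERT_COLUMNS = ("cert_1_active", "cert_2_active")
ROOT_USER = "<root_account>"


def make_sample_response(cert_1_active: str, cert_2_active: str) -> str:
    """Build a constructed JSON document shaped like `aws iam get-credential-report`
    output (assumed account ID 123456789012; columns trimmed to what the check needs)."""
    header = "user,arn,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated"
    rows = [
        f"{ROOT_USER},arn:aws:iam::123456789012:root,{cert_1_active},N/A,{cert_2_active},N/A",
        "alice,arn:aws:iam::123456789012:user/alice,false,N/A,false,N/A",
    ]
    report = "\n".join([header, *rows]) + "\n"
    return json.dumps({
        "Content": base64.b64encode(report.encode()).decode(),
        "ReportFormat": "text/csv",
        "GeneratedTime": "2024-01-01T00:00:00Z",
    })


def decode_credential_report(response_json: str) -> list[dict]:
    """Decode the Base64 'Content' field into CSV rows keyed by column name."""
    content = json.loads(response_json)["Content"]
    csv_text = base64.b64decode(content).decode("utf-8")
    return list(csv.DictReader(io.StringIO(csv_text)))


def root_certificate_findings(rows: list[dict]) -> list[str]:
    """Return the root user's certificate columns whose value is 'true' (active).
    An empty list means the account passes the rule."""
    for row in rows:
        if "root_account" in row["user"]:  # same match as the GSL: name like '%root_account%'
            return [c for c in CERT_COLUMNS if row.get(c, "").strip().lower() == "true"]
    raise ValueError("root account row not found in credential report")


def root_has_no_active_certificate(response_json: str) -> bool:
    """True when neither of the root user's X.509 signing certificates is active."""
    return not root_certificate_findings(decode_credential_report(response_json))


if __name__ == "__main__":
    # Real use: aws iam get-credential-report | python3 check_root_cert.py
    # Without piped input, evaluate a constructed non-compliant sample instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else make_sample_response("true", "false")
    findings = root_certificate_findings(decode_credential_report(data))
    if findings:
        print(f"FAIL: active root X.509 certificate(s): {', '.join(findings)}")
    else:
        print("PASS: root account has no active X.509 certificate")
```

The report is generated asynchronously: aws iam generate-credential-report returns a State of STARTED or INPROGRESS until it is ready, so re-run it until the State is COMPLETE before calling get-credential-report, otherwise the content may be from a previous run.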
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/generate-credential-report.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-credential-report.html
IAM User
An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS Security Risk Management