Root Account Active Signing Certificates

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: IAM-048

To secure your Amazon Web Services account and adhere to security best practices, ensure that your AWS root user is not using X.509 certificates to perform SOAP-protocol requests to AWS services. An X.509 certificate is a signing certificate utilized for API request validation purposes. Some AWS services use X.509 certificates to approve requests that are signed with a corresponding private key. Cloud Conformity strongly recommends disabling any active X.509 certificates deployed for your root account because using the root user to perform daily operations and develop AWS applications is not a best practice.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Disabling X.509 signing certificates created for your AWS root account eliminates the risk of unauthorized access to certain AWS services and resources, in case the private certificate keys are stolen or shared accidentally.


Audit

To determine if your AWS root account has any active X.509 certificates, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name or number available in the upper-right corner of the management console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the X.509 certificate tab to expand the panel with the X.509 certificates deployed for your root account.

04 Within the X.509 certificates table, in the Status column, check for any certificates with the status set to Active. If the table lists one or more active certificates, as in the screenshot below:

Certificates set to active

there are active X.509 signing certificates deployed for your AWS root user; therefore your root account access configuration does not follow AWS security best practices.

05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine for active X.509 certificates.

Using AWS CLI

01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a document that lists all the AWS users (root and IAM users) and the current status of their credentials:

aws iam get-credential-report

02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme:

{
    "Content": "cx7lcixhcm4sdXNlcl9jcmdz ... cdXyLE4vQSxmYWxzZSxOl04=",
    "GeneratedTime": "2018-01-18T16:13:01Z",
    "ReportFormat": "text/csv"
}

03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named aws-iam-credentials-report.csv (the Base64 string is abbreviated; paste the full Content value):

echo -n aaaabbbbccccddddeeee ... ffffgggghhhhiiiijjjj= | base64 -d > aws-iam-credentials-report.csv

04 Open aws-iam-credentials-report.csv in your favorite CSV file editor and check the values available within the cert_1_active and cert_2_active columns for the AWS root account row. If one or both cert_1_active and cert_2_active columns have their value set to TRUE, as in the screenshot below:

Certificate set to TRUE

your AWS root user has active X.509 signing certificates; therefore your root account access configuration does not follow AWS security best practices.

05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine.
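The CLI audit above (fetch the credential report, Base64-decode it, inspect the root row's cert_1_active and cert_2_active columns) as one script. This is an added example, not Conformity's own code; it assumes the root user appears in the credential report under the user name `<root_account>` and uses a constructed, trimmed sample report in place of a real account.

```python
import base64
import csv
import io
import json
from typing import Dict, List

ROOT_USER = "<root_account>"  # assumed name of the root user's row in the IAM credential report
CERT_COLUMNS = ("cert_1_active", "cert_2_active")


def decode_credential_report(cli_output: str) -> str:
    """Decode the Base64 'Content' field of `aws iam get-credential-report` output into CSV text."""
    payload = json.loads(cli_output)
    return base64.b64decode(payload["Content"]).decode("utf-8")


def root_active_certs(report_csv: str) -> List[str]:
    """Return the cert slots (cert_1_active / cert_2_active) that are TRUE for the root user.

    An empty list means the root account has no active X.509 signing certificate (IAM-048 passes).
    """
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row.get("user") == ROOT_USER:
            # the report writes booleans as text; compare case-insensitively (TRUE/true)
            return [c for c in CERT_COLUMNS if row.get(c, "").strip().lower() == "true"]
    raise ValueError("credential report has no %s row" % ROOT_USER)


def audit(cli_output: str) -> Dict[str, object]:
    """Run the IAM-048 check over raw CLI output and report compliance plus the offending columns."""
    active = root_active_certs(decode_credential_report(cli_output))
    return {"compliant": not active, "active_certs": active}


# Constructed sample: only the report columns this check reads, wrapped in the JSON
# shape the CLI returns. The account id and timestamps are placeholders, not real data.
_SAMPLE_CSV = (
    "user,arn,mfa_active,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::111122223333:root,true,true,2018-01-10T09:00:00+00:00,false,N/A\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,false,N/A,false,N/A\n"
)
SAMPLE_CLI_OUTPUT = json.dumps({
    "Content": base64.b64encode(_SAMPLE_CSV.encode()).decode(),
    "GeneratedTime": "2018-01-18T16:13:01Z",
    "ReportFormat": "text/csv",
})

if __name__ == "__main__":
    import sys
    # `aws iam get-credential-report | python check_root_certs.py` audits a real account;
    # with nothing piped in, the constructed sample is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLI_OUTPUT
    print(json.dumps(audit(data), indent=2))
```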

Remediation / Resolution

To disable any active X.509 signing certificates created for your AWS root account, perform the following actions:

Note: Disabling X.509 certificates deployed for your AWS root user via Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console using the root account credentials.

02 Click on the AWS account name or number available in the upper-right corner of the management console and select My Security Credentials from the dropdown menu.

03 On Your Security Credentials page, click on the X.509 certificate tab to expand the panel with the X.509 certificates deployed for your root account.

04 Choose the X.509 certificate that you want to disable (see Audit section part I to identify the right resource), then click on the Make Inactive button, available within the Actions column, to disable the selected signing certificate. Once the certificate becomes inoperative, its status should change to Inactive.

05 Repeat steps no. 1 – 4 for each AWS root account that you want to secure by disabling its active X.509 certificates.

Publication date Apr 1, 2018