
๐Ÿ›ก๏ธ AWS Account Root User signing certificates are active๐ŸŸข

  • Contextual name: 🛡️ Root User signing certificates are active 🟢
  • ID: /ce/ca/aws/iam/delete-root-user-signing-certificates
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description

This policy identifies AWS account Root Users that have active X.509 signing certificates listed in the AWS IAM Credential Report.

The root user should not use X.509 certificates to make SOAP-based requests to AWS services. An X.509 signing certificate is a credential used to authenticate API requests: the caller signs the request with the certificate's private key and AWS validates the signature against the certificate. A few legacy AWS services still accept this authentication method, but its use by the root user is strongly discouraged because it is a long-lived credential bound to the most privileged identity in the account.

It is recommended to disable, and then delete, every X.509 signing certificate associated with the root user. The root user should be reserved strictly for account-level administrative tasks, not for routine operations or application development.

Rationale

Disabling X.509 signing certificates for the AWS root user reduces the risk of unauthorized access to AWS services and resources if the certificate's private key is compromised, leaked, or shared unintentionally: a certificate that is inactive cannot be used to sign requests even if its private key is exposed.

Audit

This policy evaluates the cert_1_active and cert_2_active attributes of the Root User row in the IAM Credential Report (the row whose user column is <root_account>). If either attribute is true, the Root User is flagged as INCOMPLIANT; if both are false, it is not flagged.
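The check above, written as a shell function over a credential report CSV. This is an added example, not the policy's own implementation: the sample report below is constructed (with a trimmed column set, which is why the function resolves columns by header name rather than by position), and the <root_account> user name is the convention the IAM credential report uses for the root user row.

```shell
#!/bin/sh
# Added example (not part of the original policy page): evaluate the
# "root user has an active X.509 signing certificate" rule against the
# IAM credential report CSV.
#
# CONSTRUCTED sample report for an offline run. The real report has more
# columns (password_*, access_key_*, ...); only the ones used here are kept.
SAMPLE_REPORT='user,arn,user_creation_time,mfa_active,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T12:00:00+00:00,true,true,2021-03-04T08:15:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-05-01T09:00:00+00:00,true,false,N/A,false,N/A'

# Read a credential report CSV on stdin and print exactly one of:
#   INCOMPLIANT  root row present and cert_1_active or cert_2_active is "true"
#   COMPLIANT    root row present and neither certificate is active
#   ERROR        the cert_*_active columns are missing or there is no root row
root_cert_status() {
  awk -F',' '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    NR == 1 {                                # header: map column name -> index
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("cert_1_active" in col) || !("cert_2_active" in col)) {
        print "ERROR"; bad = 1; exit
      }
      next
    }
    $1 == "<root_account>" {                 # the root user row
      found = 1
      c1 = $(col["cert_1_active"]); c2 = $(col["cert_2_active"])
      if (c1 == "true" || c2 == "true") print "INCOMPLIANT"; else print "COMPLIANT"
      exit
    }
    END { if (!bad && !found) print "ERROR" } # report without a root row
  '
}

# Evaluate the constructed sample (prints INCOMPLIANT: cert_1_active is true).
printf '%s\n' "$SAMPLE_REPORT" | root_cert_status
```

Against a real account, generate a fresh report with aws iam generate-credential-report (repeat until its state is COMPLETE), then feed the decoded content to the function: aws iam get-credential-report --query Content --output text | base64 -d | root_cert_status. The caller needs iam:GenerateCredentialReport and iam:GetCredentialReport; note that the report tells you whether a certificate is active but not its certificate ID, which comes from the console or aws iam list-signing-certificates.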


Remediation

Disable X.509 Signing Certificates for the AWS Root User

All active X.509 signing certificates associated with the AWS root user must first be deactivated and then removed. The root user should not use X.509 certificates for API or SOAP-based requests.

From Command Line

1. Disable the Active X.509 Certificates

Identify the certificate ID of each active root signing certificate from the AWS Management Console (root user, Security credentials page) or from aws iam list-signing-certificates run with the root user's credentials, then deactivate it with the following command. Note that the IAM UpdateSigningCertificate and DeleteSigningCertificate operations, when --user-name is omitted, act on the identity whose credentials signed the request; this is the documented way to manage the root user's own credentials, since root is not an IAM user.

aws iam update-signing-certificate \
--certificate-id {{certificate-id}} \
--status Inactive \
--user-name root

Repeat this step for any additional active signing certificates.

2. Delete the X.509 Certificates

Deactivation is reversible and lets you confirm nothing breaks; deletion is not. Ensure that no applications or legacy integrations rely on the root X.509 certificates before deleting them:

aws iam delete-signing-certificate \
--certificate-id {{certificate-id}} \
--user-name root

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Well-Architected → 💼 SEC01-BP02 Secure account root user and properties | 2 | no data
💼 Cloudaware Framework → 💼 Credential Lifecycle Management | 24 | no data