To secure your Amazon Web Services account and adhere to security best practices, ensure that your AWS root user is not using X.509 certificates to perform SOAP-protocol requests to AWS services. An X.509 certificate is a signing certificate utilized for API request validation purposes. Some AWS services use X.509 certificates to approve requests that are signed with a corresponding private key. Cloud Conformity strongly recommends disabling any active X.509 certificates deployed for your root account because using the root user to perform daily operations and develop AWS applications is not a best practice.
This rule can help you with the following compliance standards:
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Security Disabling X.509 signing certificates created for your AWS root account eliminates the risk of unauthorized access to certain AWS services and resources, in case the private certificate keys are stolen or shared accidentally.
Audit
To determine if your AWS root account has any active X.509 certificates, perform the following:
01 Sign in to the AWS Management Console using the root account credentials.
02 Click on the AWS account name or number available in the upper-right corner of the management console and select My Security Credentials from the dropdown menu.
03 On Your Security Credentials page, click on the X.509 certificate tab to expand the panel with the X.509 certificates deployed for your root account.
04 Within the X.509 certificates table, in the Status column, check for any certificates with the status set to Active. If the table lists one or more active certificates:
there are active X.509 signing certificates deployed for your AWS root user, therefore your root account access configuration does not follow AWS security best practices.
05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine for active X.509 certificates.
01 Run get-credential-report command (OSX/Linux/UNIX) to obtain the IAM credential report for your AWS account. A credential report is a document that lists all the AWS users (root and IAM users) and the current status of their credentials:
aws iam get-credential-report
02 The command output should return the document in a TEXT/CSV format, encoded with the Base64 encoding scheme:
{
"Content": "cx7lcixhcm4sdXNlcl9jcmdz ... cdXyLE4vQSxmYWxzZSxOl04=",
"GeneratedTime": "2018-01-18T16:13:01Z",
"ReportFormat": "text/csv"
}
03 Decode the IAM credential report content from the command line (OSX/Linux/UNIX) using the Base64 string returned at the previous step as the input data. In the following example, the report is decoded and saved to a file named aws-iam-credentials-report.csv:
echo -n aaaabbbbccccddddeeee ... ffffgggghhhhiiiijjjj= | base64 –d >> aws-iam-credentials-report.csv
04 Open aws-credentials-report.csv in your favorite CSV file editor and check the values available within cert_1_active and cert_2_active columns for the AWS root account. If one or both cert_1_active and cert_2_active parameters have their value set to TRUE, e.g.
your AWS root user has active X.509 signing certificates, therefore your root account access configuration does not follow AWS security best practices.
05 Repeat steps no. 1 – 4 for each Amazon Web Services root account that you want to examine.
Remediation / Resolution
To disable any active X.509 signing certificates created for your AWS root account, perform the following actions:
Note: Disabling X.509 certificates deployed for your AWS root user via Command Line Interface (CLI) is not currently supported.References
- AWS Documentation
- AWS IAM FAQs
- IAM Best Practices
- Getting Credential Reports for Your AWS Account
- X.509 client certificates
- AWS Command Line Interface (CLI) Documentation
- iam
- get-credential-report