v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 1 AWS Private CA root certificate authority should be disabled

Description

This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled.

With AWS Private CA, you can create a CA hierarchy that includes a root CA and subordinate CAs. You should minimize the use of the root CA for daily tasks, especially in production environments. The root CA should only be used to issue certificates for intermediate CAs. This allows the root CA to be stored out of harm's way while the intermediate CAs perform the daily task of issuing end-entity certificates.

Remediation

To disable the root CA, see Update CA status in the AWS Private Certificate Authority User Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_pca_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_pca_1 --share

SQL

This control uses a named query:

acmpca_root_certificate_authority_disabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = secure_network_configuration
foundational_security_item_id = pca_1
plugin = aws
service = AWS/PrivateCertificateAuthority