Low PrivateCA Regional

AWS Private CA root certificate authority should be disabled

NIST 800-53, ISO 27001

Description

This control checks whether each AWS Private CA root certificate authority (CA) is disabled. The control fails if a root CA is enabled. Root CAs should be used only to issue certificates for subordinate CAs and should otherwise remain disabled to minimize risk.


Remediation

Disable root certificate authorities in AWS Private CA and use subordinate CAs for day-to-day operations.

Steps

  1. Open the AWS Private CA console.
  2. Select the root CA.
  3. Choose 'Disable' to disable the root CA.
  4. Use subordinate CAs for issuing end-entity certificates.
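The check and the remediation step above, as an added Python example that is not part of the original control or of any AWS tooling: it classifies each root CA from a ListCertificateAuthorities response and emits the CLI call that disables a failing one. The response shape follows the `aws acm-pca list-certificate-authorities` output; the ARNs are constructed placeholders.

```python
"""Evaluate 'root CA should be disabled' over AWS Private CA inventory data."""

# Constructed sample in the shape returned by
# `aws acm-pca list-certificate-authorities` (account id and CA ids are placeholders).
SAMPLE_RESPONSE = {
    "CertificateAuthorities": [
        {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/root-enabled",
         "Type": "ROOT", "Status": "ACTIVE"},
        {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/root-disabled",
         "Type": "ROOT", "Status": "DISABLED"},
        {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/sub-issuing",
         "Type": "SUBORDINATE", "Status": "ACTIVE"},
    ]
}


def evaluate(response):
    """Classify every ROOT CA in a ListCertificateAuthorities response.

    Returns {arn: "FAIL"} for an enabled (ACTIVE) root CA, {arn: "PASS"} for a
    DISABLED one.  Subordinate CAs are out of scope for this control.  Root CAs in
    other states (e.g. CREATING, PENDING_CERTIFICATE, EXPIRED, FAILED, DELETED) are
    not enabled, but are reported as "SKIP" rather than "PASS" so they stay visible.
    """
    results = {}
    for ca in response.get("CertificateAuthorities", []):
        if ca.get("Type") != "ROOT":
            continue
        status = ca.get("Status")
        results[ca["Arn"]] = {"ACTIVE": "FAIL", "DISABLED": "PASS"}.get(status, "SKIP")
    return results


def remediation_command(arn):
    """AWS CLI call that disables a root CA.  Re-enable it only for the short window
    in which it must sign a new subordinate CA certificate, then disable it again."""
    return ("aws acm-pca update-certificate-authority "
            f"--certificate-authority-arn {arn} --status DISABLED")


if __name__ == "__main__":
    try:
        import boto3  # only used when run against a real account
        # Accounts with many CAs return NextToken; a paginator would be needed there.
        response = boto3.client("acm-pca").list_certificate_authorities()
    except Exception:  # no boto3 or no credentials: fall back to the constructed sample
        response = SAMPLE_RESPONSE
    for arn, verdict in evaluate(response).items():
        print(verdict, arn)
        if verdict == "FAIL":
            print("  remediate:", remediation_command(arn))
```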

Compliance

NIST 800-53, ISO 27001