Amazon Private Certificate Authority controls - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Private Certificate Authority controls

These controls are related to Amazon Private CA resources.

These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[PCA.1] Amazon Private CA root certificate authority should be disabled

Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2

Category: Protect > Secure network configuration

Severity: Low

Resource type: AWS::ACMPCA::CertificateAuthority

Amazon Config rule: acm-pca-root-ca-disabled

Schedule type: Periodic

Parameters: None

This control checks if Amazon Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled.

With Amazon Private CA, you can create a CA hierarchy that includes a root CA and one or more subordinate CAs. Minimize use of the root CA for day-to-day tasks, especially in production environments. The root CA should only issue certificates to subordinate (intermediate) CAs; the subordinate CAs then do the daily work of issuing end-entity certificates. Keeping the root CA disabled between those rare signing operations keeps it out of harm's way: a disabled CA cannot issue certificates, so a compromised credential that holds acm-pca:IssueCertificate on the root cannot mint new intermediates until the root is deliberately set back to ACTIVE. Disabling does not delete the CA or its key; re-enable it for the short window in which you sign a new subordinate CA certificate, then disable it again.

Remediation

To disable the root CA, see Update CA status in the Amazon Private Certificate Authority User Guide.
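The following script is an added example, not code from Security Hub, the acm-pca-root-ca-disabled Config rule, or the Amazon Private CA User Guide. It reproduces the PCA.1 check over the shape of the ListCertificateAuthorities response (a root CA is treated as "enabled" when its Status is ACTIVE; that mapping is an assumption of this example) and performs the remediation from the guide by calling UpdateCertificateAuthority with Status=DISABLED. The function names (noncompliant_root_cas, remediate), the FakeAcmPcaClient stand-in, the SAMPLE_CAS data with account 111122223333, and the --live/--apply flags are all constructed for this page; the boto3 calls get_paginator("list_certificate_authorities") and update_certificate_authority are the real API. Subordinate CAs are never touched, whatever their status.

```python
"""PCA.1: find ACTIVE root CAs in AWS Private CA and disable them.

Example written for this page (hypothetical helper, not an AWS tool). The
live path needs boto3 plus acm-pca:ListCertificateAuthorities and
acm-pca:UpdateCertificateAuthority on the CAs in question.
"""

from typing import Any, Dict, List


def noncompliant_root_cas(cas: List[Dict[str, Any]]) -> List[str]:
    """Return the ARNs of root CAs that are still enabled.

    `cas` has the shape of ListCertificateAuthorities["CertificateAuthorities"].
    Assumption: "enabled" in the sense of PCA.1 means Status == ACTIVE. CAs that
    are DISABLED, EXPIRED, DELETED or not yet provisioned are not flagged, and
    subordinate CAs are never flagged.
    """
    return [
        ca["Arn"]
        for ca in cas
        if ca.get("Type") == "ROOT" and ca.get("Status") == "ACTIVE"
    ]


def remediate(client, dry_run: bool = True) -> List[str]:
    """List every CA visible to the caller, report enabled root CAs and, unless
    dry_run, set them to DISABLED. Returns the ARNs that were (or would be)
    disabled. Disabling keeps the CA and its key; it only stops issuance."""
    cas: List[Dict[str, Any]] = []
    for page in client.get_paginator("list_certificate_authorities").paginate():
        cas.extend(page["CertificateAuthorities"])
    targets = noncompliant_root_cas(cas)
    if not dry_run:
        for arn in targets:
            client.update_certificate_authority(
                CertificateAuthorityArn=arn, Status="DISABLED"
            )
    return targets


# --- constructed sample data and an offline stand-in for the boto3 client ---

SAMPLE_CAS = [
    {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/root-1",
     "Type": "ROOT", "Status": "ACTIVE"},             # the only PCA.1 failure
    {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/root-2",
     "Type": "ROOT", "Status": "DISABLED"},           # already compliant
    {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/sub-1",
     "Type": "SUBORDINATE", "Status": "ACTIVE"},      # subordinates may stay active
    {"Arn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/root-3",
     "Type": "ROOT", "Status": "PENDING_CERTIFICATE"},  # not yet able to issue
]


class FakeAcmPcaClient:
    """Minimal stand-in exposing the two boto3 calls remediate() uses, so the
    flow can be exercised without AWS credentials."""

    def __init__(self, cas: List[Dict[str, Any]]):
        self.cas = [dict(ca) for ca in cas]
        self.updates: List[tuple] = []

    def get_paginator(self, name: str):
        assert name == "list_certificate_authorities"
        fake = self

        class _Paginator:
            def paginate(self):
                # One page per CA, so the paginated iteration is really exercised.
                for ca in fake.cas:
                    yield {"CertificateAuthorities": [ca]}

        return _Paginator()

    def update_certificate_authority(self, CertificateAuthorityArn: str, Status: str):
        self.updates.append((CertificateAuthorityArn, Status))
        for ca in self.cas:
            if ca["Arn"] == CertificateAuthorityArn:
                ca["Status"] = Status


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        import boto3  # real calls against the account's default region
        client = boto3.client("acm-pca")
    else:
        client = FakeAcmPcaClient(SAMPLE_CAS)
    apply_changes = "--apply" in sys.argv
    for arn in remediate(client, dry_run=not apply_changes):
        print(("disabled " if apply_changes else "would disable ") + arn)
```

Run it with no arguments for an offline dry run over the constructed data, `--live` to audit the current account and Region, and `--live --apply` to actually disable the enabled root CAs. Run the dry run first and confirm the list contains only the roots you expect; after disabling, re-enable a root only for the signing of a new subordinate CA certificate and then disable it again.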