Amazon Private Certificate Authority controls
These controls are related to Amazon Private CA resources.
These controls may not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.
[PCA.1] Amazon Private CA root certificate authority should be disabled
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2
Category: Protect > Secure network configuration
Severity: Low
Resource type:
AWS::ACMPCA::CertificateAuthority
Amazon Config rule:
acm-pca-root-ca-disabled
Schedule type: Periodic
Parameters: None
This control checks if Amazon Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled.
With Amazon Private CA, you can create a CA hierarchy that includes a root CA and subordinate CAs. You should minimize the use of the root CA for daily tasks, especially in production environments. The root CA should only be used to issue certificates for intermediate CAs. This allows the root CA to be stored out of harm's way while the intermediate CAs perform the daily task of issuing end-entity certificates.
Remediation
To disable the root CA, see Update CA status in the Amazon Private Certificate Authority User Guide.