A-IAM-19

Account Root User Has Signing Certificates

Risk:
High

AWS root account users should not have attached Signing Certificates.


Details

AWS accounts require a root user to create and assume ownership of the account. The root user exists before any other identities, such as IAM Users or IAM Roles, are created, and therefore has ultimate ownership of the account and, in most cases, access to everything in it.

As the root user effectively has full access to an account, their access and activities should be protected as much as possible. Root users operate similarly to IAM Users, which means that they are able to create Access Keys and upload Signing Certificates. Both Access Keys and Signing Certificates are attached directly to the root user, so their maintenance becomes part of the root user's responsibilities.

This arrangement means that any Signing Certificates are attached to and managed by a user who holds a substantial number of irrevocable permissions across the AWS account. Managing and maintaining those certificates therefore exposes the root user to unnecessary risk: the extra activity increases the number of root account logins, issued tokens and general activity on the root account. Since Signing Certificates can be uploaded and managed by any IAM User, there is no need to relegate their maintenance to the root user.

Your root user is an entity that should be used rarely, kept secret and kept safe. In most authentication systems, including AWS, each login generates artefacts such as short-lived tokens or requires the transmission of long-lived credentials (e.g. usernames and passwords). Logging in therefore carries risks that are unnecessary for day-to-day tasks, and exposing sensitive identities such as the root user to additional logins and activity increases the potential for a security breach or compromise. Since any entity with suitable permissions can upload and manage Signing Certificates, having them attached to the root user is simply unnecessary.

Remediation

Transfer the Signing Certificates currently under root user control to a newly created or existing IAM User, then reconfigure any AWS services that use those Signing Certificates to use the ones owned by that IAM User.

It’s important to note that Signing Certificates are an older service from AWS and are intended to be replaced by AWS Certificate Manager (ACM), which allows you to create and manage PKI assets in a more structured way, independent of IAM identities. Therefore, during the migration process, it is advisable to check if your local region and applicable services can utilise the same certificates uploaded to AWS Certificate Manager instead of relying on Signing Certificates tied to an IAM User.
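As an added example (not part of this page, and not SkySiege's own tooling), the check below shows how the root user's Signing Certificate state can be read without root credentials: the IAM credential report, which any IAM principal holding iam:GenerateCredentialReport and iam:GetCredentialReport can fetch, lists the root user as the row named `<root_account>` with `cert_1_active` and `cert_2_active` columns. The sample report embedded in the script is constructed, with a placeholder account ID; `evaluate_a_iam_19` and the other function names are the example's own, and `fetch_credential_report` is only needed against a live account.

```python
import csv
import io
import time
from typing import Dict, List

# Constructed sample of an IAM credential report (not real account data). Real
# reports carry more columns; the root user's row is always named "<root_account>"
# and the signing-certificate state lives in the cert_N_active columns.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,mfa_active,"
    "access_key_1_active,access_key_2_active,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    "<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,"
    "not_supported,true,false,false,true,2021-03-04T10:00:00+00:00,false,N/A\n"
    "alice,arn:aws:iam::111122223333:user/alice,2020-05-05T00:00:00+00:00,"
    "true,true,true,false,false,N/A,false,N/A\n"
)

ROOT_ROW = "<root_account>"
CERT_SLOTS = ("cert_1", "cert_2")  # IAM allows at most two signing certificates


def parse_credential_report(report_csv: str) -> List[Dict[str, str]]:
    """Parse the CSV body of an IAM credential report into one dict per identity."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def active_root_certificates(rows: List[Dict[str, str]]) -> List[str]:
    """Return the signing-certificate slots that are active on the root user."""
    root = next((r for r in rows if r.get("user") == ROOT_ROW), None)
    if root is None:
        raise ValueError("credential report has no <root_account> row")
    return [
        slot for slot in CERT_SLOTS
        if root.get(f"{slot}_active", "").strip().lower() == "true"
    ]


def evaluate_a_iam_19(report_csv: str) -> dict:
    """Apply the A-IAM-19 test: FAIL if root has any active signing certificate.

    The last-rotated timestamps are returned so the migration to an IAM User
    (or to ACM) can be planned per certificate.
    """
    rows = parse_credential_report(report_csv)
    active = active_root_certificates(rows)
    root = next(r for r in rows if r["user"] == ROOT_ROW)
    return {
        "test": "A-IAM-19",
        "risk": "High",
        "status": "FAIL" if active else "PASS",
        "active_certificates": active,
        "last_rotated": {slot: root.get(f"{slot}_last_rotated") for slot in active},
    }


def fetch_credential_report(iam_client=None) -> str:
    """Pull a fresh credential report with boto3 (assumed installed and
    configured for a non-root IAM principal). Report generation is
    asynchronous, so poll until IAM reports the state as COMPLETE."""
    if iam_client is None:
        import boto3
        iam_client = boto3.client("iam")
    while iam_client.generate_credential_report()["State"] != "COMPLETE":
        time.sleep(2)
    return iam_client.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_credential_report()
    # to evaluate a real account.
    print(evaluate_a_iam_19(SAMPLE_REPORT))
```

Because the credential report is generated by IAM itself, the same report also answers the neighbouring root-hygiene questions (access keys, MFA) without a single root login, which is the point the Details section makes about keeping root activity to a minimum.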

SkySiege Cloud Assessments can detect if Signing Certificates are attached to your root users without needing root user access. Any AWS Accounts where the root user has signing certificates attached will be immediately detected and listed in the report delivered the same day:

Discover if you're vulnerable

SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.

Related Tests