Ensure 'root' account does not have an active X.509 signing certificate

An X.509 is a signing certificate used to make secure SOAP-protocol requests to some AWS services. Ensuring AWS 'root' account does not have an active X.509 signing certificate is recommended as a best practice (The root account should not be used to perform day to day operations). Note: Government cloud accounts do not have a root user, and so, should exclude this rule in the CloudGuard UI -> Posture Management -> Exclusions -> Create New Exclusion (for each relevant ruleset)

Risk Level: High
Cloud Entity: IAM User
CloudGuard Rule ID: D9.AWS.IAM.68
Covered by Spectral: Yes
Category: Security, Identity, & Compliance


IamUser where name like '%root_account%' should have firstCertificate.isActive=false and secondCertificate.isActive=false


From Portal

  1. Click on the AWS account name/number in the upper-right corner
  2. Choose 'Security credentials' in the menu
  3. Under 'X.509 certificate', change all certificates with 'Active' status to 'Inactive'.

From Command Line
To generate a credentials report, run:

aws iam generate-credential-report

To get the generated credentials report, run:

aws iam get-credential-report

Note: The 'Content' field from the JSON response should be decoded from Base64 into a CSV file. After that, 'cert_1_active' and 'cert_2_active' columns should be verified as 'FALSE' for the 'root' user.


  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
  2. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/generate-credential-report.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/get-credential-report.html

IAM User

An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset