---
title: AWS Private CA root certificate authority should be disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# AWS Private CA root certificate authority should be disabled
 
## Description{% #description %}

AWS Private CA root certificate authority should be disabled. Root CAs are the trust anchor for your PKI hierarchy and should be kept offline (disabled) when not actively signing subordinate CA certificates to minimize the risk of compromise.

## Remediation{% #remediation %}

Disable your root certificate authority.

### From the console{% #from-the-console %}

1. Open the [AWS Private CA console](https://console.aws.amazon.com/acm-pca/).
1. Select your root CA.
1. Choose **Actions** > **Disable**.
1. Confirm the action.

### From the command line{% #from-the-command-line %}

```bash
aws acm-pca update-certificate-authority \
    --certificate-authority-arn <root-ca-arn> \
    --status DISABLED
```
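
To find root CAs that are still active before running the command above, and to confirm the status afterwards, the following added example (not part of the original rule documentation) wraps the same CLI call. The function names and the `apply` argument are assumptions made for this example; the only AWS CLI operations used are `list-certificate-authorities`, `update-certificate-authority`, and `describe-certificate-authority`.

```bash
# Added example, not Datadog's or AWS's own script.
# Audits one region for root CAs left ACTIVE and, with "apply", disables them.

# Print the ARN of every root CA in region $1 whose status is ACTIVE, one per line.
# The filter runs client-side through the CLI's --query (JMESPath) option.
active_root_cas() {
    aws acm-pca list-certificate-authorities \
        --region "$1" \
        --query "CertificateAuthorities[?Type=='ROOT' && Status=='ACTIVE'].Arn" \
        --output text |
        tr '\t' '\n' | sed -n '/^arn:/p'
}

# Print the current status of the CA with ARN $2 in region $1.
ca_status() {
    aws acm-pca describe-certificate-authority \
        --region "$1" \
        --certificate-authority-arn "$2" \
        --query 'CertificateAuthority.Status' \
        --output text
}

# disable_root_cas REGION [apply]
# Without "apply" this is a dry run that only reports what would change.
# Returns non-zero if any CA is not DISABLED after the update.
disable_root_cas() {
    region=$1
    mode=${2:-dry-run}
    failed=0
    for arn in $(active_root_cas "$region"); do
        if [ "$mode" != "apply" ]; then
            echo "would disable: $arn"
            continue
        fi
        aws acm-pca update-certificate-authority \
            --region "$region" \
            --certificate-authority-arn "$arn" \
            --status DISABLED
        # Read the status back instead of trusting the update call alone.
        status=$(ca_status "$region" "$arn")
        echo "$arn -> $status"
        [ "$status" = "DISABLED" ] || failed=1
    done
    return "$failed"
}
```

Call `disable_root_cas <region>` to preview the change and `disable_root_cas <region> apply` to make it, repeating per region in which you operate AWS Private CA.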
